Virus: W32/Viking.B
Date discovered: 30/05/2007
Type: File infector
In the wild: Yes
Reported Infections: Medium to high
Distribution Potential: Medium
Damage Potential: Low to medium
Static file: No
File size: 72.100 Bytes
IVDF version: 6.38.01.205 - Wednesday, May 30, 2007

General

Methods of propagation:
• Infects files
• Local network

Aliases:
• Symantec: W32.Looked.BK
• McAfee: W32/HLLP.Philis.kc
• Kaspersky: Worm.Win32.Viking.lf
• Sophos: W32/Looked-DE
• VirusBuster: Win32.HLLP.Viking.JD
• Eset: Win32/Viking.CH
• Bitdefender: Win32.Worm.Viking.NCI

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Downloads malicious files
• Drops a malicious file
• Infects files
• Lowers security settings
• Registry modification

Files

It copies itself to the following locations:
• %WINDIR%\uninstall\rundl132.exe
• %WINDIR%\Logo1_.exe

It deletes the initially executed copy of itself.

The following files are created:
– A file that is for temporary use and might be deleted afterwards:
  • %TEMPDIR%\$$a5.tmp
– %TEMPDIR%\$$a5.bat
  Furthermore, it gets executed after it was fully created. This batch file is used to delete a file.
– %WINDIR%\RichDll.dl
  Further investigation pointed out that this file is malware, too. Detected as: W32/Viking.B
– %executed file%
  Furthermore, it gets executed after it was fully created. This is the original version of the file before infection.

It tries to download some files (14 downloads in the original description, all from the same host; the paths are masked):
• www.08325.cn/**********

Registry

The following registry key is added in order to run the process after reboot:
– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
  • "load"="%WINDIR%\uninstall\rundl132.exe"

The following registry key is added:
– [HKLM\Software\Soft\DownloadWWW\]
  • "auto"="1"

File infection

Infector type: Prepender - the virus code is added at the beginning of the infected file.
Stealth: No stealth techniques used. It modifies the OEP (Original Entry Point) of the infected file to point to the virus code.
Method: This memory-resident infector remains active in memory.
Infection length: Approximately 72.000 Bytes

The following files are infected:
By file type:
• *.exe
Files in any of the following directories:
• %all directories%
• %network shares%

Process termination

The following service is disabled:
• Kingsoft AntiVirus Service

Miscellaneous

Mutex: It creates the following Mutex:
• VIRUS_ASMAPING_XZASDWRTTYEEWD82473M

File details

Programming language: The malware program was written in Delphi.
Runtime packer: In order to aggravate detection and reduce the size of the file, it is packed with the following runtime packer:
• PolyEnE 0.01+
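As an added illustration (not code from this description or from any vendor tool), the following Python checks a file for the prepender layout described above: a well-formed PE image at offset 0 followed by a second, embedded PE image where the original program now lives, and carves that original out. The images produced by build_fake_pe are constructed test data; the 72,000-byte gap is taken from the infection length stated above.

```python
"""Detect a prepender-style infection: the file opens with the virus's own PE
image and the original program is appended behind it (about 72,000 bytes in).
Added example; the test images below are constructed, not real samples."""
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"


def pe_signature_offset(data, base):
    """Absolute offset of the PE signature for the DOS header at `base`,
    or None if no well-formed DOS/PE header pair starts there."""
    if data[base:base + 2] != MZ or len(data) < base + 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, base + 0x3C)[0]
    pe = base + e_lfanew
    if pe + 4 > len(data) or data[pe:pe + 4] != PE_SIG:
        return None
    return pe


def find_embedded_pe(data):
    """Offset of a second, embedded PE image after the one at offset 0, or None.
    A stray 'MZ' inside ordinary data is rejected by the e_lfanew/PE check."""
    if pe_signature_offset(data, 0) is None:
        return None  # not a PE file at all, so nothing to say about prepending
    pos = data.find(MZ, 1)
    while pos != -1:
        if pe_signature_offset(data, pos) is not None:
            return pos
        pos = data.find(MZ, pos + 1)
    return None


def carve_host(data):
    """Return the appended original program, or None if no embedded image."""
    off = find_embedded_pe(data)
    return None if off is None else data[off:]


def build_fake_pe(size, marker):
    """Constructed minimal PE-shaped blob for testing: DOS header, e_lfanew
    pointing at a PE signature, and a marker string in the body."""
    buf = bytearray(size)
    buf[0:2] = MZ
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = PE_SIG
    buf[0x100:0x100 + len(marker)] = marker
    return bytes(buf)


if __name__ == "__main__":
    infected = build_fake_pe(72000, b"VIRUS") + build_fake_pe(4096, b"HOST")
    print(find_embedded_pe(infected))  # 72000
```

A real disinfection routine would additionally validate the carved image (section table, checksum) before writing it back; this check only locates it.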
Description inserted by Daniel Constantin on Thursday, February 11, 2010 Description updated by Daniel Constantin on Thursday, February 11, 2010