Win32/Viking [Threat Name]

Win32/Viking.AR [Threat Variant Name]

Category virus
Aliases Trojan-PSW.Win32.Delf.qo (Kaspersky)
  W32/HLLP.Philis.az (McAfee)
  W32.Looked.P (Symantec)
Short description

Win32/Viking.AR is a prepending virus: it writes its own body in front of the host executable. It is also able to spread via shared folders.

Installation

When executed, the virus copies itself into the %windir% folder using the following name:

  • rundl132.exe

The following files are dropped in the same folder:

  • Dll.dll
  • Logo1_.exe

The library (Dll.dll) is loaded and injected into the following processes:

  • explorer.exe
  • iexplore.exe

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    • "load" = "%windir%\rundl132.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Soft\DownloadWWW]
    • "auto" = "1"
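
The "load" value under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows is a legacy autostart point (the registry mapping of the old win.ini [windows] load= line) that is empty on a normal system, so any content there deserves a look even when it is not this variant's filename. The following is an added example, not tooling from the original page: it parses the text a `reg export` produces and flags the two entries listed above. The .reg content is constructed sample input; the key and value names are taken from the description, and `rundl132.exe` is the dropped filename given above.

```python
"""Flag the persistence values this variant sets, from a `reg export` text dump.
Added example with constructed sample input; not tooling from the original page."""
import re

# Indicators from the description: the legacy "load" autostart value (normally
# empty) and the marker key the variant creates.
WINDOWS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Soft\DownloadWWW"
DROPPED = ("rundl132.exe", "logo1_.exe", "dll.dll")


def parse_reg(text: str) -> dict:
    """Parse a .reg export into {key: {value_name: data}}.
    Handles "name"="string", @="default" and "name"=dword:XXXXXXXX lines;
    hex(...) continuation lines are not needed for this check and are skipped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line or line.startswith(";"):
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if data.startswith("dword:"):
            data = int(data[6:], 16)
        elif data.startswith('"'):
            # .reg escapes backslashes as \\ inside string data
            data = data.strip('"').replace("\\\\", "\\")
        else:
            continue  # hex:/hex(2): multi-line data, not needed here
        keys[current][name] = data
    return keys


def _key(reg: dict, wanted: str) -> dict:
    """Case-insensitive lookup of a key path (exports preserve whatever case was stored)."""
    for k, v in reg.items():
        if k.lower() == wanted.lower():
            return v
    return {}


def find_indicators(reg: dict) -> list:
    """Return (path, data, reason) triples: any non-empty load/run value under the
    Windows key, classified by whether it names a dropped file, plus the marker key."""
    findings = []
    win = _key(reg, WINDOWS_KEY)
    for name in ("load", "run"):
        data = win.get(name, "")
        if data:
            hit = any(d in str(data).lower() for d in DROPPED)
            reason = "dropped-file" if hit else "non-empty-autostart"
            findings.append((WINDOWS_KEY + "\\" + name, data, reason))
    marker = _key(reg, MARKER_KEY)
    if marker.get("auto") in ("1", 1):
        findings.append((MARKER_KEY + "\\auto", marker["auto"], "infection-marker"))
    return findings


# Constructed sample export: one infected profile plus an unrelated clean key.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="C:\\WINDOWS\\rundl132.exe"
"run"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Soft\DownloadWWW]
"auto"="1"

[HKEY_CURRENT_USER\Software\Clean\Example]
"x"=dword:00000001
"""

if __name__ == "__main__":
    for path, data, reason in find_indicators(parse_reg(SAMPLE_REG)):
        print(f"{reason:22} {path} = {data!r}")
```

A real export (`reg export HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows out.reg`) is written as UTF-16LE with a BOM, so open it with `encoding="utf-16"` before passing the text to `parse_reg`. On an infected host the entry should be cleared only after the dropped files have been removed and the injected library unloaded, otherwise the running copy simply recreates it.
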
Spreading

The virus searches local drives for executables.

Only files with the following names are infected:

  • ACDSee4.exe
  • ACDSee5.exe
  • ACDSee6.exe
  • AgzNew.exe
  • Archlord.exe
  • AutoUpdate.exe
  • autoupdate.exe
  • BNUpdate
  • Datang.exe
  • editplus.exe
  • EXCEL.EXE
  • flashget.exe
  • foxmail.exe
  • FSOnline.exe
  • GameClient.exe
  • install.exe
  • jxonline_t.exe
  • launcher.exe
  • lineage.exe
  • LineageII.exe
  • MHAutoPatch.exe
  • Mir.exe
  • msnmsgr.exe
  • Mu.exe
  • my.exe
  • NATEON.exe
  • NSStarter.exe
  • Patcher.exe
  • patchupdate.exe
  • QQ.exe
  • Ragnarok.exe
  • realplay.exe
  • run.exe
  • setup.exe
  • Silkroad.exe
  • Thunder.exe
  • ThunderShell.exe
  • TTPlayer.exe
  • Uedit32.exe
  • Winrar.exe
  • WINWORD.EXE
  • woool.exe
  • zfs.exe

If a folder name matches one of the following strings, files inside it are not infected:

  • Windows NT
  • Program Files
  • WindowsUpdate
  • Windows Media Player
  • Outlook Express
  • Internet Explorer
  • ComPlus Applications
  • NetMeeting
  • Common Files
  • Messenger
  • Microsoft Office
  • InstallShield Installation Information
  • MSN
  • Microsoft Frontpage
  • Movie Maker
  • MSN Gaming Zone
  • C:\WINNT\System3
  • system32
  • winnt
  • windows
  • Recycled
  • Documents and Settings
  • System Volume Information

While searching a folder, the virus creates a hidden file in it with the following name:

  • _desktop.ini

The virus also searches for executables in shared folders on remote machines. Filenames are not checked there; any executable can be infected.

The virus body is prepended to host executables.

When an infected file is executed, the original program is dropped to a temporary file and run from there.
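
Because the host is kept whole behind the virus body, an infected file carries two complete MZ/PE headers: the virus's at offset 0 and the host's where the prepended body ends. The following is an added example, not code from the original page or from the malware, of how a responder can recognize that layout and carve the host back out. It assumes the infected file is exactly the virus image followed by the unmodified host image (the page gives no body length for this variant, and any packing or encryption of the host would defeat the scan), and it builds synthetic PE-shaped buffers in place of real executables.

```python
"""Recognize the <virus body><host executable> layout a prepending virus leaves
behind and carve the host out. Added example with synthetic PE-shaped buffers;
it assumes the host image follows the virus body unmodified."""
import struct


def make_min_pe(tag: bytes, size: int) -> bytes:
    """Constructed sample: an 'MZ' header whose e_lfanew (offset 0x3C) points at a
    'PE\\0\\0' signature, padded with `tag` to `size` bytes. Not a runnable binary."""
    e_lfanew = 0x80
    hdr = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr += b"PE\x00\x00"
    body = (tag * (size // len(tag) + 1))[: size - len(hdr)]
    return bytes(hdr) + body


def valid_pe_at(data: bytes, off: int) -> bool:
    """True if a plausible PE header starts at `off`: 'MZ', an e_lfanew that stays
    inside the buffer, and the 'PE\\0\\0' signature at that position."""
    if data[off:off + 2] != b"MZ" or off + 0x40 > len(data):
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    pe = off + e_lfanew
    return e_lfanew >= 0x40 and pe + 4 <= len(data) and data[pe:pe + 4] == b"PE\x00\x00"


def find_embedded_pe(data: bytes, start: int = 1) -> list:
    """Offsets of every validated PE header at or after `start` (default skips the
    outer image's own header at 0). Scans on 'MZ' and validates each candidate."""
    hits = []
    off = data.find(b"MZ", start)
    while off != -1:
        if valid_pe_at(data, off):
            hits.append(off)
        off = data.find(b"MZ", off + 1)
    return hits


def carve_host(data: bytes):
    """Return (virus_body, host) if `data` looks like a prepended infection, else
    None. The first embedded header is taken as the host start: with a fixed-size
    virus body that is where the original program begins."""
    if not valid_pe_at(data, 0):
        return None
    hits = find_embedded_pe(data)
    if not hits:
        return None
    cut = hits[0]
    return data[:cut], data[cut:]


# Constructed samples: a fake virus stub, a fake host, and the infected result.
VIRUS_BODY = make_min_pe(b"VIRAL-", 0x200)
HOST = make_min_pe(b"HOST--", 0x300)
INFECTED = VIRUS_BODY + HOST

if __name__ == "__main__":
    body, host = carve_host(INFECTED)
    print(f"virus body {len(body):#x} bytes, host recovered: {host == HOST}")
    print("clean host flagged:", carve_host(HOST) is not None)
```

A second valid PE header is a heuristic, not proof of infection: self-extracting installers and programs that carry another executable as a resource also match, so a hit should be confirmed against the known body size of the variant (or the virus's own byte pattern at offset 0) before the carved image is written back over the original. Disinfected output should then be checked for an intact section table, and files on remote shares should be treated the same way, since the page notes those are infected without any filename filter.
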

Other information

The following programs are terminated:

  • EGHOST.EXE
  • IPARMOR.EXE
  • KAVPFW.EXE
  • MAILMON.EXE
  • mcshield.exe
  • RavMon.exe
  • Ravmond.EXE
  • regsvc.exe

The virus contains a list of URLs. It tries to download several files from these addresses and then executes them.
