First posted on 01 March 2007.
Source: SecurityHome
Viking.H is also known as DR/Muldrop.1417.C, W32/Viking.I, Win32/Viking.H, W32/Looked.B, PE_LEGMIR.KO, W32.Looked.H, Worm.Win32.Viking.h, W32/Philis-K, W32/HLLP.Philis.q, W32/Viking.J, W32.Philis.P.
Viking.H, a variant of Viking, is a virus. It creates files in the Windows directory, and it downloads and runs a file from the website http://www.54088.org/backup/[REMOVED]1.exe
Viking.H kills processes belonging to anti-virus and security software.
Description
Once an infected file is executed, Viking.H will drop the following files in the Windows directory:
 
 - Logo1_.exe - Infector
  - vDll.dll - Downloader 
  
 
The .DLL component is injected into IEXPLORE.EXE.
Viking.H adds the following registry entry as a part of its installation:
 
 - [HKLM\SOFTWARE\Soft\DownloadWWW]
   auto = "1"
  
 
It creates the following text files where it writes some information related to its activities:
 
 
Viking.H is a prepending virus that searches for files on fixed drives, working from drive Z: down to drive C:.
It infects files with the following extension:
 
 
It avoids infecting files that have any of the following strings in their path or filename:
 
 - Program Files
  - Common Files
  - ComPlus Applications
  - Documents and Settings
  - InstallShield Installation Information
  - Internet Explorer
  - Messenger
  - Microsoft Frontpage
  - Microsoft Office
  - Movie Maker
  - MSN
  - MSN Gaming Zone
  - NetMeeting
  - Outlook Express
  - Recycled
  - system
  - System Volume Information
  - system32
  - windows
  - Windows Media Player
  - Windows NT
  - WindowsUpdate
  - winnt
  
  
In order for the host file to execute, Viking.H creates a backup copy of itself in the current directory as [filename].exe.exe and then drops and executes the original uninfected host file as [filename].exe. It then deletes the uninfected host file and renames the backup file to the original filename. Viking.H does this with the help of a temporary batch file created in the temporary folder as $$.bat.
Viking.H sends the message "Hello, World" to the following IP address via Internet Control Message Protocol (ICMP):
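The file-system artefacts described above (the two dropped components, the avoided path strings, and the host-swap leftovers) can be turned into a triage pass over a file listing. This is an added example, not part of the original write-up; the function names, labels, case-insensitive matching, the .exe host assumption and the sample paths are all constructed for illustration.

```python
from pathlib import PureWindowsPath

# Strings the write-up lists as skipped by the infector (in path or filename).
AVOIDED = [
    "Program Files", "Common Files", "ComPlus Applications",
    "Documents and Settings", "InstallShield Installation Information",
    "Internet Explorer", "Messenger", "Microsoft Frontpage",
    "Microsoft Office", "Movie Maker", "MSN", "MSN Gaming Zone",
    "NetMeeting", "Outlook Express", "Recycled", "system",
    "System Volume Information", "system32", "windows",
    "Windows Media Player", "Windows NT", "WindowsUpdate", "winnt",
]
DROPPED = {"logo1_.exe", "vdll.dll"}  # components dropped in the Windows directory


def in_avoided_path(path):
    """True if any avoided string occurs in the path (case-insensitive: assumption)."""
    lowered = path.lower()
    return any(s.lower() in lowered for s in AVOIDED)


def triage(paths, windows_dir, temp_dir):
    """Label each path from a file listing; unlabelled paths are omitted."""
    win, tmp = PureWindowsPath(windows_dir), PureWindowsPath(temp_dir)
    findings = {}
    for raw in paths:
        p = PureWindowsPath(raw)
        name = p.name.lower()
        if name in DROPPED and p.parent == win:
            findings[raw] = "dropped component"
        elif name == "$$.bat" and p.parent == tmp:
            findings[raw] = "host-swap batch file"
        elif name.endswith(".exe.exe"):
            findings[raw] = "host-swap backup copy"
        elif name.endswith(".exe") and not in_avoided_path(raw):
            # Assumption: .exe hosts; the page's extension list did not survive.
            findings[raw] = "outside avoided paths: verify integrity"
    return findings


# Constructed sample listing (not taken from a real host).
SAMPLE = [
    r"C:\WINDOWS\Logo1_.exe", r"C:\WINDOWS\vDll.dll", r"C:\TEMP\$$.bat",
    r"D:\tools\viewer.exe.exe", r"D:\tools\viewer.exe",
    r"C:\Program Files\App\app.exe", r"D:\games\readme.txt",
]

if __name__ == "__main__":
    for path, label in triage(SAMPLE, r"C:\WINDOWS", r"C:\TEMP").items():
        print(f"{label:40} {path}")
```

Executables flagged for integrity verification are only candidates: compare them against known-good hashes or vendor signatures before drawing conclusions.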
 
 
It also attempts to propagate via network shares by copying itself to the following shared folders:
 
 
It does so with the following accounts:
 
 
It stops the following service:
 
 - "Kingsoft AntiVirus Service"
  
 
It terminates the following processes, which are often related to anti-virus products:
 
 - EGHOST.EXE 
  - IPARMOR.EXE
  - KAVPFW.EXE 
  - MAILMON.EXE
  - RavMon.exe
  - RavMonClass
  
 
Viking.H attempts to download and execute files from the following site:
 
 - http://www.54088.org/backup/[REMOVED]1.exe
  
 
Note: This site is already down.
Last update 01 March 2007