Win32.Worm.Viking.BU (Viking, Looked)

SYMPTOMS: Presence of the specified files and registry entries. Files that had a specific icon now have a standard executable icon.

TECHNICAL DESCRIPTION: Win32.Worm.Viking.BU is a worm that infects executable files on both local drives and network shares.

When executed, the worm copies itself to the following locations:
%windows%\uninstall\rundl132.exe
%windows%\Logo1_.exe

It also drops the following files:
%windows%\RichDll.dll - detected as Win32.Worm.Viking.GL
%root-drive%\_desktop.ini - which contains the date of system infection in the yyyy/mm/dd format

The worm creates the following registry entry as an infection marker:
HKLM\SOFTWARE\Soft\DownloadWWW\"auto" = "1"

It also creates the following autorun value to ensure it is executed at every system start:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"load" = "%windows%\uninstall\rundl132.exe"

The worm is a file infector that searches for executable files (with ".exe" extension) on all local drives and prepends its code to the target files, except files found in folders with the following names:
In most folders, it will try to infect files containing the following strings:
It also tries to access network shared folders using the administrator or guest user name and a blank password, and searches them for executable files to infect.

The worm also tries to terminate processes which contain the following names:
It tries to stop the following service:
Kingsoft AntiVirus Service

It also tries to close windows related to the following processes:
The worm injects its ".dll" component (RichDll.dll) into either iexplorer.exe or explorer.exe process.

Removal instructions: Please let BitDefender disinfect your files.

ANALYZED BY: Dan Anton, virus researcher
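The file and registry indicators listed in the technical description can be checked on a live host with a read-only script. The following is an added example, not part of the original description or any vendor tool; it assumes %windows% is the Windows directory ($env:windir) and %root-drive% is the system drive root, and it also checks the WOW6432Node registry view.

```powershell
# Added example: read-only check for the Win32.Worm.Viking.BU indicators listed above.
$win  = $env:windir    # assumption: %windows% is the Windows directory
$hits = @()

# Worm copies and the dropped DLL component.
foreach ($p in "$win\uninstall\rundl132.exe", "$win\Logo1_.exe", "$win\RichDll.dll") {
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        $hits += [pscustomobject]@{ Kind = 'File'; Item = $p; Detail = 'present' }
    }
}

# _desktop.ini in the drive root records the infection date as yyyy/mm/dd.
# Assumption: %root-drive% is the system drive root.
$ini = Join-Path $env:SystemDrive '_desktop.ini'
if (Test-Path -LiteralPath $ini -PathType Leaf) {
    $text   = [string](Get-Content -LiteralPath $ini -Raw -Force)
    $detail = 'present, no yyyy/mm/dd date found'
    if ($text -match '\d{4}/\d{1,2}/\d{1,2}') {
        $detail = "infection date recorded as $($Matches[0])"
    }
    $hits += [pscustomobject]@{ Kind = 'File'; Item = $ini; Detail = $detail }
}

# Check the native and the 32-bit (WOW6432Node) registry views: on 64-bit Windows,
# a 32-bit process writing to HKLM\SOFTWARE is redirected to the latter.
foreach ($base in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
    $markerKey = "$base\Soft\DownloadWWW"
    $marker = Get-ItemProperty -Path $markerKey -Name 'auto' -ErrorAction SilentlyContinue
    if ($marker -and "$($marker.auto)" -eq '1') {
        $hits += [pscustomobject]@{ Kind = 'Registry'; Item = "$markerKey\auto"; Detail = 'infection marker = 1' }
    }

    $runKey = "$base\Microsoft\Windows\CurrentVersion\Run"
    $run = Get-ItemProperty -Path $runKey -Name 'load' -ErrorAction SilentlyContinue
    if ($run -and $run.load -like '*\uninstall\rundl132.exe*') {
        $hits += [pscustomobject]@{ Kind = 'Registry'; Item = "$runKey\load"; Detail = $run.load }
    }
}

if ($hits) {
    $hits | Format-Table -AutoSize -Wrap
} else {
    'None of the listed Win32.Worm.Viking.BU file or registry indicators were found.'
}
```

The script covers only the dropped files and registry values; it does not identify executables to which the worm has prepended its code.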