Win32.Worm.Viking.CL

LOW
MEDIUM
~ 60 kB
(Viking, Looked)

Symptoms

Presence of the specified files and registry entries.
Files that had a specific icon now have a standard executable icon.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Dan Anton, virus researcher

Technical Description:

Win32.Worm.Viking.CL is a worm that infects executable files in both local drives and network shares.

When executed, the worm copies itself to the following locations:
  • %windows%\uninstall\rundl132.exe
  • %windows%\Logo1_.exe

It also drops the following files:
  • %windows%\RichDll.dll - detected as Win32.Worm.Viking.CM
  • %root-drive%\_desktop.ini - which contains the date of system infection in the yyyy/mm/dd format

The worm creates the following registry entry as an infection marker:
HKLM\SOFTWARE\Soft\DownloadWWW\"auto" = "1"

and also the following autorun value to ensure it is executed at every system start:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"load" = "%windows%\uninstall\rundl132.exe"
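As an added example (not Bitdefender's tooling or part of the original description), the following Python function matches a collected host snapshot against the dropped files, infection marker, autorun value and _desktop.ini date stamp listed above; the snapshot format and the sample data are constructed for illustration.

```python
import re
from datetime import date

# Indicators taken from the description above; %windows% and %root-drive%
# are kept as placeholders, matching the way the write-up names them.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKLM\SOFTWARE\Soft\DownloadWWW"
AUTORUN_TARGET = r"%windows%\uninstall\rundl132.exe"
DROPPED_FILES = (AUTORUN_TARGET, r"%windows%\Logo1_.exe", r"%windows%\RichDll.dll")
DESKTOP_INI = r"%root-drive%\_desktop.ini"
DATE_RE = re.compile(r"^(\d{4})/(\d{2})/(\d{2})$")


def infection_date(ini_text):
    """Parse the yyyy/mm/dd stamp the worm writes to _desktop.ini; None if absent or invalid."""
    m = DATE_RE.match(ini_text.strip())
    if not m:
        return None
    try:
        return date(int(m[1]), int(m[2]), int(m[3]))
    except ValueError:  # e.g. month 13: not a date the worm would have written
        return None


def assess_host(registry, files):
    """Match a host snapshot against the indicators; returns a list of findings.

    registry is {key_path: {value_name: data}} and files is {path: text or None};
    this shape is an assumption about whatever collection tooling supplies it.
    """
    findings = []
    load = registry.get(RUN_KEY, {}).get("load", "")
    if load.lower() == AUTORUN_TARGET.lower():
        findings.append("autorun value Run\\load points at rundl132.exe")
    if registry.get(MARKER_KEY, {}).get("auto") == "1":
        findings.append("infection marker Soft\\DownloadWWW\\auto = 1")
    lowered = {p.lower(): c for p, c in files.items()}   # Windows paths are case-insensitive
    findings += [f"dropped file present: {p}" for p in DROPPED_FILES if p.lower() in lowered]
    if DESKTOP_INI.lower() in lowered:
        stamp = infection_date(lowered[DESKTOP_INI.lower()] or "")
        findings.append(f"root _desktop.ini: infected on {stamp}" if stamp
                        else "root _desktop.ini present but no yyyy/mm/dd stamp")
    return findings


# Constructed sample snapshot of an infected host (not real telemetry).
SAMPLE_REGISTRY = {RUN_KEY: {"load": AUTORUN_TARGET}, MARKER_KEY: {"auto": "1"}}
SAMPLE_FILES = {AUTORUN_TARGET: None, r"%windows%\Logo1_.exe": None,
                r"%windows%\RichDll.dll": None, DESKTOP_INI: "2006/09/14\r\n"}

if __name__ == "__main__":
    for line in assess_host(SAMPLE_REGISTRY, SAMPLE_FILES):
        print(line)
```

A `load` value under the Run key is not by itself proof of infection; it is the combination with the marker key, the dropped files and the dated _desktop.ini that makes the match specific to this family.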

The worm is a file infector that searches all local drives for executable files (with the ".exe" extension) and prepends its code to the target files, except files found in folders with the following names:
  • Internet Explorer
  • ComPlus Applications
  • NetMeeting
  • Common Files
  • Messenger
  • Movie Maker
  • MSN Gaming Zone
  • system
  • system32
  • winnt
  • windows
  • Recycled
  • Documents and Settings
  • System Volume Information
  • _desktop.ini
  • Windows NT
  • \Program Files\
  • WindowsUpdate
  • Windows Media Player
  • Outlook Express
  • Microsoft Office
  • InstallShield Installation Information
  • MSN
  • Microsoft Frontpage

In most folders, it will try to infect files whose names contain the following strings:
  • setup
  • install
  • EXCEL
  • WINWORD
  • msnmsgr
  • NATEON
  • editplus
  • Winrar
  • Thunder
  • ThunderShell
  • flashget
  • TTPlayer
  • realplay
  • foxmail
  • Uedit32
  • ACDSee4
  • ACDSee5
  • ACDSee6
  • GameClient
  • AgzNew
  • Patcher
  • MHAutoPatch
  • Silkroad
  • BNUpdate
  • jxonline
  • FSOnline
  • AutoUpdate
  • Ragnarok
  • launcher
  • autoupdate
  • Datang
  • LineageII
  • Archlord
  • woool
  • patchupdate
  • NSStarter
  • lineage

It also tries to access network shared folders using the administrator or guest user name with a blank password, and searches them for executable files to infect.

The worm also tries to terminate processes whose names contain the following strings:
  • RavMon
  • RavMonClass
  • EGHOST
  • MAILMON
  • KAVPFW
  • IPARMOR
  • Ravmond
  • regsvc
  • mcshield

It tries to stop the following service:
Kingsoft AntiVirus Service

It also tries to close windows related to the following processes:
  • RavMon.exe
  • avp.exe

The worm injects its ".dll" component (RichDll.dll) into either the iexplorer.exe or the explorer.exe process.