Presence of the specified files and registry entries.
Files that had a specific icon now have a standard executable icon.
Please let BitDefender disinfect your files.
Dan Anton, virus researcher
is a worm that infects executable files in both local drives and network shares.
When executed, the worm copies itself in the following locations:
- %windows%\uninstall\rundl132.exe
It also drops the following files:
- %windows%\RichDll.dll - detected as Win32.Worm.Viking.CM
- %root-drive%\_desktop.ini - which contains the date of system infection in the yyyy/mm/dd format
The worm creates the following registry entry as an infection marker:
- HKLM\SOFTWARE\Soft\DownloadWWW\"auto" = "1"
and also the following autorun value to ensure it is executed at every system start:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"load" = "%windows%\uninstall\rundl132.exe"
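The files and registry values listed above can be checked on a host with a short read-only script. This is an added example, not BitDefender's tooling: it assumes %windows% is $env:windir and %root-drive% is the root of any file-system drive, and it also looks under WOW6432Node in case the registry writes were redirected on 64-bit Windows.

```powershell
# Added example: read-only check for the indicators described on this page.
# Assumptions: %windows% = $env:windir; %root-drive% = root of any file-system drive.
$findings = @()

# Worm copy and dropped DLL under the Windows directory
foreach ($rel in 'uninstall\rundl132.exe', 'RichDll.dll') {
    $path = Join-Path $env:windir $rel
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $findings += [pscustomobject]@{ Type = 'File'; Item = $path; Detail = 'present' }
    }
}

# _desktop.ini in a drive root; the page says it holds the infection date as yyyy/mm/dd
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $ini = Join-Path $drive.Root '_desktop.ini'
    if (Test-Path -LiteralPath $ini -PathType Leaf) {
        $first = Get-Content -LiteralPath $ini -TotalCount 1 -ErrorAction SilentlyContinue
        $detail = 'present, no date on first line'
        if ("$first" -match '^\s*(\d{4}/\d{1,2}/\d{1,2})\s*$') {
            $detail = "infection date $($Matches[1])"
        }
        $findings += [pscustomobject]@{ Type = 'File'; Item = $ini; Detail = $detail }
    }
}

# Infection marker and autorun value, in the native and the 32-bit registry view
$checks = @(
    @{ Sub = 'Soft\DownloadWWW'; Name = 'auto'; Match = '^1$' },
    @{ Sub = 'Microsoft\Windows\CurrentVersion\Run'; Name = 'load'; Match = 'uninstall\\rundl132\.exe' }
)
foreach ($view in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
    foreach ($c in $checks) {
        $key  = "$view\$($c.Sub)"
        $prop = Get-ItemProperty -LiteralPath $key -Name $c.Name -ErrorAction SilentlyContinue
        if ($prop -and "$($prop.($c.Name))" -match $c.Match) {
            $findings += [pscustomobject]@{
                Type = 'Registry'; Item = "$key\$($c.Name)"; Detail = $prop.($c.Name)
            }
        }
    }
}

if ($findings.Count -eq 0) {
    'No indicators from this description were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

The script only reads; it does not delete files or registry values, and a clean result does not cover executables the worm has already infected.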
The worm is a file infector that searches for executable files (with ".exe" extension) in all local drives and prepends its code to the target files, except files found in folders with the following names:
- Internet Explorer
- ComPlus Applications
- Common Files
- Movie Maker
- MSN Gaming Zone
- Documents and Settings
- System Volume Information
- Windows NT
- \Program Files\
- Windows Media Player
- Outlook Express
- Microsoft Office
- InstallShield Installation Information
- Microsoft Frontpage
In most folders, it will try to infect files containing the following strings:
It also tries to access network shared folders using the administrator or guest user name with a blank password, and searches them for executable files to infect.
The worm also tries to terminate processes which contain the following names:
It tries to stop the following service: Kingsoft AntiVirus Service
It also tries to close windows related to the following processes:
The worm injects its ".dll" component (RichDll.dll) into either iexplorer.exe