Trojan:Win32/Viking.IT may terminate a running service and attempt to download other malicious files from predefined remote Web servers.
Installation
When run, Win32/Viking.IT drops a copy of itself as '%windir%\rundl132.exe' and modifies the registry to execute this copy at each Windows start.
Adds value: load
With data: "%windir%\rundl132.exe"
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
Win32/Viking.IT may drop a DLL component into the current folder as 'vdll.dll', and add registry data related to a file download payload.
Adds value: auto
With data: "1"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Soft\DownloadWWW\
Payload
Terminates Service
Win32/Viking.IT may execute the following shell instruction using the Windows utility 'net.exe' to terminate a service:
net stop "Kingsoft AntiVirus Service"
Downloads Files
Win32/Viking.IT may attempt to download files from the domain 'jcwz.net'. Files are downloaded to the Windows folder, and then executed. Win32/Viking.IT may add registry data, such as the following:
Adds value: ver_down0
With data: "mz."
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
Adds value: "%windir%\<downloaded executable filename>"
With data: "<downloaded executable filename>"
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\
Adds value: ProgramCount
With data: "2"
To subkey: HKEY_CURRENT_USER\SessionInformation
Win32/Viking.IT may connect with other Web sites such as the following:
222.77.178.218
97725.com
At the time of this writing, the files requested were no longer available.
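The following read-only PowerShell check is an added example, not part of the original analysis or of any Microsoft tool. It looks for the dropped file and the registry values listed above. The function names are hypothetical, the WOW6432Node lookup is an assumption that covers 32-bit registry redirection on 64-bit Windows, and the MUICache and SessionInformation entries are left out on the assumption that they are too generic to alert on.

```powershell
# Added example: read-only check for the Win32/Viking.IT artifacts described above.
# Function names are hypothetical; nothing on the host is modified.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Test-VikingIT {
    $hits = @()

    # Dropped copy. The name is rundl132.exe (digit 1), not the legitimate rundll32.exe.
    $dropped = Join-Path $env:windir 'rundl132.exe'
    if (Test-Path -LiteralPath $dropped -PathType Leaf) {
        $hits += [pscustomobject]@{ Artifact = 'file'; Location = $dropped; Data = '' }
    }

    # Autostart: flag the 'load' value only when it names the dropped copy.
    $loadKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
    $load = Get-RegValue -Path $loadKey -Name 'load'
    if ($load -match 'rundl132\.exe') {
        $hits += [pscustomobject]@{ Artifact = 'autostart'; Location = "$loadKey\load"; Data = $load }
    }

    # Download-payload markers. Assumption: on 64-bit Windows a 32-bit process
    # is redirected to WOW6432Node, so both registry views are checked.
    $markers = @(
        @{ Key = 'Soft\DownloadWWW';  Name = 'auto' },
        @{ Key = 'Microsoft\Windows'; Name = 'ver_down0' }
    )
    foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
        foreach ($m in $markers) {
            $path = "$root\$($m.Key)"
            $data = Get-RegValue -Path $path -Name $m.Name
            if ($null -ne $data) {
                $hits += [pscustomobject]@{ Artifact = 'marker'; Location = "$path\$($m.Name)"; Data = $data }
            }
        }
    }
    $hits
}

$result = Test-VikingIT
if ($result) { $result | Format-Table -AutoSize } else { 'No Win32/Viking.IT artifacts found.' }
```

Run it in the context of the user being checked, because the 'load' value lives under HKEY_CURRENT_USER.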
Analysis by Andrei Florin Saygo
Take the following steps to help prevent infection on your system:
Enable a firewall on your computer.
Get the latest computer updates.
Use up-to-date antivirus software.
Use caution with attachments and file transfers.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP
Click Start, and click Control Panel.
Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
Click Change Windows Firewall Settings.
Select On.
Click OK.
To turn on the Windows Firewall in Windows Vista
Click Start, and click Control Panel.
Click Security.
Click Turn Windows Firewall on or off.
Select On.
Click OK.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows XP
Click Start, and click Control Panel.
Click System.
Click Automatic Updates.
Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.
Use caution with attachments and file transfers
Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.