Virus:Win32/Viking.LK is a prepending virus that infects '.exe' files. It also attempts to download files from a remote location.
Installation
When a file infected with Virus:Win32/Viking.LK is executed, the virus drops the following files:
- %windir%\Logo1_.exe - a copy of the virus' code
- %windir%\uninstall\rundl132.exe - a copy of the virus' code
- %windir%\RichDll.dll - used for downloading files (see the Payload section below for additional detail)
- %temp%\$$a3.bat - a batch file
It then modifies the registry to execute %windir%\uninstall\rundl132.exe at each Windows start:
Adds value: "load"
With data: "%windir%\uninstall\rundl132.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
It also makes the following further registry modification:
Adds value: "auto"
With data: "1"
To subkey: HKLM\SOFTWARE\Soft\DownloadWWW
Spreads Via…
File Infection
Virus:Win32/Viking.LK infects files with an '.exe' extension by prepending its code to that of the targeted host. However, it avoids infecting files whose path or filename contains any of the following strings:
InstallShield Installation Information
System Volume Information
Windows Media Player
Documents and Settings
ComPlus Applications
Microsoft Frontpage
Internet Explorer
Outlook Express
\Program Files\
MSN Gaming Zone
WindowsUpdate
Common Files
Windows NT
NetMeeting
Movie Maker
Messenger
Recycled
system32
system
windows
winnt
When an infected file is run, the virus drops a copy of the host file in the current directory using its original filename but with an additional '.exe' extension. For example, if an infected 'calc.exe' was executed, it would drop a copy of the host to 'calc.exe.exe'. It then deletes the infected file, renames the host to its original filename (with only one '.exe' extension) and executes the host. The virus accomplishes these tasks using the batch file %temp%\$$a3.bat.
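Because the virus prepends its body and later writes the host back out intact, the original program is still present after the virus's own PE image. The following script is an added illustration, not part of the original analysis: it computes where the first PE image ends from its section table and carves out the embedded host. It assumes the host is stored unmodified after the virus body (the page does not state how this variant stores it) and uses a constructed, non-runnable minimal PE as sample input.

```python
import struct
from typing import Optional


def build_minimal_pe(section_payload: bytes) -> bytes:
    """Constructed sample: a tiny, non-runnable PE image with one section."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms,
    # SizeOfOptionalHeader (0 here, so no optional header), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    header_len = e_lfanew + 4 + 20 + 40          # DOS + "PE\0\0" + COFF + one section header
    raw_ptr = (header_len + 0x1FF) & ~0x1FF      # file-align the section data to 512 bytes
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_payload), 0x1000,
                          len(section_payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    img = dos + b"PE\0\0" + coff + section
    return img + b"\0" * (raw_ptr - len(img)) + section_payload


def pe_physical_end(data: bytes) -> int:
    """Offset one past the last byte the first PE image in `data` occupies on disk."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sec_tab = e_lfanew + 24 + opt_size
    end = sec_tab + 40 * nsec                    # at least the header area itself
    for i in range(nsec):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each 40-byte section header
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_tab + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def carve_prepended_host(data: bytes) -> Optional[bytes]:
    """Return the host PE appended after the prepended virus image, or None if there is none."""
    pos = data.find(b"MZ", pe_physical_end(data))
    while pos != -1:
        try:
            pe_physical_end(data[pos:])          # only accept a structurally valid PE here
            return data[pos:]
        except (ValueError, struct.error):
            pass
        pos = data.find(b"MZ", pos + 1)
    return None


if __name__ == "__main__":
    infected = build_minimal_pe(b"VIRUS-BODY-CONSTRUCTED") + build_minimal_pe(b"HOST-CONSTRUCTED")
    print("host carved:", carve_prepended_host(infected) is not None)
```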
Payload
Downloads and Executes Arbitrary Files
The virus injects %windir%\RichDll.dll into explorer.exe and then attempts to download files from the 'www1.cw988.cn' domain. At the time of publishing, the files it targets were not available.
In the wild, Win32/Viking variants have often been observed to download members of the Win32/Lineage family of password-stealing trojans.
Terminates Processes
Virus:Win32/Viking.LK terminates the following AV software-related processes:
avp.exe
EGHOST.EXE
IPARMOR.EXE
MAILMON.EXE
mcshield.exe
RavMon.exe
Ravmond.EXE
regsvc.exe
KAVPFW.EXE
KRegEx.exe
KVMonXP.KXP
KVXP.KXP
It also stops the following service:
Kingsoft AntiVirus Service
Additional Information
The virus creates the following mutex to ensure only one instance of itself runs in memory:
VIRUS_ASMAPING_XZASDWRTTYEEWD82473M
It also creates the following event:
DWONS_ASMAPING_XADADAKEUPOIUY98753M
Note: If the system's code page identifier is Simplified Chinese, the virus does not infect the system.
Analysis by Francis Allan Tan Seng