Virus:Win32/Viking.gen!B is a generic detection of files that are infected with the Win32/Viking virus. The virus spreads by infecting executable files, and by copying itself to network shares and removable drives. It also kills security-related software and downloads additional malware.
Installation
When a file infected by Virus:Win32/Viking.gen!B is executed, it drops and launches the virus' code. One observed example copied its code to <system folder>\drivers\txp1atform.exe.
Virus:Win32/Viking.gen!B then drops and launches the original copy of the infected host file in the current folder.
Virus:Win32/Viking.gen!B also drops and launches a batch file which it uses to overwrite itself with the original uninfected host file.
Spreads via…
File infection
Virus:Win32/Viking.gen!B searches for executable files (with file extensions .EXE, .SCR, .PIF, .COM) to infect on drives C:\ to Z:\. It infects targeted files by appending its code to that of the host. It also drops a non-malicious file named "Desktop_1.ini" into each folder it has searched which it uses as an infection marker.
Virus:Win32/Viking.gen!B also searches for files with file extensions .htm, .html, .asp, .php, .jsp and .aspx and inserts an invisible IFrame into these files which refers to a malicious site. In the wild, we observed this method being used to direct users to www.xinxinbaidu.com.cn.
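As an added triage example (not part of the original write-up), the following Python walks a directory tree for the "Desktop_1.ini" infection marker and for web files carrying an injected IFrame. The write-up only says the IFrame is "invisible"; the zero-size and display:none styling checked here, and the sample HTML, are constructed assumptions.

```python
import os
import re

# Constructed sample: an HTML page after the kind of injection described above.
# The zero-size styling is an assumption; the write-up only says "invisible".
SAMPLE_HTML = """<html><body><h1>Hello</h1>
<iframe src="http://www.xinxinbaidu.com.cn/" width="0" height="0" frameborder="0"></iframe>
</body></html>"""

WEB_EXTS = {".htm", ".html", ".asp", ".php", ".jsp", ".aspx"}   # extensions named in the write-up
MARKER_NAME = "Desktop_1.ini"                                    # infection marker named in the write-up
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r'src\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)
HIDDEN_RE = re.compile(r'(width|height)\s*=\s*["\']?0\b|display\s*:\s*none|visibility\s*:\s*hidden',
                       re.IGNORECASE)

def suspicious_iframes(html, allowed_hosts=()):
    """Return src values of iframes that are hidden or point to a host not in allowed_hosts."""
    hits = []
    for tag in IFRAME_RE.findall(html):
        m = SRC_RE.search(tag)
        src = m.group(1) if m else ""
        host = re.sub(r"^[a-z]+://", "", src, flags=re.IGNORECASE).split("/")[0].lower()
        if HIDDEN_RE.search(tag) or (host and host not in allowed_hosts):
            hits.append(src)
    return hits

def scan_tree(root, allowed_hosts=()):
    """Walk root; return (marker file paths, {web file path: [suspicious iframe srcs]})."""
    markers, injected = [], {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == MARKER_NAME.lower():
                markers.append(path)
            elif os.path.splitext(name)[1].lower() in WEB_EXTS:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = suspicious_iframes(fh.read(), allowed_hosts)
                if hits:
                    injected[path] = hits
    return markers, injected

def demo():
    """Build a throwaway folder holding a marker file and an injected page, then scan it."""
    import tempfile
    root = tempfile.mkdtemp()
    open(os.path.join(root, MARKER_NAME), "w").close()
    with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_HTML)
    return scan_tree(root)
```

Pass the hosts your own pages legitimately frame in allowed_hosts; anything else, or any iframe with hidden styling, is reported for manual review.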
Network shares
Virus:Win32/Viking.gen!B enumerates network shares and tries to guess each share's password with a simple dictionary attack. It uses the following list of passwords for this purpose.
000000
1111
11111111
1234
12345
123456
1234567
12345678
123456789
1313
2112
5150
5201314
54321
654321
6969
7777
admin
basebal
fish
golf
harley
letmein
mustang
password
qq520
qwerty
shadow
….
If it is successful, it copies itself to the network share using a variable filename. In the wild we observed one variant of Virus:Win32/Viking.gen!B copying itself with the file name "Cool_GameSetup.exe" in this way.
Removable drives
Virus:Win32/Viking.gen!B copies itself and drops a file named autorun.inf to the root folder of each accessible drive. When the drive is accessed from a machine supporting the Autorun feature, the virus is launched automatically. Both files are hidden. We observed one variant of Virus:Win32/Viking.gen!B copying itself with the file name "íííííí.exe".
Virus:Win32/Viking.gen!B periodically modifies the following registry entries to run itself at system start, to keep hidden files from being shown, and to keep Autorun enabled so that its copy is executed when the drive is opened in Windows Explorer.
Adds value: "Explorer"
With data: "<copied virus body file>" e.g. "<system folder>\drivers\txp1atform.exe"
To key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "CheckedValue"
With data: 0
To key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
Sets value: "NoDriveTypeAutoRun"
With data: 0x80
To key: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
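As an added defender-side example (not from the original write-up), the following Python parses a .reg export and reports the three modifications listed above. The export text is constructed for the example; the system folder path in it is an assumption, and the 0x04 (removable-drive) bit of NoDriveTypeAutoRun is used to judge whether Autorun is still enabled for removable drives.

```python
# Constructed sample in .reg export format showing the three values from the write-up.
# The location of <system folder> is assumed to be C:\WINDOWS\system32.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Explorer"="C:\\WINDOWS\\system32\\drivers\\txp1atform.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000080
"""

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
SHOWALL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

def parse_reg(text):
    """Parse .reg export text (already decoded; reg.exe writes UTF-16) into
    {key: {value_name: value}}, handling only string and dword values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            if data.startswith("dword:"):
                keys[current][name] = int(data[6:], 16)
            elif data.startswith('"') and data.endswith('"'):
                keys[current][name] = data[1:-1].replace("\\\\", "\\")   # .reg doubles backslashes
    return keys

def assess(keys):
    """Return findings that match the registry modifications described in the write-up."""
    findings = []
    run = keys.get(RUN_KEY, {})
    if "Explorer" in run:
        findings.append("Run\\Explorer autostart -> " + run["Explorer"])
    if keys.get(SHOWALL_KEY, {}).get("CheckedValue") == 0:
        findings.append("SHOWALL\\CheckedValue=0 (hidden files cannot be shown)")
    auto = keys.get(POLICY_KEY, {}).get("NoDriveTypeAutoRun")
    if auto is not None and auto & 0x04 == 0:   # 0x04 = DRIVE_REMOVABLE; 0xFF disables all
        findings.append("NoDriveTypeAutoRun=0x%02X leaves removable-drive Autorun enabled" % auto)
    return findings
```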
Payload
Modifies system security
Virus:Win32/Viking.gen!B drops and loads a device driver component which it uses to disable security software's real-time protection. In the wild we observed one variant dropping this driver to "C:\z1.tmp". This file was detected as VirTool:WinNT/Rootkitdrv.GO.
Contacts remote host
Virus:Win32/Viking.gen!B periodically launches a new instance of Internet Explorer in the background in order to access certain web pages. In the wild we observed Virus:Win32/Viking.gen!B contacting the following domains in this manner:
- www.xinxinbaidu.com.cn
- www.daohang08.com
Terminates security services/Modifies security settings
Virus:Win32/Viking.gen!B periodically terminates and deletes the following services and also deletes the following registry entries. These services and registry entries may be associated with various security applications.
AVPFireSvc
KPfwSvc
McAfeeFramework
McShield
McTaskManager
MskService
NPFMntor
RsCCenter
RsRavMon
SNDSrvc
SPBBCSvc
Schedule
Symantec Core LC
ccEvtMgr
ccProxy
kavsvc
navapsvc
sharedaccess
wscsvc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kav
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVP
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Network Associates
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShStatEXE
Virus:Win32/Viking.gen!B periodically terminates the following processes, which may be related to security applications:
safeboxTray.exe
360Safe.exe
360safebox.exe
360tray.exe
Downloads and executes arbitrary files
Virus:Win32/Viking.gen!B gets URLs from a remote server and downloads additional malware from the URLs it receives. In the wild we observed this malware contacting the googlesyndication.doctorout.com domain for this purpose, although at the time of publishing the provided URL was no longer available.
Analysis by Shawn Wang