Worm.Win32.Viking.a
From Total Malware Info
This worm spreads by infecting files on the victim's hard drive. It is a Windows executable (PE-EXE file), 67 072 bytes in size.
Installation
Extracts the following file from its body into the work directory:
%WorkDir%\virDll.dll (17 920 bytes in size)
Copies own executable file as:
%WinDir%\Logo1_.exe
Payload
Terminates the following processes:
EGHOST.EXE MAILMON.EXE KAVPFW.EXE KWatchUI.EXE IPARMOR.EXE RavMon.exe
Executes shell command:
net stop "Kingsoft AntiVirus Service"
Adds a long list of hosts-file entries (Taiwanese portal, news, gaming and e-commerce sites, Microsoft and Windows Update hosts, and the web and update sites of antivirus vendors, every one mapped to the single fake address 66.197.186.149) to the contents of the following file:
%System%\drivers\hosts
In this way requests to those sites (including antivirus update servers) are redirected to the fake address.
Infects Windows executable files (PE-EXE) with the “.exe” extension located on all fixed drives and shared network folders, except those whose name or path contains one of the following strings:
system
system32
windows
Documents and Settings
System Volume Information
Recycled
winnt
\Program Files\
Windows NT
WindowsUpdate
Windows Media Player
Outlook Express
Internet Explorer
ComPlus Applications
NetMeeting
Common Files
Messenger
Microsoft Office
InstallShield Installation Information
Microsoft Frontpage
Movie Maker
MSN Gaming Zone
The worm also does not infect files larger than 10 485 760 bytes. When infecting a file, the worm writes its own body to the beginning of the file and shifts the original contents down so that they follow its body (a prepending infector).
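The prepending layout just described makes an infected file recognisable: a complete second PE header sits exactly one worm-body length into the file. The following Python is an added example (not from the original page or any vendor tool) that detects that layout and strips the prepended body; it assumes the prepended block is exactly the worm's 67 072-byte image, and the PE images it builds for the demonstration are constructed stand-ins.

```python
import struct

# Assumption (the page gives the worm's file size, not the exact prepend length):
# the prepended block is the worm's own 67 072-byte image, so the original
# program starts at that offset.
WORM_BODY_LEN = 67_072
MAX_INFECT_SIZE = 10_485_760  # files above this size are not infected (from the page)


def has_pe_header(data: bytes, offset: int) -> bool:
    """True if a DOS header whose e_lfanew points at a 'PE\\0\\0' signature starts at offset."""
    if data[offset:offset + 2] != b"MZ" or len(data) < offset + 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, offset + 0x3C)[0]  # DOS header field at 0x3C
    sig_at = offset + e_lfanew
    return data[sig_at:sig_at + 4] == b"PE\x00\x00"


def looks_prepended(data: bytes) -> bool:
    """Suspect when a second valid PE header sits exactly WORM_BODY_LEN into the file
    and the remainder is no larger than anything the worm would have infected."""
    return (len(data) > WORM_BODY_LEN
            and len(data) - WORM_BODY_LEN <= MAX_INFECT_SIZE
            and has_pe_header(data, 0)
            and has_pe_header(data, WORM_BODY_LEN))


def restore_original(data: bytes) -> bytes:
    """Strip the prepended body; what remains is the original executable."""
    if not looks_prepended(data):
        raise ValueError("no prepended PE body at the expected offset")
    return data[WORM_BODY_LEN:]


def make_fake_pe(payload: bytes, total_len: int) -> bytes:
    """Constructed test image: minimal DOS stub + PE signature at 0x40, padded to total_len."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> PE signature right after the stub
    return (bytes(hdr) + b"PE\x00\x00" + payload).ljust(total_len, b"\x00")


if __name__ == "__main__":
    worm = make_fake_pe(b"worm-stub", WORM_BODY_LEN)  # stand-in for the worm body
    victim = make_fake_pe(b"original-program", 4096)  # stand-in for a clean .exe
    infected = worm + victim                           # layout the page describes
    print("clean file flagged:", looks_prepended(victim))        # False
    print("restored == original:", restore_original(infected) == victim)  # True
```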
Creates the following registry key:
[HKLM\SOFTWARE\Soft\DownloadWWW]
Downloads a file from the following URL:
http://www.twavgirl.com/1.exe
saves it as:
%WinDir%\1.exe
and then launches it.
Removal Instructions
- Terminate the worm process (possible name: Logo1_.exe).
- Remove the following registry key:
  [HKLM\SOFTWARE\Soft\DownloadWWW]
- Delete the following files:
  %WorkDir%\virDll.dll
  %WinDir%\Logo1_.exe
  %WinDir%\1.exe
- Restore the original contents of %System%\drivers\hosts, which usually contains the following line:
  127.0.0.1 localhost
- Remove all infected files from your hard drive.
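As an added example (not part of the original removal instructions), the following Python performs the hosts-file step: it drops every entry that points at the worm's fake address, keeps everything else as it was, and re-adds the default localhost line if it is missing. The sample hosts content is constructed, and suspicious_entries goes beyond the fixed address to flag any name mapped to a non-loopback address, the general shape of this hijack.

```python
import ipaddress

# The fake address is the one the worm writes for every entry on this page;
# DEFAULT_ENTRY is the line the removal instructions say the file normally contains.
FAKE_ADDRESS = "66.197.186.149"
DEFAULT_ENTRY = "127.0.0.1 localhost"


def parse_entry(raw: str):
    """Return (address, [hostnames]) for a hosts line, or None for blank/comment lines."""
    fields = raw.split("#", 1)[0].split()
    if len(fields) < 2:
        return None
    return fields[0], fields[1:]


def suspicious_entries(text: str) -> list:
    """Entries mapping a name to a non-loopback address: any such line deserves review,
    not only those using the address from this sample."""
    found = []
    for raw in text.splitlines():
        entry = parse_entry(raw)
        if entry is None:
            continue
        try:
            addr = ipaddress.ip_address(entry[0])
        except ValueError:
            continue  # malformed address field; leave it for a human to look at
        if not addr.is_loopback:
            found.append(entry)
    return found


def clean_hosts(text: str, fake_address: str = FAKE_ADDRESS):
    """Drop every mapping that points at fake_address, keep all other lines verbatim,
    and make sure the default localhost line is present. Returns (new_text, removed_names)."""
    kept, removed = [], []
    for raw in text.splitlines():
        entry = parse_entry(raw)
        if entry is not None and entry[0] == fake_address:
            removed.extend(entry[1])
            continue
        kept.append(raw)
    if not any(parse_entry(line) == ("127.0.0.1", ["localhost"]) for line in kept):
        kept.insert(0, DEFAULT_ENTRY)
    return "\n".join(kept) + "\n", removed


# Constructed sample of the file after the worm appended two of its entries.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1 localhost
66.197.186.149 www.kaspersky.com
66.197.186.149 windowsupdate.microsoft.com
"""

if __name__ == "__main__":
    new_text, removed = clean_hosts(SAMPLE_HOSTS)
    print("removed mappings for:", removed)
    print(new_text)
```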