Virus

W32/Viking.P

Analysis

  • Samples are packed with Upack.
  • Drops a copy of itself to the Windows folder as rundl132.exe.
    Registry Modification
  • Adds the following registry entry:
    HKEY_LOCAL_MACHINE\SOFTWARE\Soft\DownloadWWW
      auto = "1"
  • Adds the following registry entry in Windows 9x systems:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
      load = "undefinedWindowsundefined\rundl132.exe"
  • Modifies the following registry entry in Windows NT-based systems:
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
      load = "undefinedWindowsundefined\rundl132.exe" (Default is "")

    Infection Method
  • Drops the file viDll.dll  to the current folder. This file is detected as W32/HLLP.AG!worm.
  • Scans all folders and subfolders for EXE files to infect. It drops the file _desktop.ini  to the folders that it has scanned. This file contains the current date in the format YYYY/MM/DD.
  • Prepends itself to files in order to infect them. When infected files are executed, it removes itself from the file, making the file clean. However, the infection routine is still executed, thereby infecting other files.

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the 'Allow Push Update' option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.