Systweak Spyware Library
Systweak Spyware Library text
More than 1126248 spyware signatures and growing
Microsoft Gold Certified Partner
Search in:
Worm.Viking.lr Analysis Report
Threat Submitted On: 4/6/2008 7:54:55 AM
Threat Analysed On: 4/6/2008 12:54:55 PM
Threat Updated On: 10/7/2009 5:34:52 PM
Type : Worm
Symptoms of Viking.lr
  • Replicates itself and spreads to the other computers of the network.
  • Installed by executing the scripts from infected e-mail attachments or messages.
Information
Alias : Worm.Win32.Viking.lr
Md5 Hash : [859f7aea60e32cf9c2bed1c4bf69cf93]
File Size : (128620 bytes)

Here are the Technical findings of our analysis team after analyzing this malware in detail :-

Creates the following infected Files on user's System
Note:
Delete the following Files to remove Infection
File: dir2file.exe
Path : %networkpath%

Md5Hash :b47bf847ac8c5edf8993f04e6304c78d ( 156160 bytes)
File: dir2file.exe.exe
Path : %networkpath%

Md5Hash :( bytes)
File: logo1_.exe
Path : %networkpath%

Md5Hash :( bytes)
File: dir2file.exe.exe
Path : %programfiles%\dir2file

Md5Hash :( bytes)
File: _desktop.ini
Path : %systemdrive%

Skip Navigation Links.
Collapse Md5Hash :Md5Hash :
a013a253523adb058455a421132dc4fc ( 8 bytes)
f925bf06daeef6362240b3b22e13364f ( 9 bytes)
File: ayumi_hamasaki.exe
Path : %systemdrive%

Md5Hash :3447d7b911003ff22e5e708274b44b1d ( 156216 bytes)
File: ayumi_hamasaki.exe.exe
Path : %systemdrive%

Md5Hash :( bytes)
File: $$a5.bat
Path : %temp%

Skip Navigation Links.
Collapse Md5Hash :Md5Hash :
359f537c106cb239aa9fc23ac96f9f79 ( bytes)
394f26b785a7cb3f31f4bfcbbf49d57e ( 402 bytes)
7ad4ebde72ecd6679b41f56ce443e6b0 ( bytes)
7b3b9ac4ccee8f34bcd1d483137a704a ( bytes)
cbe8d035e723fa7aaa18e159eebb8895 ( bytes)
File: 53db_appcompat.txt
Path : %temp%

Md5Hash :f040ee73d1b278fb07a7ea657572bce1 ( 29006 bytes)
File: d801_appcompat.txt
Path : %temp%

Md5Hash :f040ee73d1b278fb07a7ea657572bce1 ( 29006 bytes)
File: ie558d.tmp
Path : %temp%

Md5Hash :( bytes)
File: ied869.tmp
Path : %temp%

Md5Hash :( bytes)
File: logo1_.exe
Path : %windir%

Skip Navigation Links.
Collapse Md5Hash :Md5Hash :
2e0b09ccb4acfa87de511ba3e2ca8f43 ( 95232 bytes)
b7e7e23ce4c05a4df5cfc2ac465dcdaa ( 95232 bytes)
f1b20e26414cc0c4098df574b2c8eadf ( 95232 bytes)
File: richdll.dll
Path : %windir%

Md5Hash :c71f554cd77d4b21e4253f3fc838fe6a ( 16072 bytes)
File: del.bat
Path : %windir%\system32

Md5Hash :82709d680b9b9c190b26ee544c2f2359 ( bytes)
File: rundl132.exe
Path : %windir%\uninstall

Skip Navigation Links.
Collapse Md5Hash :Md5Hash :
2e0b09ccb4acfa87de511ba3e2ca8f43 ( 95232 bytes)
b7e7e23ce4c05a4df5cfc2ac465dcdaa ( 95232 bytes)
f1b20e26414cc0c4098df574b2c8eadf ( 95232 bytes)
File: [randomname].exe
Path : %workingdir%

Skip Navigation Links.
Collapse Md5Hash :Md5Hash :
2469432924c2f7e65cc21bfd54d43abc ( 33398 bytes)
35502d1807819571f939f2823772004c ( bytes)
4d92f8277057cab1277f4d2fe58797ae ( 8901632 bytes)
859f7aea60e32cf9c2bed1c4bf69cf93 ( 128620 bytes)
dbbf571a205688a6ba26e9d27a1ef054 ( 128619 bytes)
File: [randomname].exe.exe
Path : %workingdir%

Skip Navigation Links.
Collapse Md5Hash :Md5Hash :
181dbdbebb2bd13df40c6a20264c9b2e ( bytes)
2469432924c2f7e65cc21bfd54d43abc ( bytes)
2b32422edc84fcc8c013f8baf8fa87d5 ( bytes)
bc1b9cd744e6b5125ce5bfb6dd7530eb ( bytes)
be5f9b0a8c2f3891c78939087e616523 ( bytes)
File: logo1_.exe
Path : \10.10.36.1\admin$

Md5Hash :( bytes)
File: new folder.exe
Path : \10.10.36.2\cshare

Md5Hash :( bytes)
File: new folder.exe.exe
Path : \10.10.36.2\cshare

Md5Hash :( bytes)
Also creates the following files on user's System which are also created by Genuine Software :-
Note:
These file(s) can be kept as they are also created by genuine Software.
File : dir2file.exe
Path : %networkpath%

Md5Hash :e8bf4f790ab6a3f46dee58747c2507be ( 60928 bytes)
File : dir2file.exe
Path : %programfiles%\dir2file

Skip Navigation Links.
Collapse Md5Hash :Md5Hash :
4b69825a8bbd94ebf3034b15ff7baea0 ( 156160 bytes)
54c399d09164a8789355c82f78c0cd6c ( 156160 bytes)
b47bf847ac8c5edf8993f04e6304c78d ( 156160 bytes)
File : 1628d.dmp
Path : %temp%

Md5Hash :d41d8cd98f00b204e9800998ecf8427e ( 0 bytes)
File : 1ed58.dmp
Path : %temp%

Md5Hash :d41d8cd98f00b204e9800998ecf8427e ( 0 bytes)
File : desktop.ini
Path : %userprofile%\local settings\history

Md5Hash :d332ce83b166d5c244d22587ad75aac4 ( 113 bytes)
File : dir2file.exe
Path : \10.10.36.1\cshare\program files\dir2file

Md5Hash :e8bf4f790ab6a3f46dee58747c2507be ( 60928 bytes)
File : dir2file.exe
Path : \10.10.36.2\cshare\program files\dir2file

Md5Hash :e8bf4f790ab6a3f46dee58747c2507be ( 60928 bytes)
Creates the following infected Registry Keys on user's System
Note:
Delete these Registries to remove Infection
The following Registry Values are added to the provided Registry Keys :-
Note:
Delete the added Values from the Key to remove Infection
|__ Value Added :
description = "bc7f5df6"
|__ Value Added :
displayname = "7eda8fb5"
|__ Value Added :
imagepath = "%windir%\system32\6357e292.exe -k"
|__ Value Added :
objectname = "localsystem"
|__ Value Added :
load = "%windir%\uninstall\rundl132.exe"
Creates the following child process(s) on execution:

net stop kingsoft antivirus service

%systemdrive%\docume~1\antisp~1\locals~1\temp\$$a5.bat

%windir%\logo1_.exe

net1 stop kingsoft antivirus service

%workingdir%\[random name].exe

services.exe

%programfiles%\internet explorer\iexplore.exe

%programfiles%\internet explorer\iedw.exe -h 768

%windir%\system32\dwwin.exe -x -s 2000

Creates the Following MUTEX(s) on user's System:-
iexplore.xpexceptionfilter
raspbfile
Copies the Following Files to Given Location :-

Copies :%windir%\logo1_.exe

To : \10.10.36.2\admin$\logo1_.exe

Copies :%windir%\logo1_.exe

To : \10.10.36.3\admin$\logo1_.exe

Copies :%windir%\logo1_.exe

To : \10.10.36.4\admin$\logo1_.exe

Moves the Following Files to Given Location :-
Moves :%workingdir%\[random name].exe.exe
To : %workingdir%\[random name].exe
Moves :%programfiles%\dir2file\dir2file.exe.exe
To : %programfiles%\dir2file\dir2file.exe
Moves :\10.10.36.2\cshare\program files\dir2file\dir2file.exe.exe
To : \10.10.36.2\cshare\program files\dir2file\dir2file.exe
Moves :\10.10.36.3\cshare\program files\dir2file\dir2file.exe.exe
To : \10.10.36.3\cshare\program files\dir2file\dir2file.exe
Moves :\10.10.36.4\cshare\data\b059ac44f0d3643e5cee672f696ae30d.exe.exe.exe
To : \10.10.36.4\cshare\data\b059ac44f0d3643e5cee672f696ae30d.exe.exe
Moves :\10.10.36.4\cshare\program files\dir2file\dir2file.exe.exe
To : \10.10.36.4\cshare\program files\dir2file\dir2file.exe

NOTE:

1. %networkpath% Refers to the any network location on Local Area Network(LAN).
2. %programfiles% Refers to the program files folder. By default it is 'C:\Program Files'
3. %systemdrive% Refers to the windows System drive folder. By default it is 'C:\'
4. %temp% Refers to the windows temp folder. By default it is 'C:\Documents and Settings\[user]\Local Settings\Temp'
5. %windir% Refers to the windows root folder. By default it is 'C:\Windows'
6. %workingdir% Refers to the current directory in which user is working.
7. %userprofile% Refers to the windows current user's profile folder. By default it is 'C:\Documents and Settings\[user]'

Important: We strongly recommend that you backup the Registry before making any changes to it. Incorrect changes to the Registry can result in permanent data loss or corrupted Files. Modify the malicious\suspicious Subkeys only.

Click Here for more spywarelib.com recommended PC Security and Optimization Tools

To modify registry entries in Windows Operating System:
Follow Steps:
1. Click Start > Run
2. Type “regedit” : to open registry editor
3. Navigate to required registry Key from the Left Tree control and modify accordingly.


Microsoft Gold Certified Partner

© Systweak Inc., 1999-2009 All rights reserved.