This is a worm with file infecting capabilities. Standalone file size: 68303 bytes.

When it first executes on a machine it installs itself and creates registry entries to make sure it is run from bootup. It also installs a number of files.

File system changes:
%WINDIR%\uninstall\rundl132.exe
%WINDIR%\Logo_1.exe
%WINDIR%\RichDll.dll
%root%\_desktop.ini

Infects executable files.
May leave temporary BAT files in various locations and with semi-random names.

The files rundl132.exe and Logo_1.exe are identical and contain the main worm, while the DLL file RichDll.dll is a backdoor/downloader trojan. _desktop.ini is a text file that contains the date of infection.

File infection procedure:
The virus looks for files to infect in two ways: first by enumerating mapped drives from C: to Z: and searching them for executable files, and second by connecting to network shares it can get access to and searching those. If an eligible file is found, the virus makes a temporary copy of it using the original file name with an extra “.exe” extension, and infects this copy by prepending its own code. It then deletes the original file and renames the temporary (now infected) copy back to the original name. If for some reason it cannot remove the original file, the virus works around this by creating a temporary looping batch file that deletes the original file and installs the infected copy once the file becomes deletable, for example when the application in question is closed.

The virus will not infect files that are over 16MB in size, or files residing under the following folders:
system
system32
windows
Documents and Settings
System Volume Information
Recycled
winnt
Program Files
Windows NT
WindowsUpdate
Windows Media Player
Outlook Express
Internet Explorer
ComPlus Applications
NetMeeting
Common Files
Messenger
InstallShield Installation Information
Microsoft Frontpage
Movie Maker
MSN Gaming Zone

Registry changes:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  load = %WINDIR%\uninstall\rundl132.exe
HKLM\Software\Soft\DownloadWWW
  auto = 1

Network activity:
The worm pings the local subnet to establish which machines are available, using the string “Hello,World!” as request data. It then attempts to log on to the machines it finds using the WNetAddConnection API, with the following username/password combinations:
administrator / no password
administrator / default password
default user / default password
no user / no password

If it finds machines it can connect to, it attempts to copy itself over as a standalone file to the remote ADMIN$ share, using the file name it is currently running under (either rundl132.exe or logo_1.exe). If it has been granted administrator rights on the remote machine, it then sets the remote file up as a scheduled task on that machine using NetScheduleJobAdd. If it is unable to connect to the ADMIN$ share, or if it is running under Win9x/ME, it finds visible shares on the machine using Windows Networking and attempts to connect to these using the following credentials:
default user / default password
default user / no password

If a connection is successful, it attempts to infect files remotely using the file infection procedure described above. The same procedure also runs once the worm has finished pinging the 255 lowest IPs on the local network: it then starts enumerating network resources, looking for shares and files to infect in the same manner.
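As an added forensic example (not code from the Norman description), the following heuristic recovers the original host program from a file infected by the prepending procedure described above. It assumes that the prepended worm body is exactly the 68303-byte standalone image and that the untouched host PE begins immediately after it; the sample files are constructed minimal MZ/PE shells, not real executables.

```python
import struct

WORM_BODY_LEN = 68303  # standalone worm size given in the description (assumed = prepended size)


def _pe_header_ok(blob: bytes) -> bool:
    """True if blob starts with an MZ header whose e_lfanew points at a PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def carve_prepended_host(data: bytes, body_len: int = WORM_BODY_LEN):
    """Return the original host image if data looks like worm body + host, else None.

    Heuristic: the first body_len bytes must themselves be a valid PE (the worm),
    and a second valid PE must start exactly at body_len (the prepended host).
    A clean file, or one shorter than the worm body, yields None.
    """
    if len(data) <= body_len:
        return None
    if not _pe_header_ok(data[:body_len]):
        return None
    host = data[body_len:]
    if not _pe_header_ok(host):
        return None
    return host


def _fake_pe(fill: bytes, total: int) -> bytes:
    """Build a constructed minimal MZ/PE shell of `total` bytes (not a runnable program)."""
    hdr = bytearray(b"MZ" + fill[:1] * 0x3A)   # DOS header padded up to offset 0x3C
    hdr += struct.pack("<I", 0x40)               # e_lfanew: PE signature at 0x40
    hdr += b"PE\0\0"
    hdr += fill[:1] * (total - len(hdr))
    return bytes(hdr)


# Constructed samples: a clean host, and the same host with a fake worm body prepended.
CLEAN_HOST = _fake_pe(b"H", 4096)
INFECTED = _fake_pe(b"W", WORM_BODY_LEN) + CLEAN_HOST

if __name__ == "__main__":
    recovered = carve_prepended_host(INFECTED)
    print("recovered host matches original:", recovered == CLEAN_HOST)
```

On a real incident the carved host should be confirmed against vendor signatures and a known-good copy before it is put back into service, since the heuristic only checks header structure.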
URL: http://www.norman.com/Virus/Virus_descriptions/45535