Virus:Win32/Viking.JB is a prepending file virus. It also attempts to spread via network shares.
Installation
When executed, Virus:Win32/Viking.JB drops the following file:
- <system folder>\drivers\ncscv32.exe - this file is detected as Worm:Win32/Emerleox.gen!A
It then modifies the registry to execute this file at each Windows start:
Adds value: "nvscv32"
With data: "<system folder>\drivers\ncscv32.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP and Vista.
Spreads via…
Network shares
Virus:Win32/Viking.JB attempts to spread via network shares using a simple dictionary attack that utilizes the following usernames and passwords:
000000
007
110
111
1111
111111
11111111
121212
123
123123
1234
12345
123456
1234567
12345678
123456789
1234qwer
123abc
123asd
123qwe
1313
2002
2003
2112
2600
5150
520
5201314
54321
654321
6969
7777
88888888
901100
aaa
abc
abc123
abcd
admin
admin
admin123
administrator
alpha
asdf
baseball
ccc
computer
database
enable
fish
fuck
fuckyou
god
godblessyou
golf
Guest
harley
home
ihavenopass
letmein
login
love
mustang
mypass
mypass123
mypc
mypc123
owner
pass
passwd
password
pat
patrick
pussy
pw123
pwd
qq520
qwer
qwerty
root
server
sex
shadow
super
sybase
temp
temp123
test
test123
win
xxx
yxcv
zxcv
It copies itself to the following folders on shared drives in order to launch a copy of itself when Windows is started:
- \Documents and Settings\All Users\Start Menu\Programs\Startup\
- \Documents and Settings\All Users\
- \WINDOWS\Start Menu\Programs\Startup\
- \WINNT\Profiles\All Users\Start Menu\Programs\Startup\
It also attempts to copy itself to unprotected or weak network shares with the file name 'setup.exe'.
Viking.JB then writes an autorun configuration file named 'autorun.inf' pointing to 'setup.exe'. When the removable or networked drive is accessed from another machine supporting the Autorun feature, the malware is launched automatically.
File infection
Virus:Win32/Viking.JB also spreads by infecting files with the following file extensions:
EXE
SCR
PIF
COM
It infects these files by prepending a copy of its code to the targeted host file. It avoids infecting files contained in the following folders:
Common Files
ComPlus Applications
Documents and Settings
InstallShield Installation Information
Internet Explorer
Messenger
Microsoft Frontpage
Movie Maker
MSN
MSN Gamin Zone
NetMeeting
Outlook Express
Recycled
System Volume Information
system32
WINDOWS
Windows Media Player
Windows NT
WindowsUpdate
WINNT
Payload
Terminates processes
Virus:Win32/Viking.JB terminates the following AV software-related processes:
CCenter.exe
FrogAgent.exe
KRegEx.exe
KVCenter.kxp
KvMonXP.kxp
KVSrvXP.exe
KVXP.kxp
Logo_1.exe
Logo1_.exe
Mcshield.exe
msconfig.exe
naPrdMgr.exe
nvscv32.exe
Rav.exe
Ravmon.exe
Ravmond.exe
RavmonD.exe
RavStub.exe
RavTask.exe
regedit.exe
Rundl132.exe
scan32.exe
spo0lsv.exe
spoclsv.exe
sppoolsv.exe
SREng.EXE
Symantec AntiVirus
System Repair Engineer
System Safety Monitor
taskmgr.exe
TBMon.exe
TrojDie.kxp
UIHost.exe
UpdaterUI.exe
VirusScan
VsTskMgr.exe
Wrapped gift Killer
Additional Information
Virus:Win32/Viking.JB creates the file Desktop__.ini in all the folders it searches. The file Desktop__.ini contains the date of infection in the format YYYY-MM-DD.
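A triage sweep for the two file-system artifacts described above: the 'autorun.inf' that points to 'setup.exe' on shares and removable drives, and the Desktop__.ini date marker. This is an added example, not part of the original analysis or any Microsoft tool. The finding labels, function names and the ANSI-encoding assumption for autorun.inf are this example's own, and a hit is a lead for investigation rather than a detection verdict.

```python
import os
import re
import sys

MARKER = "desktop__.ini"   # infection marker file named on this page
TARGET = "setup.exe"       # file name the page says is dropped on shares
DATE_RE = re.compile(rb"\s*\d{4}-\d{2}-\d{2}\s*")  # YYYY-MM-DD and nothing else
# setup.exe as a whole file name inside an autorun.inf value (not "mysetup.exe")
TARGET_RE = re.compile(r'(?:^|[\\/\s"])setup\.exe(?:$|[\s",])', re.I)


def read_head(path, limit=4096):
    """Return up to `limit` bytes of a file, or b"" if it cannot be read."""
    try:
        with open(path, "rb") as fh:
            return fh.read(limit)
    except OSError:
        return b""


def autorun_points_to_target(data):
    """True if a non-comment key=value line references setup.exe (ANSI file assumed)."""
    for line in data.decode("latin-1").splitlines():
        key, sep, value = line.partition("=")
        if sep and not key.lstrip().startswith(";"):
            if TARGET_RE.search(value.strip()):
                return True
    return False


def scan(root):
    """Walk `root` and return sorted (finding, path) tuples for triage."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        names = {name.lower(): name for name in files}  # Windows names ignore case
        if MARKER in names:
            path = os.path.join(dirpath, names[MARKER])
            if DATE_RE.fullmatch(read_head(path, 64)):
                findings.append(("infection-marker", path))
        if "autorun.inf" in names:
            path = os.path.join(dirpath, names["autorun.inf"])
            if autorun_points_to_target(read_head(path)):
                kind = "autorun-with-setup" if TARGET in names else "autorun-dangling"
                findings.append((kind, path))
    return sorted(findings)


if __name__ == "__main__":
    for kind, path in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind}\t{path}")
```

Run it against a mounted share or drive root, for example `python sweep.py E:\`; "autorun-dangling" means the autorun.inf references setup.exe but no such file sits beside it.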
Analysis by Francis Allan Tan Seng