We're gradually updating threat actor names in our reports to align with the new weather-themed taxonomy. Learn about Microsoft threat actor names
Worm:Win32/Viking.NA
Detected by Microsoft Defender Antivirus
Aliases: Win32/Emerleox.HQ (CA) W32/AutoRun.ABRA (Norman) Win32/AutoRun.Agent.NZ (ESET) W32/Autorun.worm!p (McAfee)
Summary
Worm:Win32/Viking.NA is a worm that spreads via removable drives and network shares. It can terminate security-related processes, relocate certain Windows files, drop other malware, modify the HOSTS file and Internet files, infect certain files, and connect to a remote server.
Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Microsoft Safety Scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.
Recovering from recurring infections on a network
The following additional steps may need to be taken to completely remove this threat from an infected network, and to stop infections from recurring from this and other similar types of network-spreading malware:
- Ensure that an antivirus product is installed on ALL machines connected to the network that can access or host shares (see above for further detail).
- Ensure that all available network shares are scanned with an up-to-date antivirus product.
- Restrict permissions as appropriate for network shares on your network. For more information on simple access control, please see: http://technet.microsoft.com/library/bb456977.aspx.
- Remove any unnecessary network shares or mapped drives.
Note: Additionally it may be necessary to temporarily change the permission on network shares to read-only until the disinfection process is complete.
Other recovery instructions
This threat may make lasting changes to an affected system’s configuration that will NOT be restored by detecting and removing this threat. For more information on returning an affected system to its pre-infected state, please see the following article/s:
- Stopping and starting Windows services: http://technet.microsoft.com/en-us/library/cc736564.aspx
- Start the following services, if present in your system:
- Correctly disabling Autorun in Windows: http://support.microsoft.com/kb/953252
- For other support and help related articles, go to:
- Windows Vista: http://support.microsoft.com/ph/11732#tab0
- Windows XP: http://support.microsoft.com/ph/1173#tab0
- Microsoft Security TechNet Center: http://technet.microsoft.com/security/default.aspx
360Safe.exe
360tray.exe
CCENTER.EXE
egui.exe
EHttpSrv.exe
ekrn.exe
essact.exe
Iparmor.exe
kaccore.exe
kavstart.exe
kissvc.exe
kpfwsvc.exe
kwatch.exe
ntsd.exe
RAVMON.EXE
Ravmond.exe
RavStub.exe
ravtask.exe
RAVTIMER.EXE
rfwmain.exe
rfwsrv.exe
rsagent.exe
rsmain.exe
rsnetsvr.exe
rstray.exe
safeboxTray.exe
scanfrm.exe
360tray.exe
CCENTER.EXE
egui.exe
EHttpSrv.exe
ekrn.exe
essact.exe
Iparmor.exe
kaccore.exe
kavstart.exe
kissvc.exe
kpfwsvc.exe
kwatch.exe
ntsd.exe
RAVMON.EXE
Ravmond.exe
RavStub.exe
ravtask.exe
RAVTIMER.EXE
rfwmain.exe
rfwsrv.exe
rsagent.exe
rsmain.exe
rsnetsvr.exe
rstray.exe
safeboxTray.exe
scanfrm.exe
- This threat may also reset your HOSTS file to its default content. If you had added entries to your HOSTS file prior to the detection of this malware, those entries may have been removed. You will have to manually add the entries to your HOSTS file again.
Follow us
