Once an infected file is executed, Viking.H will drop the following files in the Windows directory:
- Logo1_.exe - Infector
- vDll.dll - Downloader
The .DLL component is injected into IEXPLORE.EXE.
Viking.H adds the following registry entry as a part of its installation:
auto = "1"
It creates the following text files where it writes some information related to its activities:
Viking.H is a prepending virus that searches for files starting from fixed drives from the Z: to C: drives.
It infects files with the following extension:
It avoids infecting files with the following strings in its path or filename:
- \Program Files\
- Common Files
- ComPlus Applications
- Documents and Settings
- InstallShield Installation Information
- Internet Explorer
- Microsoft Frontpage
- Microsoft Office
- Movie Maker
- MSN Gaming Zone
- Outlook Express
- System Volume Information
- Windows Media Player
- Windows NT
In order for the host file to execute, Viking.H creates a backup copy of the itself in the current directory as [filename].exe.exe and then drops and executes the original uninfected host file as
[filename].exe. After which, it will now delete the uninfected host file and renames the backup file to the original filename. Viking.H is able to do this with the help of a temporary batch file created in the temporary folder as $$.bat.
Viking.H sends the message "Hello, World" to the following IP address via Internet Control Message Protocol (ICMP) :
It also attempts to propagate via network shares by copying itself to the following shared folders:
- with the following accounts:
It stops the following service:
- "Kingsoft AntiVirus Service"
It terminates the following processes that are often related to Anti-virus products:
Viking.H attempts to download and execute files from the following site:
Note: This site is already down.