Worm:Win32/Viking (also known as HLLP.Viking) is a classic, destructive network worm and file infector notorious for rapidly propagating across local networks, corrupting executable files, and causing severe system instability.
What is Viking?
For general users, a Viking infection causes significant disruption, often resulting in widespread application crashes and the inability to launch legitimate software. For incident responders, it represents a noisy, aggressive propagation threat. Viking is a true virus/worm hybrid; it seeks to infect every .exe file it can access while simultaneously attempting to copy itself to all reachable network shares.
Infection Vectors & Threat Hunting
Viking primarily spreads by users executing an already infected file or via open SMB network shares. Upon execution, the virus becomes memory-resident. It immediately drops a hidden executable (often named rundl132.exe or similar deceptive names) into the Windows directory and establishes persistence via the Registry Run keys. It then aggressively scans all local drives, targeting executable files. Viking appends its viral body to the legitimate file and modifies the entry point. Crucially, Viking often drops additional payloads, such as backdoors or generic trojan downloaders, to further compromise the host.
Forensic Analysis & Impact
The impact is widespread file corruption and massive operational disruption. EDR platforms frequently trigger a flood of alerts for 'Suspicious File Modification' or 'Executable Entry Point Altered' as Viking rapidly rewrites thousands of files. Incident responders will notice legitimate applications suddenly increasing in size. Network logs will show aggressive SMB scanning (port 445) as the worm attempts lateral movement.
Observed techniques used by this family, mapped to the MITRE ATT&CK framework:
| Technique | Name | Tactic |
|---|---|---|
T1091 | Replication Through Removable Media | Lateral Movement |
T1055.001 | Process Injection: Dynamic-link Library Injection | Defense Evasion |
T1485 | Data Destruction | Impact |
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Persistence |
T1105 | Ingress Tool Transfer | Command and Control |
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_VIKING {
meta:
description = "Detects Viking (file_infector)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "viking" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Viking Activity
id: a4dede7fccd54a3e8a56ad51ac64e94f
status: experimental
description: Detects generic indicators of the viking malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*viking*"
condition: selection
level: mediumOrdered checklist for responders. Adapt to your environment and engage professional support for active incidents.
Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/viking.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.