Virus: Worm/Torvil.D
Date discovered: 22/10/2003
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Medium to high
Damage Potential: Medium
Static file: Yes
File size: 62,464 bytes
MD5 checksum: bd258aa0499a9843a3800c3c61e186b7
VDF version: 6.22.00.13
General

Methods of propagation:
• Email
• Local network

Alias:
• Symantec: W32.HLLW.Torvel.B@mm
• McAfee: W32/Torvil@MM
• Kaspersky: Email-Worm.Win32.Torvil.d
• TrendMicro: WORM_TORVIL.C
• Grisoft: I-Worm/Torvil.B
• VirusBuster: I-Worm.Torvil.C
• Eset: Win32/Torvil.A
• Bitdefender: Win32.Torvil.B@mm

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Disables security applications
• Drops a malicious file
• Uses its own email engine
• Registry modification
• Steals information

Right after execution a message is displayed (the screenshot of it is not reproduced in this text).

Files

It copies itself to the following locations:
• %WINDIR%\SMSS%two-digit random character string%.exe
• %WINDIR%\spool%two-digit random character string%.exe
• %WINDIR%\svchost.exe

The copy named svchost.exe sits directly in %WINDIR%; the legitimate svchost.exe lives in %WINDIR%\system32, so a svchost.exe at the top of the Windows directory is a usable indicator on its own.

Encryption:
It creates a new file that is an encrypted copy of a file it has found. The file involved is:
• %WINDIR%\message.dat

The following files are created:
– %WINDIR%\share.dat
– %WINDIR%\message.htm

Further investigation showed that message.htm is malware too. Detected as: JS/Mimail.B

Registry

The following registry keys are added in order to load the service after reboot. Two variants are listed, differing only in the ImagePath. Type 0x110 is an own-process, interactive service, Start 2 is automatic start, and ObjectName LocalSystem means the dropped copy runs as SYSTEM:
– HKLM\SYSTEM\CurrentControlSet\Services\TORVIL
  • "Type"=dword:00000110
  • "Start"=dword:00000002
  • "ErrorControl"=dword:00000000
  • "ImagePath"=%WINDIR%\SMSS%random character string%.exe -xStartOurNiceServicesYes
  • "DisplayName"="System Registry Service"
  • "ObjectName"="LocalSystem"
  • "Description"="Provides Local Access to the Registry"
– HKLM\SYSTEM\CurrentControlSet\Services\TORVIL
  • "Type"=dword:00000110
  • "Start"=dword:00000002
  • "ErrorControl"=dword:00000000
  • "ImagePath"=%WINDIR%\spool%random character string%.exe -xStartOurNiceServicesYes
  • "DisplayName"="System Registry Service"
  • "ObjectName"="LocalSystem"
  • "Description"="Provides Local Access to the Registry"

The following registry keys are added (an infection marker naming the dropped copy):
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\OneLevelDeeper\TorvilDB
  • "TORVIL"="spool%two-digit random character string%.exe"
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\OneLevelDeeper\TorvilDB
  • "TORVIL"="SMSS%two-digit random character string%.exe"

The following registry keys are changed. In each case the default value is changed from
  Old value: @="\"%1\" %*"
to
  New value: @="%WINDIR%\svchost.exe \"%1\" %*"
so that every executable, command, batch, COM, PIF and screen-saver file is launched through the dropped svchost.exe:
– HKCR\exefile\shell\open\command
– HKCR\cmdfile\shell\open\command
– HKCR\batfile\shell\open\command
– HKCR\comfile\shell\open\command
– HKCR\piffile\shell\open\command
– HKCR\scrfile\shell\open\command

Because of these hooks, deleting %WINDIR%\svchost.exe before restoring the six default values leaves the system unable to start any .exe, .cmd, .bat, .com, .pif or .scr file through the shell. Restore the handlers first, then remove the file.

Further changes (Regedit is disabled, the dropped copy is added to the Winlogon shell, and protected operating-system files are hidden):
– HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
  Old value: • "DisableRegistryTools"=%user defined settings%
  New value: • "DisableRegistryTools"=dword:00000001
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Old value: • "Shell"="Explorer.exe"
  New value: • "Shell"="Explorer.exe spool%two-digit random character string%.exe"
– HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  Old value: • "ShowSuperHidden"=%user defined settings%
  New value: • "ShowSuperHidden"=dword:00000000
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Old value: • "Shell"="Explorer.exe"
  New value: • "Shell"="Explorer.exe SMSS%two-digit random character string%.exe"

The Winlogon Shell value is a list of programs Winlogon starts at interactive logon, so the dropped copy starts with every logon even if the TORVIL service is removed; both the service and this value have to be cleaned.

Email

It contains an integrated SMTP engine in order to send emails; a direct connection to the destination mail server is established. It also uses the Messaging Application Programming Interface (MAPI) to send emails. The characteristics are described below.

From: The sender address is spoofed.

To:
– Email addresses found in specific files on the system (see "Search addresses" below)
– Email addresses gathered from the WAB (Windows Address Book)
– Addresses gathered by contacting search engines

Subject: Either one of the following fixed subjects:
• Your Account at Info@%replacement 1% has expired.
• %replacement 2% Who should read this bulletin: Users running Microsoft Windows

or a subject constructed from the following parts. Sometimes it starts with one of:
• Hello,
• Re:
• Fw:
sometimes followed by:
• %username from receiver's email address%
and always ending with one of:
• congratulations!
• darling
• Do not release, its the internal rls!
• Documents
• Pr0n!
• Undeliverable mail--
• Returned mail--
• here's a nice Picture
• New Internal Rls...
• here's the document
• here's the document you requested
• here's the archive you requested

Body: The body of the email is one of the following lines:
• See the attached file for details.
• I have a document attached,which should solve your problems.
• The release file is attached...
• Send me your comments.
• iTs cOnFiDeNtIaL =)
• Here's the document that you had requested.
• That's the answer to all your questions.
• Have a look at the attatchment.

Or the body is one of the following longer texts (reproduced verbatim, including the lure's misspellings; the bulletin number MS05-023 did not exist in 2003, the "fix" is the worm itself):
• Real outtakes from Sex in the City!! Adult content!!! Use with parental advisory =)
• Have a look the Pic attached !! dOnT gIvE iT aWaY...
• Hello %username from receiver's email address% We are sorry that we cannot offer our old service anymore. Your account will expire at the 2003-11-23. But after all, we still offer a free-mail service, which you have to join right now !!! Our new prices and services are described in the attached html file,which is a compressed ZIP archive. Sicerely Yours The %replacement 1% Team
• Hello, You should apply this fix which solves the newest Internet Explorer Vulnerability described in MS05-023. It is important that you apply this fix now since we estimate the Buffer Overflow is at a Critical Level. Sincerely Yours The Microsoft Security Team 2003 Microsoft Corporation. All rights reserved.
%replacement 1% is expanded to one of the following (a list of newsgroup and news-server host names, used as fake sender domains):
• alt.destroy.microsoft; alt.news.microsoft; microsoft.public.win32.programmer.gdi; alpha.webusenet.com; baldrick.blic.net; baracka.rz.uni-augsburg.de; bbsnews.ndhu.edu.tw; beech.fernuni-hagen.de; bias.ipc.uni-tuebingen.de; bossix.informatik.uni-kiel.de; butthead.cybertrails.com; cabale.usenet-fr.net; ccnews.thu.edu.tw; cdr.nord.net; corp.newsgroups.com; corp-binaries.newsgroups.com; davide.msoft.it; demonews.mindspring.com; dogwood.fernuni-hagen.de; dp-news.maxwell.syr.edu; etel.ru; forums.novell.com; freebsd.csie.nctu.edu.tw; frmug.org; ftp.tomica.ru; globo.edinfor.pt; grapevine.lcs.mit.edu; grieg.uol.com.br; htsrv.attack.ru; hub1.meganetnews.com; info.rgv.net; info.tsu.ru; info4.uni-rostock.de; infosun2.rus.uni-stuttgart.de; inx3.inx.net; isgnt5.netnow.net; lord.usenet-edu.net; msnews.microsoft.com; natasha.ncag.edu; netnews.de; news.abcs.com; news.ajou.ac.kr; news.aktrad.ru; news.aoc.gov; news.avcinc.com; news.avicenna.com; news.beta.kz; news.bsi.net.pl; news.caiwireless2.com; news.caravan.ru; news.caribsurf.com; news.cat.net.th; news.cdpa.nsysu.edu.tw; news.cell.ru; news.cofc.edu; news.coli.uni-sb.de; news.com2com.ru; news.comtel.ru; news.corvis.ru; news.cs.nthu.edu.tw; news.cs.tu-berlin.de; news.datast.net; news.deakin.edu.au; news.detnet.com; news.discom.net; news.dma.be; news.dna.affrc.go.jp; news.dsuper.net; news.emn.fr; news.enet.ru; news.freenet.de; news.fwi.com; news.fxalert.com; news.gamma.ru; news.gcip.net; news.gdbnet.ad.jp; news.globalpac.com; news.hanyang.ac.kr; news.htwm.de; news.ind.mh.se; news.inet.gr; news.informatik.uni-bremen.de; news.infotecs.ru; news.intel.com; news.invarnet.inwar.com.pl; news.isu.edu.tw; news.itcanada.com; news.jerseycape.net; news.kiev.sovam.com; news.konkuk.ac.kr; news.krs.ru; news.leivo.ru; news.lit.ru; news.louisa.net; news.lsumc.edu; news.lucky.net; news.man.torun.pl; news.math.cinvestav.mx; news.matnet.com; news.maxnet.ru; news.mc.ntu.edu.tw; news.mindvision.com.au; news.ncue.edu.tw; news.netcarrier.com; news.netdor.com; news.nchu.edu.tw; news.nsysu.edu.tw; news.odata.se; news.online.de; news.phoenixsoftware.com; news.portal.ru; news.primacom.net; news.ramlink.net; news.read.kpnqwest.net; news.readfreenews.net; news.reference.com; news.ripco.com; news.ruhr-uni-bochum.de; news.savvis.net; news.sexzilla.com; news.solaris.ru; news.spiceroad.ne.jp; news.srv.cquest.utoronto.ca; news.sti.com.br; news.tehnicom.net; news.teleglobe.net; news.telepassport.de; news.terra-link.com; news.tln.lib.mi.us; news.tohgoku.or.jp; news.triax.com; news.ttnet.net.tr; news.tu-ilmenau.de; news.udel.edu; news.uncensored-news.com; news.uni-duisburg.de; news.uni-erlangen.de; news.uni-hohenheim.de; news.uni-mannheim.de; news.uni-rostock.de; news.uni-stuttgart.de; news.unitel.co.kr; news.univ-nantes.fr; news.utb.edu; news01.uni-trier.de; news1.sinica.edu.tw; news2.new-york.net; news4.euro.net; news4.odn.ne.jp; news4.uncensored-news.com; news-archive2.icm.edu.pl; newscache0.freenet.de; newscache1.freenet.de; newscache2.freenet.de; newscache3.freenet.de; newscache4.freenet.de; newscache5.freenet.de; pubnews.gradwell.net; regulus.its.deakin.edu.au; service.symantec.com; snews.apol.com.tw; supern2.lnk.telstra.net; tabloid.uwaterloo.ca; www.usenet.pl

%replacement 2% is expanded to one of the following:
• Hello,
• Re:
• Fw:

Attachment:
The filename of the attachment is one of the following:
• yourwin.bat
• probsolv.doc.pif
• flt-xb5.rar.pif
• document.doc.pif
• sexinthecity.scr
• torvil.pif
• win$hitrulez.pif
• sexy.jpg
• flt-ixb23.zip
• readit.doc.pif
• document1.doc.pif
• attachment.zip
• message.zip
• Q723523_W9X_WXP_x86_EN.exe

The attachment is a copy of the malware itself. Most of the names use a double extension (document.doc.pif, flt-xb5.rar.pif): Windows hides the known .pif extension by default, so the file is displayed as a document or archive while .pif, .scr and .bat all execute directly. Q723523_W9X_WXP_x86_EN.exe imitates the naming scheme of Microsoft hotfix packages.
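The subject, body and attachment indicators above, applied to a single message, as an added example. This is not Avira's code and not part of the original description; the message is constructed, the indicator tags (subject:tail, attachment:known, ...) are my own naming, and the double-extension and executable-extension heuristics are generalisations of the attachment list so that a renamed copy still trips the check.

```python
"""Triage one message against the Worm/Torvil.D mail indicators listed above
(subject construction, body lines, attachment names).  Added example, not
Avira code; the message below is constructed, not a captured sample."""
import email
import re
from email import policy

# Attachment names the description lists (lower-cased for comparison).
KNOWN_ATTACHMENTS = {
    "yourwin.bat", "probsolv.doc.pif", "flt-xb5.rar.pif", "document.doc.pif",
    "sexinthecity.scr", "torvil.pif", "win$hitrulez.pif", "sexy.jpg",
    "flt-ixb23.zip", "readit.doc.pif", "document1.doc.pif", "attachment.zip",
    "message.zip", "q723523_w9x_wxp_x86_en.exe",
}
# Generalised from the list: document-looking name with an executable tail,
# or any directly executable extension (assumption: renamed copies exist).
DOUBLE_EXT = re.compile(r"\.(doc|rar|zip|jpg|txt|htm|html)\.(pif|scr|exe|bat|com)$", re.I)
EXEC_EXT = re.compile(r"\.(pif|scr|exe|bat|com|cmd)$", re.I)

# Fixed subjects: the account-expiry lure and the fake bulletin, the latter
# prefixed by %replacement 2% ("Hello,", "Re:" or "Fw:").
SUBJECT_FIXED = re.compile(
    r"^(Your Account at Info@\S+ has expired\.|"
    r"(Hello,|Re:|Fw:)\s*Who should read this bulletin: Users running Microsoft Windows)$",
    re.I)
SUBJECT_PREFIX = re.compile(r"^(Hello,|Re:|Fw:)\s*", re.I)
SUBJECT_TAILS = (  # the constructed subject always ends with one of these
    "congratulations!", "darling", "do not release, its the internal rls!",
    "documents", "pr0n!", "undeliverable mail--", "returned mail--",
    "here's a nice picture", "new internal rls...", "here's the document",
    "here's the document you requested", "here's the archive you requested",
)
BODY_LINES = (  # verbatim body fragments, including the worm's misspellings
    "see the attached file for details.",
    "i have a document attached,which should solve your problems.",
    "the release file is attached...",
    "send me your comments.",
    "its confidential =)",
    "here's the document that you had requested.",
    "that's the answer to all your questions.",
    "have a look at the attatchment.",
    "we are sorry that we cannot offer our old service anymore.",
    "described in ms05-023",
)


def torvil_indicators(raw_message: bytes) -> list[str]:
    """Return the indicator tags a message trips; an empty list means clean."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    subject = (msg["Subject"] or "").strip()
    if SUBJECT_FIXED.match(subject):
        hits.append("subject:fixed")
    else:
        rest = SUBJECT_PREFIX.sub("", subject).lower()
        if any(rest.endswith(t) for t in SUBJECT_TAILS):
            hits.append("subject:tail")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    hits.extend("body:" + line for line in BODY_LINES if line in text)
    for part in msg.iter_attachments():  # non-body MIME parts only
        name = (part.get_filename() or "").lower()
        if name in KNOWN_ATTACHMENTS:
            hits.append("attachment:known:" + name)
        elif DOUBLE_EXT.search(name):
            hits.append("attachment:double-ext:" + name)
        elif EXEC_EXT.search(name):
            hits.append("attachment:exec:" + name)
    return hits


# Constructed sample in the worm's style; the base64 payload is placeholder
# bytes ("MZTORVIL"), not the worm.
SAMPLE = b"""From: "Support" <support@example.invalid>
To: alice@example.invalid
Subject: Re: alice here's the document you requested
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Have a look at the attatchment.
--b1
Content-Type: application/octet-stream; name="document.doc.pif"
Content-Disposition: attachment; filename="document.doc.pif"
Content-Transfer-Encoding: base64

TVpUT1JWSUw=
--b1--
"""
CLEAN = b"Subject: lunch\n\nSee you at noon.\n"

if __name__ == "__main__":
    print(torvil_indicators(SAMPLE))  # three tags: subject, body, attachment
    print(torvil_indicators(CLEAN))   # []
```

A subject tail or a body line on its own is weak (plenty of legitimate mail ends in "Documents"); in a gateway rule, act on an attachment hit, or on a subject or body hit combined with any executable attachment, and quarantine rather than drop so the sample is available for analysis.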
(Screenshots of example emails are not reproduced in this text.)

Mailing

Search addresses:
It searches files of the following types for email addresses:
• INBOX; ABD; DAT; DBX; DOC; DOT; EML; HTM; HTML; MAI; MBX; MHT; MMF; NCH; ODS; PHP; PST; RTF; TBB; WAB

Search engine:
In order to gather more email addresses it contacts the following search engine:
• http://www.google.de

Resolving server names:
If a lookup through the system's configured DNS fails, it falls back to querying the following DNS servers directly:
• 152.163.159.232
• 193.189.233.45
• 149.174.211.8
• 193.189.231.2
• 64.12.51.132
• 216.109.116.17

Workstations sending DNS queries to these addresses instead of to the local resolvers are therefore a usable network indicator.

P2P

In order to infect other systems in the peer-to-peer network community the following action is performed:
– It retrieves shared folders by querying the following registry keys:
  • Software\Xolox
  • Software\Kazaa\LocalContent
If successful, the following files are created in those folders (the names imitate pirated software and games):
• NetObjects Fusion v7.5; Macromedia Studio MX 2004 AllApps; BearShare Pro 4.3.0; Borland C++ BuilderX 1.0 Enterprise Edition; Microsoft Office System Professional V2003; Halo; Half Life 2; Half Life 2 beta patch2; Nero Burning ROM v6.0.0.19 Ultra Edition; TVTool v8.31; NHL 2004; Norton SystemWorks 2004; McAfee Personal Firewall Plus 2004; iMesh 4.2 Ad Remover; Norton AntiVirus 2004; Norton Antispam 2004; Sophos AntiVirus v3.74; Macromedia Contribute 2; McAfee VirusScan Home Edition 2004; McAfee SpamKiller 2004; Dragon NaturallySpeaking 8 ISO Multilanguage
These files are copies of the malware itself.

Network Infection

In order to ensure its propagation the malware attempts to connect to other machines as described below.
It drops copies of itself to the following network shares:
• IPC$
• print$
• admin$
• c$
• d$

It uses the following login information in order to gain access to the remote machine:
– A list of usernames and passwords:
  • windows; win98; win95; winnt; winxp; 23523; 654321; 54321; KKKKKKK; 5201314; zxcv; yxcv; xxx; test; pwd; temp; pass; passwd; password; sql; database; admin; root; secret; oracle; sybase; server; computer; Internet; super; user; manager; mypass; mypc; security; public; private; login; love; default; enable; god; guest; home; qwer; qwe; abcd; abc; asdf; asdfgh; alpha; !@; $; !@; $%; !@; $%^; !@; $%^&; !@; $%^&; !@; $%^&(; !@; $%^&()

The list consists entirely of blank-style, default and keyboard-pattern passwords, so this vector only succeeds against accounts using one of them with the administrative shares reachable from the infected host. A password policy that rejects these values and blocking SMB between workstations both stop it.

Process termination

List of processes that are terminated (matched by image name; note that the list also includes NTVDM, the 16-bit subsystem):
• _AVP32; _AVPCC; _AVPM; ACKWIN32; ADVXDWIN; AGENTW; ALERTSVC; ALOGSERV; AMON9X; ANTI-TROJAN; ANTIVIR; ANTS; APVXDWIN; ATCON; ATRACK; ATUPDATER; ATWATCH; AUTODOWN; AUTO-PROTECT; AUTOTRACE; AVCONSOL; AVE32; AVGCC32; AVGCTRL; AVGSERV; AVGSERV9; AVGW; AVKPOP; AVKSERV; AVKSERVICE; AVKWCTL9; AVP; AVP32; AVPM; AVPTC; AVPUPD; AVSCHED32; AVSYNMGR; AVWIN95; AVWINNT; AVXMONITOR9X; AVXMONITORNT; AVXQUAR; AVXW; BLACKD; BLACKICE; CCEVTMGR; CCPWDSVC; CCSETMGR; CDP; CFGWIZ; CFINET; CLAW95; CLAW95CF; CLEANER; CLEANER3; CMGRDIAN; CONNECTIONMONITOR; CPD; CPDCLNT; CTRL; DEFALERT; DEFSCANGUI; DEFWATCH; DOORS; DVP95; DVP95_0; EFPEADM; ETRUSTCIPE; EVPN; EXPERT; F-AGNT95; FAMEH32; FCH32; FIH32; FIREWAL; FNRB32; F-PROT; F-PROT95; FP-WIN; FRW; FSAA; FSAV32; FSGK32; FSM32; FSMA32; FSMB32; F-STOPW; GBMENU; GBPOLL; GENERICS; GUARD; GUARDDOG; IAMAPP; IAMSERV; IAMSTATS; ICLOAD95; ICLOADNT; ICMON; ICSUPP95; ICSUPPNT; IFACE; IOMON98; ISRV95; JEDI; LDNETMON; LDPROMENU; LDSCAN; LOCKDOWN; LOCKDOWN2000; LUALL; LUCOM; LUSPT; MCAGENT; MCMNHDLR; MCSHIELD; MCTOOL; MCUPDATE; MCVSRTE; MCVSSHLD; MGAVRTCL; MGAVRTE; MGHTML; MINILOG; MONITOR; MOOLIVE; MPFAGENT; MPFSERVICE; MPFTRAY; MWATCH; N32SCANW; NAV; NAVAP; NAVAPSVC; NAVAPW32; NAVENG; NAVEX15; NAVLU32; NAVRUNR; NAVW32; NAVWNT; NDD32; NEOWATCHLOG; NETUTILS; NISSERV; NISUM; NMAIN; NOD32; NORMIST; NOTSTART; NPROTECT; NPSCHECK; NPSSVC; NRESQ32; NSCHED32; NSCHEDNT; NSPLUGIN; NTRTSCAN; NTVDM; NTXCONFIG; Nui; NUPGRADE; NVC95; NVSVC32; NWSERVICE; NWTOOL16; PADMIN; PAVPROXY; PCCIOMON; PCCMAIN; PCCNTMON; PCCWIN97; PCCWIN98; PCFWALLICON; PCSCAN; PERSFW; PERSWF; POP3TRAP; POPROXY; PORTMONITOR; PROCESSMONITOR; PROGRAMAUDITOR; PVIEW95; RAPAPP; RAV7; RAV7WIN; REALMON; RESCUE; RTVSCN95; RULAUNCH; SAFEWEB; SAVSCAN; SBSERV; SCAN32; SCRSCAN; SMC; SPHINX; SPYXX; SS3EDIT; SWEEP95; SWEEPNET; SWEEPSRV; SWNETSUP; SymProxySvc; SYMTRAY; TAUMON; TCA; TCM; TDS2-98; TDS2-NT; TDS-3; TFAK; TMNTSRV; VBCMSERV; VBCONS; VET32; VET95; VETTRAY; VIR-HELP; VPC32; VPTRAY; VSCHED; VSECOMR; VSHWIN32; VSMAIN; VSMON; VSSTAT; WATCHDOG; WEBSCANX; WEBTRAP; WGFE95; WIMMUN32; WRADMIN; WRCTRL; ZAPRO; ZONEALARM

Stealing

It tries to steal the following information:
– Recorded passwords used by the AutoComplete function
– Email account information obtained from the registry key: HKCU\Software\Microsoft\Internet Account Manager\Accounts
– Passwords from the following programs:
  • The Bat!
  • Outlook Express
  • ICQ

Miscellaneous

Mutex:
It creates the following mutex:
• TORVIL

File details

Programming language:
The malware program was written in Delphi.

Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.
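The host indicators from the Files and Registry sections above can be checked offline against a `reg export` of a suspect machine and a listing of its %WINDIR%. The script below is an added example, not Avira's code and not part of the original description: the .reg text and the directory listing are constructed, the clean handler value `"%1" %*` is the Old value given above, and the strong/weak labelling of findings is my own. The DisableRegistryTools check is deliberately marked weak because that value is also set by legitimate group policy.

```python
"""Offline triage of a 'reg export' file and a %WINDIR% listing against the
Worm/Torvil.D host indicators described above.  Added example, not Avira code;
the .reg text and the directory listing are constructed samples."""
import re

HIVES = {"HKEY_CLASSES_ROOT": "HKCR", "HKEY_LOCAL_MACHINE": "HKLM",
         "HKEY_CURRENT_USER": "HKCU", "HKEY_USERS": "HKU"}
_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text: str) -> dict:
    """Parse .reg text into {key: {value_name: data}}, names lower-cased since
    the registry is case-insensitive.  Decodes REG_SZ, dword: and hex(2)
    (REG_EXPAND_SZ as UTF-16LE, which real exports use for ImagePath)."""
    lines, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\") and not line.startswith("["):  # hex continuation
            pending = line[:-1]
            continue
        pending = ""
        lines.append(line)
    keys, current = {}, None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            current = keys.setdefault((HIVES.get(hive, hive) + "\\" + rest).lower(), {})
        elif current is not None and (m := _VALUE.match(line)):
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1].lower()
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            elif data.lower().startswith("dword:"):
                data = int(data[6:], 16)
            elif data.lower().startswith("hex(2):"):
                raw = bytes(int(b, 16) for b in data[7:].split(",") if b)
                data = raw.decode("utf-16-le").rstrip("\x00")
            current[name] = data
    return keys


SHELL_OPEN = ["hkcr\\%sfile\\shell\\open\\command" % t
              for t in ("exe", "cmd", "bat", "com", "pif", "scr")]
SERVICES = "hklm\\system\\currentcontrolset\\services\\"
WINLOGON = "hklm\\software\\microsoft\\windows nt\\currentversion\\winlogon"
POLICIES = "hkcu\\software\\microsoft\\windows\\currentversion\\policies\\system"
DROPPED = re.compile(r"^(smss|spool)[a-z0-9]{2}\.exe$", re.I)


def registry_findings(keys: dict) -> list[str]:
    """Strong = Torvil-specific or a hijack by itself; weak = policy tweak."""
    out = []
    for k in SHELL_OPEN:  # any deviation from "%1" %* wraps every launch
        cmd = keys.get(k, {}).get("@")
        if cmd is not None and cmd != '"%1" %*':
            out.append("strong: %s hijacked -> %s" % (k, cmd))
    for k, vals in keys.items():
        img = str(vals.get("imagepath", ""))
        if k.startswith(SERVICES) and (k.endswith("\\torvil")
                                       or "-xstartourniceservicesyes" in img.lower()):
            out.append("strong: service %s -> %s" % (k, img))
        if k.endswith("\\explorer\\advanced\\oneleveldeeper\\torvildb"):
            out.append("strong: marker key %s" % k)
    shell = str(keys.get(WINLOGON, {}).get("shell", "explorer.exe"))
    if shell.strip().lower() != "explorer.exe":
        out.append("strong: winlogon shell -> %s" % shell)
    if keys.get(POLICIES, {}).get("disableregistrytools") == 1:
        out.append("weak: regedit disabled by policy")
    return out


def file_findings(windir_names: list[str]) -> list[str]:
    """Names directly in %WINDIR% (not system32), as the description lists."""
    out = []
    for n in windir_names:
        if DROPPED.match(n):
            out.append("strong: dropped copy %s" % n)
        elif n.lower() == "svchost.exe":  # the real one lives in system32
            out.append("strong: svchost.exe in %WINDIR% (launch hook)")
        elif n.lower() in ("message.dat", "share.dat", "message.htm"):
            out.append("medium: helper file %s" % n)
    return out


SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\svchost.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TORVIL]
"Type"=dword:00000110
"Start"=dword:00000002
"ImagePath"="C:\\WINDOWS\\SMSS7k.exe -xStartOurNiceServicesYes"
"Description"=hex(2):50,00,72,00,6f,00,76,00,\
  69,00,64,00,65,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe spool7k.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"""
SAMPLE_WINDIR = ["explorer.exe", "SMSS7k.exe", "spool7k.exe", "svchost.exe",
                 "message.dat", "share.dat", "message.htm", "win.ini"]

if __name__ == "__main__":
    for finding in registry_findings(parse_reg(SAMPLE_REG)) + file_findings(SAMPLE_WINDIR):
        print(finding)
```

Run it against `reg export HKLM hklm.reg` plus `reg export HKCR hkcr.reg` and `reg export HKCU hkcu.reg` concatenated, and a `dir /b %WINDIR%` listing taken from the suspect host. The mutex TORVIL and the running processes cannot be seen in an export; check those live.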
Description inserted by Irina Boldea on Friday, May 19, 2006
Description updated by Irina Boldea on Wednesday, May 31, 2006