Name: Worm/Torvil.D
Discovered on: 22/10/2003
Type: Worm
ITW (in the wild): Yes
Number of reported infections: Low
Spreading potential: Medium to high
Damage potential: Medium
Static file: Yes
Size: 62,464 Bytes
MD5: bd258aa0499a9843a3800C3c61e186b7
VDF version: 6.22.00.13
General
Spreading methods:
• Email
• Local network
Aliases:
• Symantec: W32.HLLW.Torvel.B@mm
• Mcafee: W32/Torvil@MM
• Kaspersky: Email-Worm.Win32.Torvil.d
• TrendMicro: WORM_TORVIL.C
• Grisoft: I-Worm/Torvil.B
• VirusBuster: I-Worm.Torvil.C
• Eset: Win32/Torvil.A
• Bitdefender: Win32.Torvil.B@mm
Operating systems:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Terminates security applications
• Drops a malware file
• Uses its own email engine
• Modifies the registry
• Steals information
Immediately after it is run, a message is displayed on screen (the screenshot is not reproduced here).

Files
It copies itself to the following locations:
• %WINDIR%\SMSS%two random characters%.exe
• %WINDIR%\spool%two random characters%.exe
• %WINDIR%\svchost.exe
Encryption: It creates a new file containing an encrypted copy of the file it finds. The file processed is:
• %WINDIR%\message.dat
The following files are created:
– %WINDIR%\share.dat
– %WINDIR%\message.htm
Further analysis revealed that this file is itself malware.
Detected as: JS/Mimail.B

Registry
The following keys are added to the registry so that the service is loaded after a system restart:
– HKLM\SYSTEM\CurrentControlSet\Services\TORVIL
• "Type"=dword:00000110
• "Start"=dword:00000002
• "ErrorControl"=dword:00000000
• "ImagePath"=%WINDIR%\SMSS%random characters%.exe -xStartOurNiceServicesYes
• "DisplayName"="System Registry Service"
• "ObjectName"="LocalSystem"
• "Description"=Provides Local Access to the Registry
– HKLM\SYSTEM\CurrentControlSet\Services\TORVIL
• "Type"=dword:00000110
• "Start"=dword:00000002
• "ErrorControl"=dword:00000000
• "ImagePath"=%WINDIR%\spool%random characters%.exe -xStartOurNiceServicesYes
• "DisplayName"="System Registry Service"
• "ObjectName"="LocalSystem"
• "Description"=Provides Local Access to the Registry
The following is added to the system registry:
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\OneLevelDeeper\TorvilDB
• "TORVIL"="spool%two random characters%.exe"
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\OneLevelDeeper\TorvilDB
• "TORVIL"="SMSS%two random characters%.exe"
The following registry keys are modified, so that the worm's %WINDIR%\svchost.exe is run every time one of these file types is opened:
– HKCR\exefile\shell\open\command
Old value:
• @="\"%1\" %*"
New value:
• @="%WINDIR%\svchost.exe \"%1\" %*"
– HKCR\cmdfile\shell\open\command
Old value:
• @="\"%1\" %*"
New value:
• @="%WINDIR%\svchost.exe \"%1\" %*"
– HKCR\batfile\shell\open\command
Old value:
• @="\"%1\" %*"
New value:
• @="%WINDIR%\svchost.exe \"%1\" %*"
– HKCR\comfile\shell\open\command
Old value:
• @="\"%1\" %*"
New value:
• @="%WINDIR%\svchost.exe \"%1\" %*"
– HKCR\piffile\shell\open\command
Old value:
• @="\"%1\" %*"
New value:
• @="%WINDIR%\svchost.exe \"%1\" %*"
– HKCR\scrfile\shell\open\command
Old value:
• @="\"%1\" %*"
New value:
• @="%WINDIR%\svchost.exe \"%1\" %*"
Disabling Regedit and Task Manager:
– HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Old value:
• "DisableRegistryTools"=%user settings%
New value:
• "DisableRegistryTools"=dword:00000001
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Old value:
• "Shell"="Explorer.exe"
New value:
• "Shell"="Explorer.exe spool%two random characters%.exe"
– HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Old value:
• "ShowSuperHidden"=%user settings%
New value:
• "ShowSuperHidden"=dword:00000000
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Old value:
• "Shell"="Explorer.exe"
New value:
• "Shell"="Explorer.exe SMSS%two random characters%.exe"

Email
It has a built-in SMTP engine and connects directly to the recipient's mail server. It also uses the Messaging Application Programming Interface (MAPI) to send emails. The emails have the following characteristics:
From: The address is spoofed.
To:
– Email addresses found on the system
– Email addresses obtained from the WAB (Windows Address Book)
– Addresses collected through search engines
Subject: One of the following:
• Your Account at Info@%symbol 1% has expired.
• %symbol 2% Who should read this bulletin: Users running Microsoft Windows
Otherwise the subject is assembled from parts. It sometimes begins with:
• Hello,
• Re:
• Fw:
sometimes followed by:
• %user name of the recipient's address%
and continues with one of the following:
• congratulations!
• darling
• Do not release, its the internal rls!
• Documents
• Pr0n!
• Undeliverable mail--
• Returned mail--
• here's a nice Picture
• New Internal Rls...
• here's the document
• here's the document you requested
• here's the archive you requested
Body: The body of the email is one of the following texts:
• See the attached file for details.
• I have a document attached,which should solve your problems.
• The release file is attached...
• Send me your comments.
• iTs cOnFiDeNtIaL =)
• Here's the document that you had requested.
• That's the answer to all your questions.
• Have a look at the attatchment.
The body may also be one of the following texts:
• Real outtakes from Sex in the City!! Adult content!!! Use with parental advisory =)
• Have a look the Pic attached !! dOnT gIvE iT aWaY...
• Hello %user name of the recipient's address% We are sorry that we cannot offer our old service anymore. Your account will expire at the 2003-11-23. But after all, we still offer a free-mail service, which you have to join right now !!! Our new prices and services are described in the attached html file,which is a compressed ZIP archive. Sicerely Yours The %symbol 1% Team
• Hello, You should apply this fix which solves the newest Internet Explorer Vulnerability described in MS05-023. It is important that you apply this fix now since we estimate the Buffer Overflow is at a Critical Level. Sincerely Yours The Microsoft Security Team 2003 Microsoft Corporation. All rights reserved.
%symbol 1% is replaced by one of a long list of host names (mostly Usenet news servers) embedded in the worm.
%symbol 2% is replaced by one of the following:
• Hello,
• Re:
• Fw:
Attachment: The name of the attached file is one of the following:
• yourwin.bat
• probsolv.doc.pif
• flt-xb5.rar.pif
• document.doc.pif
• sexinthecity.scr
• torvil.pif
• win$hitrulez.pif
• sexy.jpg
• flt-ixb23.zip
• readit.doc.pif
• document1.doc.pif
• attachment.zip
• message.zip
• Q723523_W9X_WXP_x86_EN.exe
The attachment is a copy of the malware.
The email may look like one of the following (the screenshots are not reproduced here).

Email address harvesting
It searches for email addresses in files with the following extensions:
• INBOX; ABD; DAT; DBX; DOC; DOT; EML; HTM; HTML; MAI; MBX; MHT; MMF; NCH; ODS; PHP; PST; RTF; TBB; WAB
Search engine: To collect more email addresses, it connects to the search engine:
• http://www.google.de
Internet address resolution: If the lookup through the default DNS server fails, it may connect to the following DNS servers instead:
• 152.163.159.232
• 193.189.233.45
• 149.174.211.8
• 193.189.231.2
• 64.12.51.132
• 216.109.116.17

P2P
To infect other systems on peer-to-peer networks, it performs the following operations:
– It reads the shared folders from the following registry keys:
• Software\Xolox
• Software\Kazaa\LocalContent
If this succeeds, the following files are created there:
• NetObjects Fusion v7.5; Macromedia Studio MX 2004 AllApps; BearShare Pro 4.3.0; Borland C++ BuilderX 1.0 Enterprise Edition; Microsoft Office System Professional V2003; Halo; Half Life 2; Half Life 2 beta patch2; Nero Burning ROM v6.0.0.19 Ultra Edition; TVTool v8.31; NHL 2004; Norton SystemWorks 2004; McAfee Personal Firewall Plus 2004; iMesh 4.2 Ad Remover; Norton AntiVirus 2004; Norton Antispam 2004; Sophos AntiVirus v3.74; Macromedia Contribute 2; McAfee VirusScan Home Edition 2004; McAfee SpamKiller 2004; Dragon NaturallySpeaking 8 ISO Multilanguage
These files are copies of the malware.
Network
To ensure its spread, the malware tries to contact other systems as described below:
It creates copies of the malware in the following network shares:
• IPC$
• print$
• admin$
• c$
• d$
It uses the following credentials to take control of the remote system:
– List of user names and passwords:
• windows; win98; win95; winnt; winxp; 23523; 654321; 54321; KKKKKKK; 5201314; zxcv; yxcv; xxx; test; pwd; temp; pass; passwd; password; sql; database; admin; root; secret; oracle; sybase; server; computer; Internet; super; user; manager; mypass; mypc; security; public; private; login; love; default; enable; god; guest; home; qwer; qwe; abcd; abc; asdf; asdfgh; alpha; !@; $; !@; $%; !@; $%^; !@; $%^&; !@; $%^&; !@; $%^&(; !@; $%^&()

Process termination
List of terminated processes:
• _AVP32; _AVPCC; _AVPM; ACKWIN32; ADVXDWIN; AGENTW; ALERTSVC; ALOGSERV; AMON9X; ANTI-TROJAN; ANTIVIR; ANTS; APVXDWIN; ATCON; ATRACK; ATUPDATER; ATWATCH; AUTODOWN; AUTO-PROTECT; AUTOTRACE; AVCONSOL; AVE32; AVGCC32; AVGCTRL; AVGSERV; AVGSERV9; AVGW; AVKPOP; AVKSERV; AVKSERVICE; AVKWCTL9; AVP; AVP32; AVPM; AVPTC; AVPUPD; AVSCHED32; AVSYNMGR; AVWIN95; AVWINNT; AVXMONITOR9X; AVXMONITORNT; AVXQUAR; AVXW; BLACKD; BLACKICE; CCEVTMGR; CCPWDSVC; CCSETMGR; CDP; CFGWIZ; CFINET; CLAW95; CLAW95CF; CLEANER; CLEANER3; CMGRDIAN; CONNECTIONMONITOR; CPD; CPDClNT; CTRL; DEFALERT; DEFSCANGUI; DEFWATCH; DOORS; DVP95; DVP95_0; EFPEADM; ETRUSTCIPE; EVPN; EXPERT; F-AGNT95; FAMEH32; FCH32; FIH32; FIREWAL; FNRB32; F-PROT; F-PROT95; FP-WIN; FRW; FSAA; FSAV32; FSGK32; FSM32; FSMA32; FSMB32; F-STOPW; GBMENU; GBPOLL; GENERICS; GUARD; GUARDDOG; IAMAPP; IAMSERV; IAMSTATS; ICLOAD95; ICLOADNT; ICMON; ICSUPP95; ICSUPPNT; IFACE; IOMON98; ISRV95; JEDI; LDNETMON; LDPROMENU; LDSCAN; LOCKDOWN; LOCKDOWN2000; LUALL; LUCOM; LUSPT; MCAGENT; MCMNHDLR; MCSHIELD; MCTOOL; MCUPDATE; MCVSRTE; MCVSSHLD; MGAVRTCL; MGAVRTE; MGHTML; MINILOG; MONITOR; MOOLIVE; MPFAGENT; MPFSERVICE; MPFTRAY; MWATCH; N32SCANW; NAV; NAVAP; NAVAPSVC; NAVAPW32; NAVENGNAVEX15; NAVLU32; NAVRUNR; NAVW32; NAVWNT; NDD32; NEOWATCHLOG; NETUTILS; NISSERV; NISUM; NMAIN; NOD32; NORMIST; NOTSTART; NPROTECT; NPSCHECK; NPSSVC; NRESQ32; NSCHED32; NSCHEDNT; NSPLUGIN; NTRTSCAN; NTVDM; NTXcONFIG; Nui; NUPGRADE; NVC95; NVSVC32; NWSERVICE; NWTOOL16; PADMIN; PAVPROXY; PCCIOMON; PCCMAIN; PCCNTMON; PCCWIN97; PCCWIN98; PCFWALLICON; PCSCAN; PERSFW; PERSWF; POP3TRAP; POPROXY; PORTMONITOR; PROCESSMONITOR; PROGRAMAUDITOR; PVIEW95; RAPAPP; RAV7; RAV7WIN; REALMON; RESCUE; RTVSCN95; RULAUNCH; SAFEWEB; SAVSCAN; SBSERV; SCAN32; SCRSCAN; SMC; SPHINX; SPYXX; SS3EDIT; SWEEP95; SWEEPNET; SWEEPSRV; SWNETSUP; SymProxySvc; SYMTRAY; TAUMON; TCA; TCM; TDS2-98; TDS2-NT; TDS-3; TFAK; TMNTSRV; VBCMSERV; VBCONS; VET32; VET95; VETTRAY; VIR-HELP; VPC32; VPTRAY; VSCHED; VSECOMR; VSHWIN32; VSMAIN; VSMON; VSSTAT; WATCHDOG; WEBSCANX; WEBTRAP; WGFE95; WIMMUN32; WRADMINWRCTRL; WRCTRL; ZAPRO; ZONEALARM

Information theft
It attempts to obtain the following information:
– Passwords stored by the AutoComplete function
– Email account information, read from the registry key HKCU\Software\Microsoft\Internet Account Manager\Accounts
– Passwords of the following programs:
• The Bat!
• Outlook Express
• ICQ

Other information
Mutex: It creates the following mutex:
• TORVIL

File details
Programming language: Delphi.
File compression: To hinder detection and reduce the file size, a runtime packer is used.
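The following read-only host audit is an added example and not part of the original description: it checks a Windows machine for the persistence artefacts listed above (the TORVIL service and TorvilDB key, the shell\open\command hijacks, the Winlogon Shell change, DisableRegistryTools, the dropped files in %WINDIR% and the TORVIL mutex). It assumes an elevated PowerShell session on the host being examined; HKCR is reached through HKLM:\SOFTWARE\Classes. The shell\open\command check is written more generally than the page's case: it flags any command that does not start with "%1", i.e. any proxy binary inserted in front of the real program, not only Torvil's svchost.exe copy.

```powershell
# Added example, not part of the original description: read-only audit for the
# Worm/Torvil.D artefacts described above. Changes nothing on the host.
# Assumes an elevated session; HKCR is reached via HKLM:\SOFTWARE\Classes.
$findings = @()
$win = $env:WINDIR

# Service registered to restart the worm at boot, and its marker key
foreach ($k in 'HKLM:\SYSTEM\CurrentControlSet\Services\TORVIL',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\OneLevelDeeper\TorvilDB') {
    if (Test-Path $k) { $findings += "Registry key present: $k" }
}

# shell\open\command hijack: a legitimate value starts with "%1". Anything placed in
# front of it (Torvil prefixes %WINDIR%\svchost.exe) runs before the real program.
foreach ($t in 'exefile','cmdfile','batfile','comfile','piffile','scrfile') {
    $k = "HKLM:\SOFTWARE\Classes\$t\shell\open\command"
    if (-not (Test-Path $k)) { continue }
    $cmd = [string](Get-ItemProperty -Path $k).'(default)'
    if ($cmd -and -not $cmd.StartsWith('"%1"')) { $findings += "$t open command hijacked: $cmd" }
}

# Winlogon Shell should be explorer.exe alone; Torvil appends its dropped copy
$shell = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').Shell
if ($shell -and $shell -ne 'explorer.exe') { $findings += "Winlogon Shell changed: $shell" }

# Registry editor disabled. ShowSuperHidden=0 is also the Windows default, so it is
# not a useful indicator on its own and is not checked here.
$pol = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableRegistryTools -eq 1) { $findings += 'DisableRegistryTools is set' }

# Dropped files. The legitimate svchost.exe lives in %WINDIR%\System32, never in %WINDIR%;
# the SMSS??.exe / spool??.exe copies carry two random characters before .exe.
foreach ($f in 'svchost.exe','message.dat','share.dat','message.htm') {
    if (Test-Path -LiteralPath "$win\$f") { $findings += "Dropped file present: $win\$f" }
}
Get-ChildItem -Path $win -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^(SMSS|spool)..\.exe$' } |
    ForEach-Object { $findings += "Randomly named copy: $($_.FullName)" }

# Mutex held by the running worm (session-local or global namespace)
foreach ($name in 'TORVIL','Global\TORVIL') {
    $m = $null
    try {
        if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$m)) {
            $findings += "Mutex open: $name"; $m.Dispose()
        }
    } catch [System.UnauthorizedAccessException] { $findings += "Mutex exists (access denied): $name" }
}

if ($findings.Count -eq 0) { 'No Torvil.D indicators found.' } else { $findings }
```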
Description submitted by Irina Boldea on Friday, 19 May 2006.
Description updated by Irina Boldea on Wednesday, 31 May 2006.