Torvil.B

Classification

Category:

Malware

Aliases:

  • Torvil.B
  • Torvil
  • Torvel

Summary

The Torvil worm packs a very broad set of features. It can spread through several different media: P2P networks, newsgroups, email, IRC and local networks.

Removal

Technical Details

The Torvil worm was programmed in Delphi and packed with ASPack.

System installation

The worm copies itself to different locations depending on internal variables. Possible locations are:

  • %WinDir%\spool[variable string].exe
  • %WinDir%\SMSS[variable string].exe
  • %WinDir%\svchost.exe

It will create the following entry in the Windows' registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service Host]

which will point to one of the first two files in the list above (whichever the worm happens to create).

It will also modify the following entry, if it exists:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell]

so that it references the worm's executable (the same file as in the previous registry key).

It will store a database with its own settings at:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\OneLevelDeeper\TorvilDB]
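The three persistence indicators above can be checked against a registry export. The Python below is an added example, not part of the original description or any F-Secure tool: it parses a constructed REGEDIT5 export and reports matches, assuming "Service Host" and "Shell" are value names under Run and Winlogon and TorvilDB is a subkey; the svchost.exe location is deliberately not matched by name because it collides with the legitimate system binary.

```python
import re

# Constructed sample of a "reg export" covering the three locations named
# above; the file name, value data and TorvilDB contents are invented.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Service Host"="C:\\WINDOWS\\SMSSxkq.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\WINDOWS\\SMSSxkq.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\OneLevelDeeper\TorvilDB]
"cfg"="00"
'''

HKLM_SW = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
RUN_KEY = HKLM_SW + r"\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
TORVILDB_KEY = HKLM_SW + r"\CurrentVersion\Explorer\Advanced\OneLevelDeeper\TorvilDB"
# %WinDir%\spool<variable>.exe or %WinDir%\SMSS<variable>.exe, any case; svchost.exe is
# left out because that name also belongs to the real system binary.
WORM_PATH = re.compile(r"\\(spool|smss)[^\\]*\.exe\b", re.IGNORECASE)


def parse_reg_export(text):
    """Minimal REGEDIT5 export parser: {key_path: {value_name: string_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith(('"', "@")) and "=" in line:
            name, _, data = line.partition("=")
            name = "" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # REG_SZ data escapes backslashes and quotes with a backslash.
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def check_torvil_persistence(reg):
    """Return findings for the three persistence indicators described above."""
    findings = []
    run_value = reg.get(RUN_KEY, {}).get("Service Host", "")
    if WORM_PATH.search(run_value):
        findings.append("Run\\Service Host points at a worm-style path: " + run_value)
    shell = reg.get(WINLOGON_KEY, {}).get("Shell", "")
    if shell and shell.strip().lower() != "explorer.exe":
        findings.append("Winlogon\\Shell is not the default explorer.exe: " + shell)
    if TORVILDB_KEY in reg:
        findings.append("TorvilDB settings key is present")
    return findings
```

On a live host the same functions work on the output of `reg export` for the two hives, saved as text.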

Mass-mailing

When composing email, this worm will choose message subjects from the list:

congratulations! darling Do not release, its the internal rls! Documents Pr0n! Undeliverable mail-- Returned mail-- heres a nice Picture New Internal Rls... heres the document heres the document you requested heres the archive you requested

It will use attachment file names from the list:

  • yourwin.bat
  • probsolv.doc.pif
  • flt-xb5.rar.pif
  • document.doc.pif
  • sexinthecity.scr
  • torvil.pif
  • win$hitrulez.pif
  • sexy.jpg
  • flt-ixb23.zip
  • readit.doc.pif
  • document1.doc.pif
  • attachment.zip

And will select one of the following bodies:

See the attached file for details. I have a document attached, The release file is attached... Send me your comments. Real outtakes from Sex in the City!! Have a look the Pic attached !! dOnT gIvE iT aWaY... Heres the document that you had requested. Thats the answer to all your questions. Have a look at the attatchment.

The worm also sends messages that purport to come from Microsoft. These messages refer to patches or security fixes and have content similar to the following:

Body:

Who should read this bulletin: Users running Microsoft Windows All Products | All Updates | Support | Search | microsoft.com Hello, You should apply this fix which solves the newest Internet Explorer Vulnerability described in MS05-023. It is important that you apply this fix now since we estimate the Buffer Overflow is at a Critical Level. Sincerely Yours The Microsoft Security Team e 2003 Microsoft Corporation. All rights reserved.

The attachment name will be:

Q723523_W9X_WXP_x86_EN.exe

Other messages composed by the worm may have the following appearance:

Subject:

Your account at [variable name] has expired.

Body:

Hello We are sorry that we cannot offer our "old" service anymore. Your account will expire at the 2003-11-23. But after all, we still offer a freemail service, which you have to join[link] right now !!! Our new prices and services are described in the attached html file, which is a compressed ZIP archive. Sicerely Yours,

Attachment name:

message.zip
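A mail gateway can triage for the lures listed above with a handful of rules. The Python below is an added example (not F-Secure's detection logic and not the worm's code): it combines the quoted attachment names with two more general heuristics, the double-extension disguise and an executable attached to a message that cites a security bulletin or claims to come from Microsoft, and runs them over constructed sample messages.

```python
import re

# Attachment names quoted in the description above (lower-cased for matching).
KNOWN_ATTACHMENTS = {
    "yourwin.bat", "probsolv.doc.pif", "flt-xb5.rar.pif", "document.doc.pif",
    "sexinthecity.scr", "torvil.pif", "win$hitrulez.pif", "sexy.jpg",
    "flt-ixb23.zip", "readit.doc.pif", "document1.doc.pif", "attachment.zip",
    "q723523_w9x_wxp_x86_en.exe", "message.zip",
}
# A document/archive/image extension immediately followed by an executable one
# (document.doc.pif): the double-extension disguise used by most lures above.
DOUBLE_EXT = re.compile(r"\.(doc|rar|zip|jpg|txt|htm|html)\.(pif|exe|scr|bat|com)$", re.I)
EXECUTABLE_EXT = re.compile(r"\.(pif|exe|scr|bat|com)$", re.I)
BULLETIN_ID = re.compile(r"\bMS\d{2}-\d{3}\b")
EXPIRY_SUBJECT = re.compile(r"^Your account at .+ has expired\.$")


def triage_message(sender, subject, attachment, body):
    """Return the Torvil indicators found in one message (empty list if none)."""
    reasons = []
    name = attachment.lower()
    if name in KNOWN_ATTACHMENTS:
        reasons.append("attachment name is on the Torvil list")
    if DOUBLE_EXT.search(name):
        reasons.append("double extension hides an executable")
    # Vendors do not distribute security fixes as mailed executables; the
    # fake bulletin above does exactly that.
    if EXECUTABLE_EXT.search(name) and BULLETIN_ID.search(body):
        reasons.append("executable attached to a message citing a security bulletin")
    if EXECUTABLE_EXT.search(name) and "microsoft" in sender.lower():
        reasons.append("executable from a sender claiming to be Microsoft")
    if EXPIRY_SUBJECT.match(subject):
        reasons.append("account-expiry lure subject")
    return reasons


# Constructed sample messages, not captured traffic.
SAMPLES = [
    ("security@microsoft.com", "Internet Explorer fix", "Q723523_W9X_WXP_x86_EN.exe",
     "You should apply this fix ... described in MS05-023."),
    ("billing@example.net", "Your account at example.net has expired.", "message.zip",
     "Our new prices and services are described in the attached html file."),
    ("alice@example.org", "Meeting notes", "notes.docx", "Attached as discussed."),
]


def triage_all(samples=SAMPLES):
    """Map each sample's attachment name to its list of indicators."""
    return {att: triage_message(snd, subj, att, body) for snd, subj, att, body in samples}
```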

Spreading in IRC

The worm will attempt to send itself to other users on the IRC channels.

Spreading in Local Network

When trying to gain access to computers on the local network, the worm will use passwords from the list:

23523 654321 54321 KKKKKKK 5201314 zxcv yxcv xxx xp test pw pwd temp pass passwd password sql database admin root secret oracle sybase server computer Internet super user manager mypass mypc security public private login love default enable god guest home qwer qwe abcd abc asdf asdfgh alpha !@#$ !@#$% !@#$%^ !@#$%^& !@#$%^&* !@#$%^&*( !@#$%^&*()

Newsgroups

It will contact news servers from a long hard-coded list of hosts.

P2P spreading

Torvil also copies itself to the shared folders of the popular P2P clients Xolox, Kazaa and eDonkey.

When spreading through P2P software, it copies itself to the P2P applications' folders under the names of popular software from the following list:

NetObjects Fusion v7.5 Macromedia Studio MX 2004 AllApps BearShare Pro 4.3.0 Borland C++ BuilderX 1.0 Enterprise Edition Microsoft Office System Professional V2003 Halo FLT Nero Burning ROM v6.0.0.19 Ultra Edition TVTool v8.31 NHL 2004 Norton SystemWorks 2004 McAfee Personal Firewall Plus 2004 iMesh 4.2 Ad Remover Norton AntiVirus 2004 Norton Antispam 2004 Sophos AntiVirus v3.74 Macromedia Contribute 2 McAfee VirusScan Home Edition 2004 McAfee SpamKiller 2004
