The Torvil worm was programmed in Delphi and packed with ASPack.
System installation
The worm copies itself to different locations depending on internal variables. Possible locations are:
%WinDir%\spool[variable string].exe
%WinDir%\SMSS[variable string].exe
%WinDir%\svchost.exe
It creates the following entry in the Windows registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service Host]
which points to whichever of the first two files in the list above the worm has created.
It also modifies the following entry, if it exists:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell]
so that it references the worm's executable (the same file as in the previous registry key). Since Winlogon starts whatever this value names as the user's shell, the worm survives a reboot even if the Run entry alone is deleted.
It stores its own settings in a key at:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\OneLevelDeeper\TorvilDB]
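The three registry locations above are the cheapest indicators to check offline, for example on a .reg export taken from a suspect machine. The Python script below is an added example written for this page, not code from the original description or from any vendor tool: it parses a .reg export, reads the Run\Service Host value, the Winlogon\Shell value and the TorvilDB key, and reports what it finds. The two exports embedded in it are constructed, and the file name spoolsv32.exe stands in for the worm's variable string.

```python
import re

# Registry locations from the description above; .reg exports spell out HKEY_LOCAL_MACHINE.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
TORVILDB_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                r"\Explorer\Advanced\OneLevelDeeper\TorvilDB")

# Worm copies are %WinDir%\spool<variable>.exe or %WinDir%\SMSS<variable>.exe. The legitimate
# spoolsv.exe and smss.exe live under System32, so that directory is excluded from the match.
DROP_PATH = re.compile(r"^(?P<dir>.*)\\(?P<file>(?:spool|smss)[^\\]*\.exe)$", re.IGNORECASE)

_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote(s):
    """Strip the surrounding quotes of a .reg string and undo its \\ and \" escapes."""
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg_export(text):
    """Parse a .reg export into {key_path_lowercased: {value_name: data}}.
    String values ("name"="data") and the default value (@="data") are unescaped;
    hex:/dword: data is kept as the raw text, which is enough for this check."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None:
            continue          # header line such as "Windows Registry Editor Version 5.00"
        m = _VALUE_LINE.match(line)
        if not m:
            continue
        name = "" if m.group(1) == "@" else _unquote(m.group(1))
        keys[current][name] = _unquote(m.group(2))
    return keys


def looks_like_drop_path(path):
    """True when path names spool*.exe or SMSS*.exe outside a System32 directory."""
    m = DROP_PATH.match(path)
    return bool(m) and not m.group("dir").lower().endswith("system32")


def torvil_indicators(keys):
    """Return one human-readable line per persistence indicator found in a parsed export."""
    hits = []
    svc = keys.get(RUN_KEY.lower(), {}).get("Service Host")
    if svc is not None:
        verdict = "worm drop path" if looks_like_drop_path(svc) else "unexpected value, review"
        hits.append("Run\\Service Host = %s (%s)" % (svc, verdict))
    shell = keys.get(WINLOGON_KEY.lower(), {}).get("Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        hits.append("Winlogon\\Shell = %s (hijacked shell)" % shell)
    if TORVILDB_KEY.lower() in keys:
        hits.append("TorvilDB settings key present")
    return hits


# Constructed sample exports, not captured from a real infection; "spoolsv32" stands in for
# the worm's variable string.
INFECTED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Service Host"="C:\\WINDOWS\\spoolsv32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\WINDOWS\\spoolsv32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\OneLevelDeeper\TorvilDB]
"Version"="1"
'''

CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SomeTool"="C:\\Program Files\\SomeTool\\tool.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
'''

if __name__ == "__main__":
    for label, export in (("infected", INFECTED_EXPORT), ("clean", CLEAN_EXPORT)):
        print(label, torvil_indicators(parse_reg_export(export)) or ["no indicators"])
```

Regedit writes exports as UTF-16 with a byte-order mark, so read a real file with open(path, encoding="utf-16") before handing the text to parse_reg_export. Any Shell value other than explorer.exe is reported whether or not Torvil wrote it, because that value is what Winlogon launches as the user shell and a non-default entry deserves a look in any case.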
Mass-mailing
When composing email, this worm will choose message subjects from the list:
congratulations!
darling
Do not release, its the internal rls!
Documents
Pr0n!
Undeliverable mail--
Returned mail--
here´s a nice Picture
New Internal Rls...
here´s the document
here´s the document you requested
here´s the archive you requested
It will use attachment file names from the list:
yourwin.bat
probsolv.doc.pif
flt-xb5.rar.pif
document.doc.pif
sexinthecity.scr
torvil.pif
win$hitrulez.pif
sexy.jpg
flt-ixb23.zip
readit.doc.pif
document1.doc.pif
attachment.zip
It selects one of the following message bodies:
See the attached file for details.
I have a document attached,
The release file is attached...
Send me your comments.
Real outtakes from Sex in the City!!
Have a look the Pic attached !!
dOnT gIvE iT aWaY...
Here´s the document that you had requested.
That´s the answer to all your questions.
Have a look at the attatchment.
The worm also sends messages that pretend to come from Microsoft. These refer to patches or security fixes and have content similar to:
Body:
Who should read this bulletin: Users running Microsoft ® Windows ®
All Products | All Updates | Support | Search | microsoft.com
Hello,
You should apply this fix which solves the newest
Internet Explorer Vulnerability described in MS05-023.
It is important that you apply this fix now since
we estimate the Buffer Overflow is at a Critical Level.
Sincerely Yours The Microsoft Security Team
© 2003 Microsoft Corporation. All rights reserved.
The attachment name will be:
Q723523_W9X_WXP_x86_EN.exe
Other messages composed by the worm may look like this:
Subject:
Your account at [variable name] has expired.
Body:
Hello
We are sorry that we cannot offer our "old" service
anymore.
Your account will expire at the 2003-11-23.
But after all, we still offer a freemail service,
which you have to join[link] right now !!!
Our new prices and services are described in the attached html file,
which is a compressed ZIP archive.
Sicerely Yours,
Attachment name:
message.zip
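Taken together, the subject and attachment lists above, the fake Microsoft bulletin and the expired-account message are enough for a gateway-side check. The Python below is an added example for this page, not code from the original description: it parses an RFC 822 message, scores it against the subject and attachment names listed above, generalises the patch lure to any Qnnnnnn_*.exe attachment and the account lure to any "Your account at ... has expired." subject (both are assumptions beyond the single names given), and separately flags attachments whose bytes start with the MZ header of a PE image but carry a non-executable extension. The messages it builds are constructed test input, not captured samples.

```python
import email
import os
import re
from email import policy
from email.message import EmailMessage

# Lure strings from the lists above. The worm's strings use an acute accent (U+00B4),
# not an apostrophe, in "here´s"; the subject check needs that exact character.
SUBJECTS = {s.lower() for s in (
    "congratulations!", "darling", "Do not release, its the internal rls!", "Documents", "Pr0n!",
    "Undeliverable mail--", "Returned mail--", "here\u00b4s a nice Picture", "New Internal Rls...",
    "here\u00b4s the document", "here\u00b4s the document you requested",
    "here\u00b4s the archive you requested",
)}
ATTACHMENTS = {a.lower() for a in (
    "yourwin.bat", "probsolv.doc.pif", "flt-xb5.rar.pif", "document.doc.pif", "sexinthecity.scr",
    "torvil.pif", "win$hitrulez.pif", "sexy.jpg", "flt-ixb23.zip", "readit.doc.pif",
    "document1.doc.pif", "attachment.zip", "Q723523_W9X_WXP_x86_EN.exe", "message.zip",
)}
EXEC_EXT = {".exe", ".pif", ".scr", ".bat", ".com"}
# Assumed generalisations of the two single examples above: any Qnnnnnn_*.exe "patch" and any
# "Your account at <name> has expired." subject, both matched on lower-cased text.
FAKE_PATCH = re.compile(r"^q\d{6}_.*\.exe$")
FAKE_ACCOUNT = re.compile(r"^your account at .+ has expired\.$")


def classify_message(raw_bytes):
    """Return (score, reasons) for one RFC 822 message; each matched indicator adds one point."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    subject = str(msg["Subject"] or "").strip()
    if subject.lower() in SUBJECTS or FAKE_ACCOUNT.match(subject.lower()):
        reasons.append("known lure subject: %r" % subject)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        low = name.lower()
        base, ext = os.path.splitext(low)
        if low in ATTACHMENTS:
            reasons.append("known worm attachment name: %s" % name)
        elif FAKE_PATCH.match(low):
            reasons.append("fake Microsoft patch attachment: %s" % name)
        elif ext in EXEC_EXT:
            # document.doc.pif: the inner extension hides the executable type from the user
            kind = "double-extension executable" if os.path.splitext(base)[1] else "executable"
            reasons.append("%s attachment: %s" % (kind, name))
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"MZ") and ext not in EXEC_EXT:
            reasons.append("PE image behind a non-executable extension: %s" % name)
    return len(reasons), reasons


def build_sample(subject, filename, payload):
    """Build a constructed test message with one attachment (not a captured worm sample)."""
    m = EmailMessage()
    m["From"] = "someone@example.invalid"
    m["To"] = "victim@example.invalid"
    m["Subject"] = subject
    m.set_content("See the attached file for details.")
    m.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()


FAKE_PE = b"MZ" + b"\0" * 62        # only the DOS header magic; enough for the check above

SAMPLES = {
    "document lure": build_sample("here\u00b4s the document you requested", "document.doc.pif", FAKE_PE),
    "expired account": build_sample("Your account at Example Mail has expired.", "message.zip",
                                    b"PK\x03\x04" + b"\0" * 26),
    "picture as PE": build_sample("Pr0n!", "sexy.jpg", FAKE_PE),
    "patch lure": build_sample("Microsoft Security Bulletin", "Q123456_WXP_x86_EN.exe", FAKE_PE),
    "benign": build_sample("Meeting notes", "notes.txt", b"agenda\n"),
}


def score_samples():
    """Score every constructed sample; a score of 2 or more is the suggested quarantine threshold."""
    return {label: classify_message(raw)[0] for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        score, reasons = classify_message(raw)
        print("%-16s score=%d  %s" % (label, score, "; ".join(reasons)))
```

The MZ check is independent of the name lists and is the part worth keeping once the lure strings are stale: a .jpg or .zip attachment whose first two bytes are MZ is an executable whatever its name says, and the worm's own "sexy.jpg" is caught that way even if the subject list is never updated.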
Spreading in IRC
The worm also attempts to send itself to other users on IRC channels.
Spreading in Local Network
When trying to gain access to computers in the local network, the worm uses passwords from the list:
23523
654321
54321
KKKKKKK
5201314
zxcv
yxcv
xxx
xp
test
pw
pwd
temp
pass
passwd
password
sql
database
admin
root
secret
oracle
sybase
server
computer
Internet
super
user
manager
mypass
mypc
security
public
private
login
love
default
enable
god
guest
home
qwer
qwe
abcd
abc
asdf
asdfgh
alpha
!@#$
!@#$%
!@#$%^
!@#$%^&
!@#$%^&*
!@#$%^&*(
!@#$%^&*()
Newsgroups
It will contact news servers from the list:
alpha.webusenet.com
baldrick.blic.net
baracka.rz.uni-augsburg.de
bbsnews.ndhu.edu.tw
beech.fernuni-hagen.de
bias.ipc.uni-tuebingen.de
bossix.informatik.uni-kiel.de
butthead.cybertrails.com
cabale.usenet-fr.net
ccnews.thu.edu.tw
cdr.nord.net
corp.newsgroups.com
corp-binaries.newsgroups.com
davide.msoft.it
demonews.mindspring.com
dogwood.fernuni-hagen.de
dp-news.maxwell.syr.edu
etel.ru
forums.novell.com
freebsd.csie.nctu.edu.tw
frmug.org
ftp.tomica.ru
globo.edinfor.pt
grapevine.lcs.mit.edu
grieg.uol.com.br
htsrv.attack.ru
hub1.meganetnews.com
info.rgv.net
info.tsu.ru
info4.uni-rostock.de
infosun2.rus.uni-stuttgart.de
inx3.inx.net
isgnt5.netnow.net
lord.usenet-edu.net
msnews.microsoft.com
natasha.ncag.edu
netnews.de
news.abcs.com
news.ajou.ac.kr
news.aktrad.ru
news.aoc.gov
news.avcinc.com
news.avicenna.com
news.beta.kz
news.bsi.net.pl
news.caiwireless2.com
news.caravan.ru
news.caribsurf.com
news.cat.net.th
news.cdpa.nsysu.edu.tw
news.cell.ru
news.cofc.edu
news.coli.uni-sb.de
news.com2com.ru
news.comtel.ru
news.corvis.ru
news.cs.nthu.edu.tw
news.cs.tu-berlin.de
news.datast.net
news.deakin.edu.au
news.detnet.com
news.discom.net
news.dma.be
news.dna.affrc.go.jp
news.dsuper.net
news.emn.fr
news.enet.ru
news.freenet.de
news.fwi.com
news.fxalert.com
news.gamma.ru
news.gcip.net
news.gdbnet.ad.jp
news.globalpac.com
news.hanyang.ac.kr
news.htwm.de
news.ind.mh.se
news.inet.gr
news.informatik.uni-bremen.de
news.infotecs.ru
news.intel.com
news.invarnet.inwar.com.pl
news.isu.edu.tw
news.itcanada.com
news.jerseycape.net
news.kiev.sovam.com
news.konkuk.ac.kr
news.krs.ru
news.leivo.ru
news.lit.ru
news.louisa.net
news.lsumc.edu
news.lucky.net
news.man.torun.pl
news.math.cinvestav.mx
news.matnet.com
news.maxnet.ru
news.mc.ntu.edu.tw
news.mindvision.com.au
news.ncue.edu.tw
news.netcarrier.com
news.netdor.com
news.nchu.edu.tw
news.nsysu.edu.tw
news.odata.se
news.online.de
news.phoenixsoftware.com
news.portal.ru
news.primacom.net
news.ramlink.net
news.read.kpnqwest.net
news.readfreenews.net
news.reference.com
news.ripco.com
news.ruhr-uni-bochum.de
news.savvis.net
news.sexzilla.com
news.solaris.ru
news.spiceroad.ne.jp
news.srv.cquest.utoronto.ca
news.sti.com.br
news.tehnicom.net
news.teleglobe.net
news.telepassport.de
news.terra-link.com
news.tln.lib.mi.us
news.tohgoku.or.jp
news.triax.com
news.ttnet.net.tr
news.tu-ilmenau.de
news.udel.edu
news.uncensored-news.com
news.uni-duisburg.de
news.uni-erlangen.de
news.uni-hohenheim.de
news.uni-mannheim.de
news.uni-rostock.de
news.uni-stuttgart.de
news.unitel.co.kr
news.univ-nantes.fr
news.utb.edu
news01.uni-trier.de
news1.sinica.edu.tw
news2.new-york.net
news4.euro.net
news4.odn.ne.jp
news4.uncensored-news.com
news-archive2.icm.edu.pl
newscache0.freenet.de
newscache1.freenet.de
newscache2.freenet.de
newscache3.freenet.de
newscache4.freenet.de
newscache5.freenet.de
pubnews.gradwell.net
regulus.its.deakin.edu.au
service.symantec.com
snews.apol.com.tw
supern2.lnk.telstra.net
tabloid.uwaterloo.ca
www.usenet.pl
P2P spreading
Torvil also copies itself to the shared folders of the popular P2P clients Xolox, Kazaa and eDonkey.
When spreading through P2P software, it copies itself to those folders under the names of popular software, chosen from the following list:
NetObjects Fusion v7.5
Macromedia Studio MX 2004 AllApps
BearShare Pro 4.3.0
Borland C++ BuilderX 1.0 Enterprise Edition
Microsoft Office System Professional V2003
Halo FLT
Nero Burning ROM v6.0.0.19 Ultra Edition
TVTool v8.31
NHL 2004
Norton SystemWorks 2004
McAfee Personal Firewall Plus 2004
iMesh 4.2 Ad Remover
Norton AntiVirus 2004
Norton Antispam 2004
Sophos AntiVirus v3.74
Macromedia Contribute 2
McAfee VirusScan Home Edition 2004
McAfee SpamKiller 2004
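A share-folder audit for the bait names above, as an added Python example for this page and not part of the original description. The extension of the worm's copies is not given above, so the script matches a bait name either as the whole file name or as the name with its last extension stripped, and uses the MZ header to tell a PE image from any other file; the share directory it scans is a temporary directory it builds itself from constructed files.

```python
import os
import tempfile

# Bait names from the list above, compared case-insensitively.
BAIT_NAMES = {n.lower() for n in (
    "NetObjects Fusion v7.5", "Macromedia Studio MX 2004 AllApps", "BearShare Pro 4.3.0",
    "Borland C++ BuilderX 1.0 Enterprise Edition", "Microsoft Office System Professional V2003",
    "Halo FLT", "Nero Burning ROM v6.0.0.19 Ultra Edition", "TVTool v8.31", "NHL 2004",
    "Norton SystemWorks 2004", "McAfee Personal Firewall Plus 2004", "iMesh 4.2 Ad Remover",
    "Norton AntiVirus 2004", "Norton Antispam 2004", "Sophos AntiVirus v3.74",
    "Macromedia Contribute 2", "McAfee VirusScan Home Edition 2004", "McAfee SpamKiller 2004",
)}


def is_pe_image(path):
    """True when the file starts with the MZ DOS header that every Windows PE image carries."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def scan_share_dir(directory):
    """Return (file name, reason) pairs for files in directory whose name is a bait name.
    The name is matched both whole and with its last extension stripped: the worm's
    extension is not documented above, and "NetObjects Fusion v7.5" has no extension at all
    (splitext would otherwise treat ".5" as one)."""
    findings = []
    for entry in os.scandir(directory):
        if not entry.is_file():
            continue
        whole = entry.name.lower()
        stem = os.path.splitext(whole)[0]
        if whole in BAIT_NAMES or stem in BAIT_NAMES:
            if is_pe_image(entry.path):
                reason = "bait name and PE header"
            else:
                reason = "bait name, not a PE file: review"
            findings.append((entry.name, reason))
    return findings


def build_demo_share():
    """Create a temporary directory laid out like a P2P shared folder; every file is constructed."""
    d = tempfile.mkdtemp(prefix="p2pshare_")
    files = {
        "Norton AntiVirus 2004.exe": b"MZ" + b"\0" * 62,   # bait name carrying a PE header
        "NHL 2004.exe": b"not a PE file",                   # bait name, wrong magic
        "NetObjects Fusion v7.5": b"MZ" + b"\0" * 62,       # bait name with no extension
        "holiday.mp3": b"ID3" + b"\0" * 16,                 # ordinary shared file
    }
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d


if __name__ == "__main__":
    for name, reason in sorted(scan_share_dir(build_demo_share())):
        print("%-28s %s" % (name, reason))
```

On a real machine point scan_share_dir at each client's configured download or shared directory; the page does not list those paths, and they differ per client and version, so they are not hard-coded here.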