Torvil.B

Classification

Malware

-

-

Torvil.B, Torvil, Torvil.B, Torvel

Summary

The Torvil worm packages a really broad set of features. It's capable of spreading though several different media like, P2P network, newsgroups, email, IRC and local networks.

Removal

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Find out more

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

The Torvil worm was programmed in Delphi and packed with ASPack.

System installation.

The worm copies itself to different locations depending on internal variables. Possible locations are:

%WinDir%\spool[variable string].exe
%WinDir%\SMSS[variable string].exe
%WinDir%\svchost.exe
 

It will create the following entry in the Windows' registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service Host]
 

which will point to one of the two first files given in the previous list (whichever happens to be created by the worm).

And will modify the entry (if existing):

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell]
 

To reference the worm's executable (the same as in the previous registry key).

It will store a database with its own settings at:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\OneLevelDeeper\TorvilDB]
 

Mass-mailing

When composing email, this worm will choose message subjects from the list:

congratulations!
darling
Do not release, its the internal rls!
Documents
Pr0n!
Undeliverable mail--
Returned mail--
here´s a nice Picture
New Internal Rls...
here´s the document
here´s the document you requested
here´s the archive you requested
 

It will use attachment file names from the list:

yourwin.bat
probsolv.doc.pif
flt-xb5.rar.pif
document.doc.pif
sexinthecity.scr
torvil.pif
win$hitrulez.pif
sexy.jpg
flt-ixb23.zip
readit.doc.pif
document1.doc.pif
attachment.zip
 

And will select one of the following bodies:

See the attached file for details.
I have a document attached,
The release file is attached...
Send me your comments.
Real outtakes from Sex in the City!!
Have a look the Pic attached !!
dOnT gIvE iT aWaY...
Here´s the document that you had requested.
That´s the answer to all your questions.
Have a look at the attatchment.
 

The worm will also send messages pretending they had been sent by Microsoft. Those messages will refer to patches or security fixes and will have a content similar to:

Body:

Who should read this bulletin: Users running Microsoft ® Windows ®
All Products | All Updates | Support | Search | microsoft.com

 Hello,

 You should apply this fix which solves the newest

 Internet Explorer Vulnerability described in MS05-023.

 It is important that you apply this fix now since

 we estimate the Buffer Overflow is at a Critical Level.

 Sincerely Yours The Microsoft Security Team
e 2003 Microsoft Corporation. All rights reserved.
 

The attachment name will be:

Q723523_W9X_WXP_x86_EN.exe
 

other messages composed by the worm may have the following appearance:

Subject:

Your account at [variable name] has expired.
 

Body:

Hello
We are sorry that we cannot offer our "old" service
anymore.
Your account will expire at the 2003-11-23.
But after all, we still offer a freemail service,
which you have to join[link] right now !!!
Our new prices and services are described in the attached html file,
which is a compressed ZIP archive.
Sicerely Yours,
 

Attachment name:

message.zip
 

Spreading in IRC

The worm will attempt to send itself to other users on the IRC channels.

Spreading in Local Network

When trying to gain access to computers in the local network the worm will use passwords form the list:

23523
654321
54321
KKKKKKK
5201314
zxcv
yxcv
xxx
xp
test
pw
pwd
temp
pass
passwd
password
sql
database
admin
root
secret
oracle
sybase
server
computer
Internet
super
user
manager
mypass
mypc
security
public
private
login
love
default
enable
god
guest
home
qwer
qwe
abcd
abc
asdf
asdfgh
alpha
!@#$
!@#$%
!@#$%^
!@#$%^&
!@#$%^&*
!@#$%^&*(
!@#$%^&*()
 

Newsgroups

It will contact news servers from the list:

alpha.webusenet.com
baldrick.blic.net
baracka.rz.uni-augsburg.de
bbsnews.ndhu.edu.tw
beech.fernuni-hagen.de
bias.ipc.uni-tuebingen.de
bossix.informatik.uni-kiel.de
butthead.cybertrails.com
cabale.usenet-fr.net
ccnews.thu.edu.tw
cdr.nord.net
corp.newsgroups.com
corp-binaries.newsgroups.com
davide.msoft.it
demonews.mindspring.com
dogwood.fernuni-hagen.de
dp-news.maxwell.syr.edu
etel.ru
forums.novell.com
freebsd.csie.nctu.edu.tw
frmug.org
ftp.tomica.ru
globo.edinfor.pt
grapevine.lcs.mit.edu
grieg.uol.com.br
htsrv.attack.ru
hub1.meganetnews.com
info.rgv.net
info.tsu.ru
info4.uni-rostock.de
infosun2.rus.uni-stuttgart.de
inx3.inx.net
isgnt5.netnow.net
lord.usenet-edu.net
msnews.microsoft.com
natasha.ncag.edu
netnews.de
news.abcs.com
news.ajou.ac.kr
news.aktrad.ru
news.aoc.gov
news.avcinc.com
news.avicenna.com
news.beta.kz
news.bsi.net.pl
news.caiwireless2.com
news.caravan.ru
news.caribsurf.com
news.cat.net.th
news.cdpa.nsysu.edu.tw
news.cell.ru
news.cofc.edu
news.coli.uni-sb.de
news.com2com.ru
news.comtel.ru
news.corvis.ru
news.cs.nthu.edu.tw
news.cs.tu-berlin.de
news.datast.net
news.deakin.edu.au
news.detnet.com
news.discom.net
news.dma.be
news.dna.affrc.go.jp
news.dsuper.net
news.emn.fr
news.enet.ru
news.freenet.de
news.fwi.com
news.fxalert.com
news.gamma.ru
news.gcip.net
news.gdbnet.ad.jp
news.globalpac.com
news.hanyang.ac.kr
news.htwm.de
news.ind.mh.se
news.inet.gr
news.informatik.uni-bremen.de
news.infotecs.ru
news.intel.com
news.invarnet.inwar.com.pl
news.isu.edu.tw
news.itcanada.com
news.jerseycape.net
news.kiev.sovam.com
news.konkuk.ac.kr
news.krs.ru
news.leivo.ru
news.lit.ru
news.louisa.net
news.lsumc.edu
news.lucky.net
news.man.torun.pl
news.math.cinvestav.mx
news.matnet.com
news.maxnet.ru
news.mc.ntu.edu.tw
news.mindvision.com.au
news.ncue.edu.tw
news.netcarrier.com
news.netdor.com
news.nchu.edu.tw
news.nsysu.edu.tw
news.odata.se
news.online.de
news.phoenixsoftware.com
news.portal.ru
news.primacom.net
news.ramlink.net
news.read.kpnqwest.net
news.readfreenews.net
news.reference.com
news.ripco.com
news.ruhr-uni-bochum.de
news.savvis.net
news.sexzilla.com
news.solaris.ru
news.spiceroad.ne.jp
news.srv.cquest.utoronto.ca
news.sti.com.br
news.tehnicom.net
news.teleglobe.net
news.telepassport.de
news.terra-link.com
news.tln.lib.mi.us
news.tohgoku.or.jp
news.triax.com
news.ttnet.net.tr
news.tu-ilmenau.de
news.udel.edu
news.uncensored-news.com
news.uni-duisburg.de
news.uni-erlangen.de
news.uni-hohenheim.de
news.uni-mannheim.de
news.uni-rostock.de
news.uni-stuttgart.de
news.unitel.co.kr
news.univ-nantes.fr
news.utb.edu
news01.uni-trier.de
news1.sinica.edu.tw
news2.new-york.net
news4.euro.net
news4.odn.ne.jp
news4.uncensored-news.com
news-archive2.icm.edu.pl
newscache0.freenet.de
newscache1.freenet.de
newscache2.freenet.de
newscache3.freenet.de
newscache4.freenet.de
newscache5.freenet.de
pubnews.gradwell.net
regulus.its.deakin.edu.au
service.symantec.com
snews.apol.com.tw
supern2.lnk.telstra.net
tabloid.uwaterloo.ca
www.usenet.pl
 

P2P spreading

Torvil also copies itself to shared folders of popular the P2P clients Xolox, Kazaa and eDonkey.

When spreading through P2P software, it will copy itself to the folders of P2P applications under the names of popular software form the following list:

NetObjects Fusion v7.5
Macromedia Studio MX 2004 AllApps
BearShare Pro 4.3.0
Borland C++ BuilderX 1.0 Enterprise Edition
Microsoft Office System Professional V2003
Halo FLT
Nero Burning ROM v6.0.0.19 Ultra Edition
TVTool v8.31
NHL 2004
Norton SystemWorks 2004
McAfee Personal Firewall Plus 2004
iMesh 4.2 Ad Remover
Norton AntiVirus 2004
Norton Antispam 2004
Sophos AntiVirus v3.74
Macromedia Contribute 2
McAfee VirusScan Home Edition 2004
McAfee SpamKiller 2004
 

Date Created: -

Date Last Modified: -