W32/Torvil.b@MM

Content

W32/Torvil.b@MM

Type: Virus
SubType: Internet Worm
Discovery Date: 10/13/2003
Length: 75,783 bytes
Minimum DAT: 4298 (10/15/2003)
Updated DAT: 4298 (10/15/2003)
Minimum Engine: 5.1.00
Description Added: 11/04/2003
Description Modified: 11/04/2003 4:49 PM (PT)

Risk Assessment

Corporate User: Low
Home User: Low

Tab Navigation

Characteristics

This threat is detected as New Malware.b with the 4250-4297 DAT files when scanning compressed executables with program heuristics enabled.

This mass-mailing worm spreads via email, open fileshares, P2P sharing applications, Internet Relay Chat, and Usenet newsgroups. It also attempts to terminate security software, and exploits the MS02-015 vulnerability.

The virus may be received in an email message with a wide variety of subject lines, message bodies, and attachment names. The from address may be spoofed, or forged. One message appears as follows:

From: security@microsoft.com

All Products | All Updates | Support | Search | microsoft.comHello,You should apply this fix which solves the newestInternet Explorer Vulnerability described in MS05-023.It is important that you apply � 2003 Microsoft Corporation. All rights reserved.

Attachment: Q723523_W9X_WXP_x86_EN.exe

The following is a list of possible attachment names:

attachment.zip
document.doc.pif
document1.doc.pif
flt-ixb23.zip
flt-xb5.rar.pif
message.zip
probsolv.doc.pif
Q723523_W9X_WXP_x86_EN.exe
readit.doc.pif
sexinthecity.scr
sexy.jpg
torvil.pif
win$hitrulez.pif
yourwin.bat

When the attachment is run, a dialog box is displayed.

If the Exit button is pressed, the virus installs itself and the box goes away. If the Patch button is pressed, an installation simulation occurs, followed by another message box.

The virus copies itself to the WINDOWS directory using the name spool or smss followed by 2 random characters, followed by .exe. A registry key is created to load that file at startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run "Service Host" = %WinDir%\spool (random characters) .exe

A WIN.INI run key is created to load the worm as well. On WinNT/2K/XP this results in the following key getting set:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = Explorer.exe spool (random characters) .exe

The worm installs itself as a service with the following parameters:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
TORVIL
- DisplayName = Torvil
- ImagePath = (path to worm) -s

Registry changes may be made to automatically execute the worm each time a .bat, .cmd, .com, .exe, .pif, or .scr file is run.

HKEY_CLASSES_ROOT\batfile\shell\open\command "(Default)" = C:\WINNT\svchost.exe "%1" %*
HKEY_CLASSES_ROOT\cmdfile\shell\open\command "(Default)" = C:\WINNT\svchost.exe "%1" %*
HKEY_CLASSES_ROOT\comfile\shell\open\command "(Default)" = C:\WINNT\svchost.exe "%1" %*
HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)" = C:\WINNT\svchost.exe "%1" %*
HKEY_CLASSES_ROOT\piffile\shell\open\command "(Default)" = C:\WINNT\svchost.exe "%1" %*
HKEY_CLASSES_ROOT\scrfile\shell\open\command "(Default)" = C:\WINNT\svchost.exe "%1" /S

An additional registry key is created for the worm to track its progress.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Explorer\Advanced\OneLevelDeeper

Two files are created in the Windows directory for the worm to use when spreading:

message.dat (89,682 bytes) MIME encoded virus body
message.htm (90,499 bytes) MIME encoded virus body appended with MS02-015 exploit code

The virus saves many copies of itself to a hidden directory named:
MSTORVIL within the Windows directory. Filenames contained in this directory. Various extensions (.EXE, .PIF, .SCR) may be appended to filenames used during this process.

The virus body contains the following filenames:

BearShare Pro 4.3.0
Borland C++ BuilderX 1.0 Enterprise Edition
Dragon NaturallySpeaking 8 ISO Multilanguage
Half Life 2
Half Life 2 beta patch2
Halo.exe
iMesh 4.2 Ad Remover.
Macromedia Contribute
Macromedia Studio MX 2004 AllApps
McAfee Personal Firewall Plus 2004
McAfee SpamKiller 2004
McAfee VirusScan Home Edition 2004
Microsoft Office System Professional V2003
Nero Burning ROM v6.0.0.19 Ultra Edition
NetObjects Fusion v7.5
NHL 2004
Norton Antispam 2004
Norton AntiVirus 2004
Norton SystemWorks 2004
Sophos AntiVirus v3.74
TVTool v8.31

These names are followed by one of the following when saved to disk:
- Keygen.exe
- Crack.exe

Dropped .HTM files contain MIME encoded copies of the worm, followed by Exploit-CodeBase code to automatically execute the virus when a file is accessed on an unpatched system.

Spreading Via Email
The worm sends itself to email addresses harvested from files containing the following strings:

ABD
DAT
DBX
DOC
DOT
EML
HTM
HTML
INBOX
MAI
MBX
MHT
MMF
NCH
ODS
PHP
PST
RTF
TBB
WAB

It uses MAPI to retrieve information stored in exiting messages, and references the Outlook Express stationary, possibly to alter the default stationary, setting it to a dropped message.htm file containing the worm. It also contains its own SMTP engine to send messages.

Spreading Via Fileshares
The worm attempts to gain access to remote systems through the following shares

c$
d$
admin$
IPC$
print$

The following passwords are used in an attempt to gain access

23523
54321
654321
5201314
!@#$
!@#$%
!@#$%^
!@#$%^&
!@#$%^&*
!@#$%^&*(
!@#$%^&*()
abc
abcd
admin
alpha
asdf
asdfgh
computer
database
default
enable
god
guest
home
Internet
KKKKKKK
login
love
manager
mypass
mypc
oracle
pass
passwd
password
private
public
pw
pwd
qwe
qwer
root
secret
security
server
sql
super
sybase
temp
test
user
win95
win98
windows
winnt
winxp
xp
xxx
yxcv
zxcv

The worm calls the NetScheduleJob API to create a scheduled task remotely; executing itself on the target system remotely.

Spreading Via P2P Applications
The worm copies itself to the Xolo, KaZaa, and eDonkey2000 shared directories.

Spreading Via IRC
The worm overwrites the mIRC.INI file to send itself to users who join the same channel as the infected user.

Spreading Via Usenet
The worm carries a long list of Usenet newsgroups and server names, which it uses to post infectious messages to.

alpha.webusenet.com
alt.destroy.microsoft
alt.news.microsoft
baldrick.blic.net
baracka.rz.uni-augsburg.de
bbsnews.ndhu.edu.tw
beech.fernuni-hagen.de
bias.ipc.uni-tuebingen.de
bossix.informatik.uni-kiel.de
butthead.cybertrails.com
cabale.usenet-fr.net
ccnews.thu.edu.tw
cdr.nord.net
corp.newsgroups.com
corp-binaries.newsgroups.com
davide.msoft.it
demonews.mindspring.com
dogwood.fernuni-hagen.de
dp-news.maxwell.syr.edu
etel.ru
forums.novell.com
freebsd.csie.nctu.edu.tw
frmug.org
ftp.tomica.ru
globo.edinfor.pt
grapevine.lcs.mit.edu
grieg.uol.com.br
htsrv.attack.ru
hub1.meganetnews.com
info.rgv.net
info.tsu.ru
info4.uni-rostock.de
infosun2.rus.uni-stuttgart.de
inx3.inx.net
isgnt5.netnow.net
lord.usenet-edu.net
microsoft.public.win32.programmer.gdi
msnews.microsoft.com
natasha.ncag.edu
netnews.de
news.abcs.com
news.ajou.ac.kr
news.aktrad.ru
news.aoc.gov
news.avcinc.com
news.avicenna.com
news.beta.kz
news.bsi.net.pl
news.caiwireless2.com
news.caravan.ru
news.caribsurf.com
news.cat.net.th
news.cdpa.nsysu.edu.tw
news.cell.ru
news.cofc.edu
news.coli.uni-sb.de
news.com2com.ru
news.comtel.ru
news.corvis.ru
news.cs.nthu.edu.tw
news.cs.tu-berlin.de
news.datast.net
news.deakin.edu.au
news.detnet.com
news.discom.net
news.dma.be
news.dna.affrc.go.jp
news.dsuper.net
news.emn.fr
news.enet.ru
news.freenet.de
news.fwi.com
news.fxalert.com
news.gamma.ru
news.gcip.net
news.gdbnet.ad.jp
news.globalpac.com
news.hanyang.ac.kr
news.htwm.de
news.ind.mh.se
news.inet.gr
news.informatik.uni-bremen.de
news.infotecs.ru
news.intel.com
news.invarnet.inwar.com.pl
news.isu.edu.tw
news.itcanada.com
news.jerseycape.net
news.kiev.sovam.com
news.konkuk.ac.kr
news.krs.ru
news.leivo.ru
news.lit.ru
news.louisa.net
news.lsumc.edu
news.lucky.net
news.man.torun.pl
news.math.cinvestav.mx
news.matnet.com
news.maxnet.ru
news.mc.ntu.edu.tw
news.mindvision.com.au
news.nchu.edu.tw
news.ncue.edu.tw
news.netcarrier.com
news.netdor.com
news.nsysu.edu.tw
news.odata.se
news.online.de
news.phoenixsoftware.com
news.portal.ru
news.primacom.net
news.ramlink.net
news.read.kpnqwest.net
news.readfreenews.net
news.reference.com
news.ripco.com
news.ruhr-uni-bochum.de
news.savvis.net
news.sexzilla.com
news.solaris.ru
news.spiceroad.ne.jp
news.srv.cquest.utoronto.ca
news.sti.com.br
news.tehnicom.net
news.teleglobe.net
news.telepassport.de
news.terra-link.com
news.tln.lib.mi.us
news.tohgoku.or.jp
news.triax.com
news.ttnet.net.tr
news.tu-ilmenau.de
news.udel.edu
news.uncensored-news.com
news.uni-duisburg.de
news.uni-erlangen.de
news.uni-hohenheim.de
news.uni-mannheim.de
news.uni-rostock.de
news.uni-stuttgart.de
news.unitel.co.kr
news.univ-nantes.fr
news.utb.edu
news01.uni-trier.de
news1.sinica.edu.tw
news2.new-york.net
news4.euro.net
news4.odn.ne.jp
news4.uncensored-news.com
news-archive2.icm.edu.pl
newscache0.freenet.de
newscache1.freenet.de
newscache2.freenet.de
newscache3.freenet.de
newscache4.freenet.de
newscache5.freenet.de
pubnews.gradwell.net
regulus.its.deakin.edu.au
service.symantec.com
snews.apol.com.tw
supern2.lnk.telstra.net
tabloid.uwaterloo.ca
www.usenet.pl

Symptoms

The worm keeps a log file of its actions, c:\torvil.log

The virus attempts to terminate running processes that contain the following process names:

_AVP32
_AVPCC
_AVPM
ACKWIN32
ADVXDWIN
AGENTW
ALERTSVC
ALOGSERV
ALOGSERV
AMON9X
ANTI-TROJAN
ANTIVIR
ANTS
APVXDWIN
APVXDWIN
ATCON
ATRACK
ATUPDATER
ATWATCH
AUTODOWN
AUTO-PROTECT
AUTOTRACE
AVCONSOL
AVE32
AVGCC32
AVGCTRL
AVGSERV
AVGSERV9
AVGW
AVKPOP
AVKSERV
AVKSERVICE
AVKWCTL9
AVP
AVP32
AVPM
AVPTC
AVPUPD
AVSCHED32
AVSYNMGR
AVWIN95
AVWINNT
AVXMONITOR9X
AVXMONITORNT
AVXQUAR
AVXQUAR
AVXW
BLACKD
BLACKICE
CCEVTMGR
CCPWDSVC
CCSETMGR
CDP
CFGWIZ
CFINET
CLAW95
CLAW95CF
CLEANER
CLEANER3
CMGRDIAN
CONNECTIONMONITOR
CPD
CPDClNT
CTRL
DEFALERT
DEFSCANGUI
DEFWATCH
DOORS
DVP95_0
DVP95
EFPEADM
ETRUSTCIPE
EVPN
EXPERT
F-AGNT95
FAMEH32
FCH32
FIH32
FIREWAL
FNRB32
F-PROT
F-PROT95
FP-WIN
FRW
FSAA
FSAV32
FSGK32
FSM32
FSMA32
FSMB32
F-STOPW
GBMENU
GBPOLL
GBPOLL
GENERICS
GUARD
GUARDDOG
IAMAPP
IAMSERV
IAMSTATS
ICLOAD95
ICLOADNT
ICMON
ICSUPP95
ICSUPPNT
IFACE
IOMON98
ISRV95
JEDI
LDNETMON
LDPROMENU
LDSCAN
LOCKDOWN
LOCKDOWN2000
LUALL
LUCOM
LUSPT
MCAGENT
MCMNHDLR
MCSHIELD
MCTOOL
MCUPDATE
MCVSRTE
MCVSSHLD
MGAVRTCL
MGAVRTE
MGHTML
MINILOG
MONITOR
MOOLIVE
MPFAGENT
MPFSERVICE
MPFTRAY
MWATCH
N32SCANW
NAV
NAVAP
NAVAPSVC
NAVAPW32
NAVENGNAVEX15
NAVENGNAVEX15
NAVLU32
NAVRUNR
NAVW32
NAVWNT
NDD32
NEOWATCHLOG
NETUTILS
NISSERV
NISUM
NMAIN
NOD32
NORMIST
NOTSTART
NPROTECT
NPSCHECK
NPSSVC
NRESQ32
NSCHED32
NSCHEDNT
NSPLUGIN
NTRTSCAN
NTVDM
NTXcONFIG
Nui
NUPGRADE
NVC95
NVSVC32
NWSERVICE
NWTOOL16
PADMIN
PAVPROXY
PCCIOMON
PCCMAIN
PCCNTMON
PCCWIN97
PCCWIN98
PCFWALLICON
PCSCAN
PERSFW
PERSWF
POP3TRAP
POPROXY
PORTMONITOR
PROCESSMONITOR
PROGRAMAUDITOR
PVIEW95
RAPAPP
RAV7
RAV7WIN
REALMON
RESCUE
RTVSCN95
RULAUNCH
SAFEWEB
SAVSCAN
SBSERV
SCAN32
SCRSCAN
SMC
SPHINX
SPYXX
SS3EDIT
SWEEP95
SWEEPNET
SWEEPSRV
SWNETSUP
SymProxySvc
SYMTRAY
TAUMON
TCA
TCM
TDS2-98
TDS2-NT
TDS-3
TFAK
TMNTSRV
VBCMSERV
VBCONS
VET32
VET95
VETTRAY
VIR-HELP
VPC32
VPTRAY
VSCHED
VSECOMR
VSHWIN32
VSMAIN
VSMON
VSSTAT
WATCHDOG
WEBSCANX
WEBTRAP
WGFE95
WIMMUN32
WRADMIN
WRCTRL
WRCTRL
ZAPRO
ZONEALARM

Method of Infection

The worm spreads via MAPI email, SMTP email, open fileshares, Usenet, mIRC, ICQ, Xolo, KaZaa, and eDonkey2000.

The worm carries a list of DNS server addresses.

152.163.159.232
193.189.233.45
149.174.211.8
64.12.51.132
216.109.116.17
193.189.231.2

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

I-Worm.Torvil.b (AVP)

W32.HLLW.Torvel.B@mm (Symantec)

W32/Torvil-B (Sophos)

W32/Torvil.B (F-Secure)

Characteristics

Characteristics -

This threat is detected as New Malware.b with the 4250-4297 DAT files when scanning compressed executables with program heuristics enabled.

The virus may be received in an email message with a wide variety of subject lines, message bodies, and attachment names. The from address may be spoofed, or forged. One message appears as follows:

From: security@microsoft.com

Attachment: Q723523_W9X_WXP_x86_EN.exe

The following is a list of possible attachment names:

attachment.zip
document.doc.pif
document1.doc.pif
flt-ixb23.zip
flt-xb5.rar.pif
message.zip
probsolv.doc.pif
Q723523_W9X_WXP_x86_EN.exe
readit.doc.pif
sexinthecity.scr
sexy.jpg
torvil.pif
win$hitrulez.pif
yourwin.bat

When the attachment is run, a dialog box is displayed.

If the Exit button is pressed, the virus installs itself and the box goes away. If the Patch button is pressed, an installation simulation occurs, followed by another message box.

The virus copies itself to the WINDOWS directory using the name spool or smss followed by 2 random characters, followed by .exe. A registry key is created to load that file at startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run "Service Host" = %WinDir%\spool (random characters) .exe

A WIN.INI run key is created to load the worm as well. On WinNT/2K/XP this results in the following key getting set:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = Explorer.exe spool (random characters) .exe

The worm installs itself as a service with the following parameters:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
TORVIL
- DisplayName = Torvil
- ImagePath = (path to worm) -s

Registry changes may be made to automatically execute the worm each time a .bat, .cmd, .com, .exe, .pif, or .scr file is run.

HKEY_CLASSES_ROOT\batfile\shell\open\command "(Default)" = C:\WINNT\svchost.exe "%1" %*
HKEY_CLASSES_ROOT\cmdfile\shell\open\command "(Default)" = C:\WINNT\svchost.exe "%1" %*
HKEY_CLASSES_ROOT\comfile\shell\open\command "(Default)" = C:\WINNT\svchost.exe "%1" %*
HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)" = C:\WINNT\svchost.exe "%1" %*
HKEY_CLASSES_ROOT\piffile\shell\open\command "(Default)" = C:\WINNT\svchost.exe "%1" %*
HKEY_CLASSES_ROOT\scrfile\shell\open\command "(Default)" = C:\WINNT\svchost.exe "%1" /S

An additional registry key is created for the worm to track its progress.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Explorer\Advanced\OneLevelDeeper

Two files are created in the Windows directory for the worm to use when spreading:

message.dat (89,682 bytes) MIME encoded virus body
message.htm (90,499 bytes) MIME encoded virus body appended with MS02-015 exploit code

The virus body contains the following filenames:

BearShare Pro 4.3.0
Borland C++ BuilderX 1.0 Enterprise Edition
Dragon NaturallySpeaking 8 ISO Multilanguage
Half Life 2
Half Life 2 beta patch2
Halo.exe
iMesh 4.2 Ad Remover.
Macromedia Contribute
Macromedia Studio MX 2004 AllApps
McAfee Personal Firewall Plus 2004
McAfee SpamKiller 2004
McAfee VirusScan Home Edition 2004
Microsoft Office System Professional V2003
Nero Burning ROM v6.0.0.19 Ultra Edition
NetObjects Fusion v7.5
NHL 2004
Norton Antispam 2004
Norton AntiVirus 2004
Norton SystemWorks 2004
Sophos AntiVirus v3.74
TVTool v8.31

These names are followed by one of the following when saved to disk:
- Keygen.exe
- Crack.exe

Dropped .HTM files contain MIME encoded copies of the worm, followed by Exploit-CodeBase code to automatically execute the virus when a file is accessed on an unpatched system.

Spreading Via Email
The worm sends itself to email addresses harvested from files containing the following strings:

ABD
DAT
DBX
DOC
DOT
EML
HTM
HTML
INBOX
MAI
MBX
MHT
MMF
NCH
ODS
PHP
PST
RTF
TBB
WAB

Spreading Via Fileshares
The worm attempts to gain access to remote systems through the following shares

c$
d$
admin$
IPC$
print$

The following passwords are used in an attempt to gain access

23523
54321
654321
5201314
!@#$
!@#$%
!@#$%^
!@#$%^&
!@#$%^&*
!@#$%^&*(
!@#$%^&*()
abc
abcd
admin
alpha
asdf
asdfgh
computer
database
default
enable
god
guest
home
Internet
KKKKKKK
login
love
manager
mypass
mypc
oracle
pass
passwd
password
private
public
pw
pwd
qwe
qwer
root
secret
security
server
sql
super
sybase
temp
test
user
win95
win98
windows
winnt
winxp
xp
xxx
yxcv
zxcv

The worm calls the NetScheduleJob API to create a scheduled task remotely; executing itself on the target system remotely.

Spreading Via P2P Applications
The worm copies itself to the Xolo, KaZaa, and eDonkey2000 shared directories.

Spreading Via IRC
The worm overwrites the mIRC.INI file to send itself to users who join the same channel as the infected user.

Spreading Via Usenet
The worm carries a long list of Usenet newsgroups and server names, which it uses to post infectious messages to.

alpha.webusenet.com
alt.destroy.microsoft
alt.news.microsoft
baldrick.blic.net
baracka.rz.uni-augsburg.de
bbsnews.ndhu.edu.tw
beech.fernuni-hagen.de
bias.ipc.uni-tuebingen.de
bossix.informatik.uni-kiel.de
butthead.cybertrails.com
cabale.usenet-fr.net
ccnews.thu.edu.tw
cdr.nord.net
corp.newsgroups.com
corp-binaries.newsgroups.com
davide.msoft.it
demonews.mindspring.com
dogwood.fernuni-hagen.de
dp-news.maxwell.syr.edu
etel.ru
forums.novell.com
freebsd.csie.nctu.edu.tw
frmug.org
ftp.tomica.ru
globo.edinfor.pt
grapevine.lcs.mit.edu
grieg.uol.com.br
htsrv.attack.ru
hub1.meganetnews.com
info.rgv.net
info.tsu.ru
info4.uni-rostock.de
infosun2.rus.uni-stuttgart.de
inx3.inx.net
isgnt5.netnow.net
lord.usenet-edu.net
microsoft.public.win32.programmer.gdi
msnews.microsoft.com
natasha.ncag.edu
netnews.de
news.abcs.com
news.ajou.ac.kr
news.aktrad.ru
news.aoc.gov
news.avcinc.com
news.avicenna.com
news.beta.kz
news.bsi.net.pl
news.caiwireless2.com
news.caravan.ru
news.caribsurf.com
news.cat.net.th
news.cdpa.nsysu.edu.tw
news.cell.ru
news.cofc.edu
news.coli.uni-sb.de
news.com2com.ru
news.comtel.ru
news.corvis.ru
news.cs.nthu.edu.tw
news.cs.tu-berlin.de
news.datast.net
news.deakin.edu.au
news.detnet.com
news.discom.net
news.dma.be
news.dna.affrc.go.jp
news.dsuper.net
news.emn.fr
news.enet.ru
news.freenet.de
news.fwi.com
news.fxalert.com
news.gamma.ru
news.gcip.net
news.gdbnet.ad.jp
news.globalpac.com
news.hanyang.ac.kr
news.htwm.de
news.ind.mh.se
news.inet.gr
news.informatik.uni-bremen.de
news.infotecs.ru
news.intel.com
news.invarnet.inwar.com.pl
news.isu.edu.tw
news.itcanada.com
news.jerseycape.net
news.kiev.sovam.com
news.konkuk.ac.kr
news.krs.ru
news.leivo.ru
news.lit.ru
news.louisa.net
news.lsumc.edu
news.lucky.net
news.man.torun.pl
news.math.cinvestav.mx
news.matnet.com
news.maxnet.ru
news.mc.ntu.edu.tw
news.mindvision.com.au
news.nchu.edu.tw
news.ncue.edu.tw
news.netcarrier.com
news.netdor.com
news.nsysu.edu.tw
news.odata.se
news.online.de
news.phoenixsoftware.com
news.portal.ru
news.primacom.net
news.ramlink.net
news.read.kpnqwest.net
news.readfreenews.net
news.reference.com
news.ripco.com
news.ruhr-uni-bochum.de
news.savvis.net
news.sexzilla.com
news.solaris.ru
news.spiceroad.ne.jp
news.srv.cquest.utoronto.ca
news.sti.com.br
news.tehnicom.net
news.teleglobe.net
news.telepassport.de
news.terra-link.com
news.tln.lib.mi.us
news.tohgoku.or.jp
news.triax.com
news.ttnet.net.tr
news.tu-ilmenau.de
news.udel.edu
news.uncensored-news.com
news.uni-duisburg.de
news.uni-erlangen.de
news.uni-hohenheim.de
news.uni-mannheim.de
news.uni-rostock.de
news.uni-stuttgart.de
news.unitel.co.kr
news.univ-nantes.fr
news.utb.edu
news01.uni-trier.de
news1.sinica.edu.tw
news2.new-york.net
news4.euro.net
news4.odn.ne.jp
news4.uncensored-news.com
news-archive2.icm.edu.pl
newscache0.freenet.de
newscache1.freenet.de
newscache2.freenet.de
newscache3.freenet.de
newscache4.freenet.de
newscache5.freenet.de
pubnews.gradwell.net
regulus.its.deakin.edu.au
service.symantec.com
snews.apol.com.tw
supern2.lnk.telstra.net
tabloid.uwaterloo.ca
www.usenet.pl

Symptoms

Symptoms -

The worm keeps a log file of its actions, c:\torvil.log

The virus attempts to terminate running processes that contain the following process names:

_AVP32
_AVPCC
_AVPM
ACKWIN32
ADVXDWIN
AGENTW
ALERTSVC
ALOGSERV
ALOGSERV
AMON9X
ANTI-TROJAN
ANTIVIR
ANTS
APVXDWIN
APVXDWIN
ATCON
ATRACK
ATUPDATER
ATWATCH
AUTODOWN
AUTO-PROTECT
AUTOTRACE
AVCONSOL
AVE32
AVGCC32
AVGCTRL
AVGSERV
AVGSERV9
AVGW
AVKPOP
AVKSERV
AVKSERVICE
AVKWCTL9
AVP
AVP32
AVPM
AVPTC
AVPUPD
AVSCHED32
AVSYNMGR
AVWIN95
AVWINNT
AVXMONITOR9X
AVXMONITORNT
AVXQUAR
AVXQUAR
AVXW
BLACKD
BLACKICE
CCEVTMGR
CCPWDSVC
CCSETMGR
CDP
CFGWIZ
CFINET
CLAW95
CLAW95CF
CLEANER
CLEANER3
CMGRDIAN
CONNECTIONMONITOR
CPD
CPDClNT
CTRL
DEFALERT
DEFSCANGUI
DEFWATCH
DOORS
DVP95_0
DVP95
EFPEADM
ETRUSTCIPE
EVPN
EXPERT
F-AGNT95
FAMEH32
FCH32
FIH32
FIREWAL
FNRB32
F-PROT
F-PROT95
FP-WIN
FRW
FSAA
FSAV32
FSGK32
FSM32
FSMA32
FSMB32
F-STOPW
GBMENU
GBPOLL
GBPOLL
GENERICS
GUARD
GUARDDOG
IAMAPP
IAMSERV
IAMSTATS
ICLOAD95
ICLOADNT
ICMON
ICSUPP95
ICSUPPNT
IFACE
IOMON98
ISRV95
JEDI
LDNETMON
LDPROMENU
LDSCAN
LOCKDOWN
LOCKDOWN2000
LUALL
LUCOM
LUSPT
MCAGENT
MCMNHDLR
MCSHIELD
MCTOOL
MCUPDATE
MCVSRTE
MCVSSHLD
MGAVRTCL
MGAVRTE
MGHTML
MINILOG
MONITOR
MOOLIVE
MPFAGENT
MPFSERVICE
MPFTRAY
MWATCH
N32SCANW
NAV
NAVAP
NAVAPSVC
NAVAPW32
NAVENGNAVEX15
NAVENGNAVEX15
NAVLU32
NAVRUNR
NAVW32
NAVWNT
NDD32
NEOWATCHLOG
NETUTILS
NISSERV
NISUM
NMAIN
NOD32
NORMIST
NOTSTART
NPROTECT
NPSCHECK
NPSSVC
NRESQ32
NSCHED32
NSCHEDNT
NSPLUGIN
NTRTSCAN
NTVDM
NTXcONFIG
Nui
NUPGRADE
NVC95
NVSVC32
NWSERVICE
NWTOOL16
PADMIN
PAVPROXY
PCCIOMON
PCCMAIN
PCCNTMON
PCCWIN97
PCCWIN98
PCFWALLICON
PCSCAN
PERSFW
PERSWF
POP3TRAP
POPROXY
PORTMONITOR
PROCESSMONITOR
PROGRAMAUDITOR
PVIEW95
RAPAPP
RAV7
RAV7WIN
REALMON
RESCUE
RTVSCN95
RULAUNCH
SAFEWEB
SAVSCAN
SBSERV
SCAN32
SCRSCAN
SMC
SPHINX
SPYXX
SS3EDIT
SWEEP95
SWEEPNET
SWEEPSRV
SWNETSUP
SymProxySvc
SYMTRAY
TAUMON
TCA
TCM
TDS2-98
TDS2-NT
TDS-3
TFAK
TMNTSRV
VBCMSERV
VBCONS
VET32
VET95
VETTRAY
VIR-HELP
VPC32
VPTRAY
VSCHED
VSECOMR
VSHWIN32
VSMAIN
VSMON
VSSTAT
WATCHDOG
WEBSCANX
WEBTRAP
WGFE95
WIMMUN32
WRADMIN
WRCTRL
WRCTRL
ZAPRO
ZONEALARM

Method of Infection

Method of Infection -

The worm spreads via MAPI email, SMTP email, open fileshares, Usenet, mIRC, ICQ, Xolo, KaZaa, and eDonkey2000.

The worm carries a list of DNS server addresses.

152.163.159.232
193.189.233.45
149.174.211.8
64.12.51.132
216.109.116.17
193.189.231.2

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A

McAfee > Theat Center > Virus Detail Page

Navigation

Utility Navigation

Content

W32/Torvil.b@MM

Type

SubType

Discovery Date

Length

Minimum DAT

Updated DAT

Minimum Engine

Description Added

Description Modified

Risk Assessment

Tab Navigation

Overview

Aliases

Characteristics

Symptoms

Method of Infection

Removal

Variants

Variants

All Information

Overview -

Aliases

Characteristics

Characteristics -

Symptoms

Symptoms -

Method of Infection

Method of Infection -

Removal -

Removal -

Variants

Variants -

Threat Resources

Footer