The Torvil worm packages a very broad set of features. It is capable of spreading through several different media: P2P networks, newsgroups, email, IRC and local networks.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
The Torvil worm was programmed in Delphi and packed with ASPack.
The worm copies itself to different locations depending on internal variables. Possible locations are:
%WinDir%\spool[variable string].exe
%WinDir%\SMSS[variable string].exe
%WinDir%\svchost.exe
It will create the following entry in the Windows' registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service Host]
which points to whichever of the first two files in the list above the worm created.
It also modifies the following entry, if it exists:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell]
to reference the worm's executable (the same file as in the previous registry key).
It will store a database with its own settings at:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\OneLevelDeeper\TorvilDB]
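The three registry locations above are what a responder would check first on a suspect machine. The following Python snippet is an added example, not code from F-Secure's description: it parses a registry export in .reg syntax and flags the indicators the description gives (the Run\Service Host value, a modified Winlogon Shell, and the TorvilDB key). The export text, the file paths in it, and the file-name heuristic for copies directly under the Windows directory are constructed for the example.

```python
import re

# Constructed sample of a registry export in .reg syntax (not a real capture).
# The paths are illustrative; the key names come from the description.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Service Host"="C:\\WINDOWS\\SMSSa1.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\SMSSa1.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\OneLevelDeeper\TorvilDB]
"x"=dword:00000001
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
TORVILDB_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                r"\Explorer\Advanced\OneLevelDeeper\TorvilDB")

# Heuristic (an assumption of this example): the description says the worm drops
# spool*.exe, SMSS*.exe or svchost.exe directly under %WinDir%, so match a file
# with one of those names sitting one directory below the drive root.
WORM_FILE_RE = re.compile(
    r"^[A-Za-z]:\\[^\\]+\\(spool[^\\]*|SMSS[^\\]*|svchost)\.exe$", re.IGNORECASE)


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: data}}.

    String data is unquoted and unescaped; other types (dword:, hex:) are kept raw.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]*)"=(.*)$', line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def torvil_indicators(keys):
    """Return (key, value_name, reason) for each indicator from the description."""
    hits = []
    service_host = keys.get(RUN_KEY, {}).get("Service Host")
    if service_host is not None:
        reason = "Run\\Service Host value present"
        if WORM_FILE_RE.match(service_host):
            reason += " and points at a worm-style file name"
        hits.append((RUN_KEY, "Service Host", reason))
    shell = keys.get(WINLOGON_KEY, {}).get("Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        hits.append((WINLOGON_KEY, "Shell", f"Winlogon Shell altered: {shell!r}"))
    if TORVILDB_KEY in keys:
        hits.append((TORVILDB_KEY, None, "TorvilDB settings key present"))
    return hits


if __name__ == "__main__":
    for key, name, reason in torvil_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{key}\\{name or ''}: {reason}")
```

On a live Windows host the same checks can be fed from `reg export` output; the parser above only needs the exported text, so it runs equally well on a forensic copy taken from a disk image.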
When composing email, this worm will choose message subjects from the list:
congratulations!
darling
Do not release, its the internal rls!
Documents
Pr0n!
Undeliverable mail--
Returned mail--
here´s a nice Picture
New Internal Rls...
here´s the document
here´s the document you requested
here´s the archive you requested
It will use attachment file names from the list:
yourwin.bat
probsolv.doc.pif
flt-xb5.rar.pif
document.doc.pif
sexinthecity.scr
torvil.pif
win$hitrulez.pif
sexy.jpg
flt-ixb23.zip
readit.doc.pif
document1.doc.pif
attachment.zip
It will select one of the following message bodies:
See the attached file for details.
I have a document attached,
The release file is attached... Send me your comments.
Real outtakes from Sex in the City!!
Have a look the Pic attached !!
dOnT gIvE iT aWaY...
Here´s the document that you had requested.
That´s the answer to all your questions.
Have a look at the attatchment.
The worm also sends messages that pretend to come from Microsoft. These messages refer to patches or security fixes and have content similar to the following:
Body:
Who should read this bulletin: Users running Microsoft ® Windows ® All Products | All Updates | Support | Search | microsoft.com Hello, You should apply this fix which solves the newest Internet Explorer Vulnerability described in MS05-023. It is important that you apply this fix now since we estimate the Buffer Overflow is at a Critical Level. Sincerely Yours The Microsoft Security Team © 2003 Microsoft Corporation. All rights reserved.
The attachment name will be:
Q723523_W9X_WXP_x86_EN.exe
Other messages composed by the worm may look like this:
Subject:
Your account at [variable name] has expired.
Body:
Hello We are sorry that we cannot offer our "old" service anymore. Your account will expire at the 2003-11-23. But after all, we still offer a freemail service, which you have to join[link] right now !!! Our new prices and services are described in the attached html file, which is a compressed ZIP archive. Sicerely Yours,
Attachment name:
message.zip
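The lure subjects, attachment names and fake-patch wording listed above are enough to build a mail-gateway check. The Python below is an added example, not code from F-Secure: it parses raw MIME messages and reports every indicator from the description that a message matches. The MIME samples, the sender and recipient addresses, the subject "Security update" on the fake-patch sample and the double-extension heuristic are constructed assumptions of the example; the subject list follows the editor's reading of the space-separated list in the description.

```python
import re
from email import message_from_string

# Lure subjects and attachment names as listed in the description above.
LURE_SUBJECTS = {
    "congratulations!", "darling", "Do not release, its the internal rls!",
    "Documents", "Pr0n!", "Undeliverable mail--", "Returned mail--",
    "here\u00b4s a nice Picture", "New Internal Rls...", "here\u00b4s the document",
    "here\u00b4s the document you requested", "here\u00b4s the archive you requested",
}
LURE_ATTACHMENTS = {
    "yourwin.bat", "probsolv.doc.pif", "flt-xb5.rar.pif", "document.doc.pif",
    "sexinthecity.scr", "torvil.pif", "win$hitrulez.pif", "sexy.jpg",
    "flt-ixb23.zip", "readit.doc.pif", "document1.doc.pif", "attachment.zip",
    "Q723523_W9X_WXP_x86_EN.exe", "message.zip",
}
# "Your account at [variable name] has expired." with the variable part wildcarded.
ACCOUNT_EXPIRED_RE = re.compile(r"^Your account at .+ has expired\.$")
# Generic heuristic (an assumption of this example, not from the description):
# a document/archive/image name that hides an executable extension.
DOUBLE_EXT_RE = re.compile(r"\.(doc|rar|zip|jpg)\.(pif|scr|bat|exe)$", re.IGNORECASE)
# Phrases from the fake Microsoft bulletin quoted in the description.
FAKE_PATCH_MARKERS = ("Microsoft Security Team", "MS05-023")


def attachment_names(msg):
    """Collect the file names of all attachment parts of a parsed message."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def classify(raw_message):
    """Return the list of reasons a raw RFC 822 message matches the Torvil lures."""
    msg = message_from_string(raw_message)
    reasons = []
    subject = str(msg.get("Subject", "")).strip()
    if subject in LURE_SUBJECTS or ACCOUNT_EXPIRED_RE.match(subject):
        reasons.append(f"subject matches lure: {subject!r}")
    names = attachment_names(msg)
    for name in names:
        if name in LURE_ATTACHMENTS:
            reasons.append(f"attachment name on worm list: {name}")
        elif DOUBLE_EXT_RE.search(name):
            reasons.append(f"double extension hides executable: {name}")
    text = " ".join(
        part.get_payload(decode=True).decode("utf-8", "replace")
        for part in msg.walk() if part.get_content_type() == "text/plain")
    if (all(marker in text for marker in FAKE_PATCH_MARKERS)
            and any(n.lower().endswith(".exe") for n in names)):
        reasons.append("fake Microsoft patch notice with .exe attachment")
    return reasons


def _sample(subject, body, filename):
    """Build a constructed two-part MIME message (test data, not a captured sample)."""
    return (
        "From: sender@example.invalid\r\nTo: user@example.invalid\r\n"
        f"Subject: {subject}\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        f"--b1\r\nContent-Type: text/plain\r\n\r\n{body}\r\n"
        "--b1\r\nContent-Type: application/octet-stream\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n\r\nMZ\r\n'
        "--b1--\r\n"
    )


# Constructed samples: one ordinary lure, one fake-patch notice, one benign mail.
SAMPLE_LURE = _sample("Do not release, its the internal rls!",
                      "The release file is attached... Send me your comments.",
                      "document.doc.pif")
SAMPLE_PATCH = _sample("Security update",
                       "You should apply this fix which solves the newest Internet "
                       "Explorer Vulnerability described in MS05-023. Sincerely Yours "
                       "The Microsoft Security Team",
                       "Q723523_W9X_WXP_x86_EN.exe")
SAMPLE_BENIGN = _sample("Lunch on Friday?", "Draft agenda attached.", "agenda.docx")

if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("patch", SAMPLE_PATCH),
                          ("benign", SAMPLE_BENIGN)):
        print(label, classify(sample) or ["no indicators"])
```

The exact-match lists catch this worm's messages; the double-extension and fake-bulletin checks are the parts worth keeping, since the same disguises recur in later mass-mailers regardless of the specific strings.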
The worm will attempt to send itself to other users on the IRC channels.
When trying to gain access to computers on the local network, the worm uses passwords from the following list:
23523
654321
54321
KKKKKKK
5201314
zxcv
yxcv
xxx
xp
test
pw
pwd
temp
pass
passwd
password
sql
database
admin
root
secret
oracle
sybase
server
computer
Internet
super
user
manager
mypass
mypc
security
public
private
login
love
default
enable
god
guest
home
qwer
qwe
abcd
abc
asdf
asdfgh
alpha
!@#$
!@#$%
!@#$%^
!@#$%^&
!@#$%^&*
!@#$%^&*(
!@#$%^&*()
It will contact news servers from the list:
alpha.webusenet.com baldrick.blic.net baracka.rz.uni-augsburg.de bbsnews.ndhu.edu.tw beech.fernuni-hagen.de bias.ipc.uni-tuebingen.de bossix.informatik.uni-kiel.de butthead.cybertrails.com cabale.usenet-fr.net ccnews.thu.edu.tw cdr.nord.net corp.newsgroups.com corp-binaries.newsgroups.com davide.msoft.it demonews.mindspring.com dogwood.fernuni-hagen.de dp-news.maxwell.syr.edu etel.ru forums.novell.com freebsd.csie.nctu.edu.tw frmug.org ftp.tomica.ru globo.edinfor.pt grapevine.lcs.mit.edu grieg.uol.com.br htsrv.attack.ru hub1.meganetnews.com info.rgv.net info.tsu.ru info4.uni-rostock.de infosun2.rus.uni-stuttgart.de inx3.inx.net isgnt5.netnow.net lord.usenet-edu.net msnews.microsoft.com natasha.ncag.edu netnews.de news.abcs.com news.ajou.ac.kr news.aktrad.ru news.aoc.gov news.avcinc.com news.avicenna.com news.beta.kz news.bsi.net.pl news.caiwireless2.com news.caravan.ru news.caribsurf.com news.cat.net.th news.cdpa.nsysu.edu.tw news.cell.ru news.cofc.edu news.coli.uni-sb.de news.com2com.ru news.comtel.ru news.corvis.ru news.cs.nthu.edu.tw news.cs.tu-berlin.de news.datast.net news.deakin.edu.au news.detnet.com news.discom.net news.dma.be news.dna.affrc.go.jp news.dsuper.net news.emn.fr news.enet.ru news.freenet.de news.fwi.com news.fxalert.com news.gamma.ru news.gcip.net news.gdbnet.ad.jp news.globalpac.com news.hanyang.ac.kr news.htwm.de news.ind.mh.se news.inet.gr news.informatik.uni-bremen.de news.infotecs.ru news.intel.com news.invarnet.inwar.com.pl news.isu.edu.tw news.itcanada.com news.jerseycape.net news.kiev.sovam.com news.konkuk.ac.kr news.krs.ru news.leivo.ru news.lit.ru news.louisa.net news.lsumc.edu news.lucky.net news.man.torun.pl news.math.cinvestav.mx news.matnet.com news.maxnet.ru news.mc.ntu.edu.tw news.mindvision.com.au news.ncue.edu.tw news.netcarrier.com news.netdor.com news.nchu.edu.tw news.nsysu.edu.tw news.odata.se news.online.de news.phoenixsoftware.com news.portal.ru news.primacom.net news.ramlink.net news.read.kpnqwest.net 
news.readfreenews.net news.reference.com news.ripco.com news.ruhr-uni-bochum.de news.savvis.net news.sexzilla.com news.solaris.ru news.spiceroad.ne.jp news.srv.cquest.utoronto.ca news.sti.com.br news.tehnicom.net news.teleglobe.net news.telepassport.de news.terra-link.com news.tln.lib.mi.us news.tohgoku.or.jp news.triax.com news.ttnet.net.tr news.tu-ilmenau.de news.udel.edu news.uncensored-news.com news.uni-duisburg.de news.uni-erlangen.de news.uni-hohenheim.de news.uni-mannheim.de news.uni-rostock.de news.uni-stuttgart.de news.unitel.co.kr news.univ-nantes.fr news.utb.edu news01.uni-trier.de news1.sinica.edu.tw news2.new-york.net news4.euro.net news4.odn.ne.jp news4.uncensored-news.com news-archive2.icm.edu.pl newscache0.freenet.de newscache1.freenet.de newscache2.freenet.de newscache3.freenet.de newscache4.freenet.de newscache5.freenet.de pubnews.gradwell.net regulus.its.deakin.edu.au service.symantec.com snews.apol.com.tw supern2.lnk.telstra.net tabloid.uwaterloo.ca www.usenet.pl
Torvil also copies itself to the shared folders of the popular P2P clients Xolox, Kazaa and eDonkey.
When spreading through P2P software, it copies itself into the P2P applications' folders under the names of popular software from the following list:
NetObjects Fusion v7.5
Macromedia Studio MX 2004
AllApps
BearShare Pro 4.3.0
Borland C++ BuilderX 1.0 Enterprise Edition
Microsoft Office System Professional V2003
Halo FLT
Nero Burning ROM v6.0.0.19 Ultra Edition
TVTool v8.31
NHL 2004
Norton SystemWorks 2004
McAfee Personal Firewall Plus 2004
iMesh 4.2 Ad Remover
Norton AntiVirus 2004
Norton Antispam 2004
Sophos AntiVirus v3.74
Macromedia Contribute 2
McAfee VirusScan Home Edition 2004
McAfee SpamKiller 2004