Description:
Win32.Torvil.D is a worm that spreads through several mechanisms: its own SMTP engine, Microsoft MAPI, Kazaa peer-to-peer (P2P) file sharing, Internet Relay Chat (IRC) and, as described below, administrative shares on remote Windows NT/2K/XP systems.
The worm uses an MHTML exploit to run automatically when its HTML is rendered, and exploits the "incorrect MIME type" vulnerability to run automatically when an e-mail message is opened. For more information on these vulnerabilities see the Microsoft bulletins MS03-014 (http://www.microsoft.com/technet/security/bulletin/MS03-014.asp) and MS01-020 (http://www.microsoft.com/technet/security/bulletin/MS01-020.asp).
Method of Installation
When executed, the worm displays a dialog with a ' Patch ' button (the screenshot is not reproduced here).
If the user clicks ' Patch ', a second message is displayed (screenshot also not reproduced here).
It copies itself to the Windows directory using this name:
%Windows%\SVCHOST.EXE
and one or both of these names:
%Windows%\spool??.exe
%Windows%\SMSS??.exe
where ? represents a randomly generated letter from a to z.
Note: '%Windows%' is a variable location. The worm determines the location of the current Windows folder by querying the operating system. The default Windows directory is C:\Winnt on Windows NT and 2000, and C:\Windows on Windows 95, 98, ME and XP. The legitimate svchost.exe lives in the System32 directory on NT-based systems and does not exist at all on Windows 9x/ME, so an svchost.exe directly under %Windows% is itself an indicator of this infection.
The worm creates a registry key in which it stores its own configuration data:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\OneLevelDeeper\TorvilDB
It sets a value named "TORVIL" in this key to store the file name it generated, for example: TORVIL="spoolhv.exe"
It then modifies the registry to ensure that one of these files is executed at Windows startup (for example):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service Host = "%Windows%\spoolhv.exe"
Under Windows NT/2K/XP, the following value is also modified (its normal content is just "Explorer.exe"):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe spoolhv.exe"
Additionally, on Windows 9x/ME, the run= line in the [windows] section of WIN.INI is modified to start %Windows%\spoolhv.exe at startup:
[windows]
run=%Windows%\spoolhv.exe
Note: "spoolhv.exe" is an example of a file name generated by the worm. The actual name used may be either "spool??.exe" or "SMSS??.exe", as described above.
It also replaces the default value of the open command for the "exefile", "comfile", "piffile", "scrfile", "cmdfile" and "batfile" classes, so that its %Windows%\svchost.exe copy is started, with the original program's path and arguments on its command line, every time a file of one of those types is launched:
HKEY_CLASSES_ROOT\batfile\Shell\open\command\(Default) = "%Windows%\svchost.exe "%1" %*"
HKEY_CLASSES_ROOT\cmdfile\Shell\open\command\(Default) = "%Windows%\svchost.exe "%1" %*"
HKEY_CLASSES_ROOT\comfile\Shell\open\command\(Default) = "%Windows%\svchost.exe "%1" %*"
HKEY_CLASSES_ROOT\exefile\Shell\open\command\(Default) = "%Windows%\svchost.exe "%1" %*"
HKEY_CLASSES_ROOT\piffile\Shell\open\command\(Default) = "%Windows%\svchost.exe "%1" %*"
HKEY_CLASSES_ROOT\scrfile\Shell\open\command\(Default) = "%Windows%\svchost.exe "%1" /S"
Note: because the exefile command is redirected, deleting %Windows%\svchost.exe before these values are restored leaves the system unable to start any .exe, including cleanup tools. Restore the commands first, then remove the file.
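The following is an added example, not code from the original analysis. It audits the file-association hijack offline: it parses the REGEDIT5 text that `reg export` (or regedit's Export) writes for the six classes, compares each open-command default with the stock Windows 2000/XP value (an assumption about the clean defaults), and emits a .reg fragment that restores them. The sample export is constructed.

```python
"""Offline audit of the exefile/comfile/... open-command hijack.

Added example; not part of the original analysis. Parses a REGEDIT5 export,
flags open commands that differ from the stock Windows 2000/XP defaults
(assumed clean values) and builds a .reg fragment that restores them.
"""
import re

# Stock defaults for the open verb; assumption: Windows 2000/XP values.
CLEAN_COMMANDS = {
    "batfile": '"%1" %*',
    "cmdfile": '"%1" %*',
    "comfile": '"%1" %*',
    "exefile": '"%1" %*',
    "piffile": '"%1" %*',
    "scrfile": '"%1" /S',
}

SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
DEFAULT_RE = re.compile(r'^@="(.*)"\s*$')            # the (Default) value, REG_SZ only
COMMAND_KEY_RE = re.compile(r"^HKEY_CLASSES_ROOT\\(\w+)\\shell\\open\\command$", re.IGNORECASE)


def unescape_reg_string(s: str) -> str:
    """Undo REGEDIT5 escaping (a backslash escapes the following character)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def escape_reg_string(s: str) -> str:
    """Apply REGEDIT5 escaping for backslashes and double quotes."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def parse_reg_export(text: str) -> dict:
    """Map each key path to its (Default) string value, for keys that set one."""
    defaults, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = DEFAULT_RE.match(line)
        if m and current is not None:
            defaults[current] = unescape_reg_string(m.group(1))
    return defaults


def audit_file_associations(reg_text: str) -> dict:
    """Return {class: (observed, expected)} for every hijacked open command."""
    findings = {}
    for key, value in parse_reg_export(reg_text).items():
        m = COMMAND_KEY_RE.match(key)
        if not m:
            continue
        cls = m.group(1).lower()
        if cls in CLEAN_COMMANDS and value != CLEAN_COMMANDS[cls]:
            findings[cls] = (value, CLEAN_COMMANDS[cls])
    return findings


def repair_reg_fragment(findings: dict) -> str:
    """Build a .reg file restoring the stock commands. Import it (e.g. reg import fix.reg
    on XP) BEFORE deleting the worm's svchost.exe, or no .exe will launch afterwards."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for cls, (_, expected) in sorted(findings.items()):
        lines.append(f"[HKEY_CLASSES_ROOT\\{cls}\\shell\\open\\command]")
        lines.append('@="' + escape_reg_string(expected) + '"')
        lines.append("")
    return "\n".join(lines)


# Constructed sample export: two hijacked classes, one clean class, one unrelated key.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\svchost.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="C:\\WINDOWS\\svchost.exe \"%1\" /S"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\system32\\NOTEPAD.EXE %1"
'''

if __name__ == "__main__":
    hits = audit_file_associations(SAMPLE_EXPORT)
    for cls, (seen, clean) in hits.items():
        print(f"{cls}: {seen!r}  (expected {clean!r})")
    print(repair_reg_fragment(hits))
```

The parser only handles REG_SZ defaults written as `@="..."`; values exported as `hex(2):` (REG_EXPAND_SZ) are ignored, which is fine here because the six hijacked commands are plain strings.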
It queries the registry value: HKEY_CLASSES_ROOT\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\(Default)
Under Win9x/ME/NT/2K, this value contains the name of the control panel (usually simply "Control Panel"). Under Windows XP, this value is usually empty. The worm creates a directory under the Windows directory using this name, with the extension ".{21EC2020-3AEA-1069-A2DD-08002B30309D}" appended to the end.
For example, on a Windows 9x/ME/NT/2K system, the directory may be called: C:\WINDOWS\Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}
On a Windows XP system, it may be: C:\WINDOWS\.{21EC2020-3AEA-1069-A2DD-08002B30309D}
It sets the read-only, hidden and system attributes on this directory. Because of the CLSID extension, opening the directory in Explorer shows the Control Panel rather than the actual directory contents. Command-line tools such as dir and attrib, and scripts that use ordinary file APIs, are not affected by this trick and list the real contents, so use them to inspect or remove the folder.
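As an added example (not code from the original analysis), the scanner below locates directories that borrow a shell-namespace CLSID as their extension and lists what is really inside them, then renames a hit so that Explorer shows its contents again. The sample tree is constructed in a temporary directory with placeholder files; only the Control Panel CLSID comes from the analysis.

```python
"""Locate and neutralise folders hidden behind a shell-namespace CLSID suffix.

Added example; not part of the original analysis. Explorer opens a folder named
"<anything>.{CLSID}" as the namespace object the CLSID names, so the GUI never
shows its real contents; plain filesystem calls do, which this scanner relies on.
"""
import os
import re
import tempfile

CONTROL_PANEL_CLSID = "{21EC2020-3AEA-1069-A2DD-08002B30309D}"   # from the analysis
CLSID_SUFFIX_RE = re.compile(
    r"\.\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.IGNORECASE
)


def find_clsid_folders(root: str) -> list:
    """Walk root; return (path, sorted entries) for each directory with a .{CLSID} suffix."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            if CLSID_SUFFIX_RE.search(name):
                full = os.path.join(dirpath, name)
                hits.append((full, sorted(os.listdir(full))))
    return hits


def neutralise(path: str) -> str:
    """Rename the folder without its CLSID suffix so Explorer shows the real contents.
    On Windows, clear the read-only/hidden/system attributes first if the rename is refused."""
    new_path = CLSID_SUFFIX_RE.sub("", path)
    os.rename(path, new_path)
    return new_path


def build_demo_tree() -> str:
    """Constructed stand-in for an infected %Windows%; returns the temporary root."""
    root = tempfile.mkdtemp(prefix="torvil_demo_")
    hidden = os.path.join(root, "Control Panel." + CONTROL_PANEL_CLSID)
    os.makedirs(hidden)
    for name in ("Half Life 2 Crack.exe", "DEFAULT.HTM"):
        with open(os.path.join(hidden, name), "wb") as fh:
            fh.write(b"placeholder, not the worm")
    os.makedirs(os.path.join(root, "system32"))           # an ordinary folder, not reported
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for folder, entries in find_clsid_folders(demo):
        print(folder, "->", entries)
        print("renamed to", neutralise(folder))
```

Run it against the real %Windows% on a suspect machine (`find_clsid_folders(r"C:\WINDOWS")`) and treat any hit whose suffix you did not create yourself as suspicious.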
The following files may be dropped by the worm into this folder:
Analyze Sales.htm
CAJUN.HTM
DEFAULT.HTM
Dragon NaturallySpeaking 8 ISO Multilanguage Keygen.exe
EVENT.HTM
FEEDBACK.HTM
FORMAGGI.HTM
FPBROWSE.HTM
Half Life 2 Crack.exe
Half Life 2 Keygen.exe
iMesh 4.2 Ad Remover Crack.exe
iMesh 4.2 Ad Remover Keygen.exe
INTLBAND.HTM
JSCRIPT.HTM
LOBBY.HTM
L_STATUS.HTM
Macromedia Contribute 2 Crack.exe
Macromedia Contribute 2 Keygen.exe
McAfee Personal Firewall Plus 2004 Crack.exe
Microsoft Office System Professional V2003 Crack.exe
Microsoft Office System Professional V2003 Keygen.exe
Nero Burning ROM v6.0.0.19 Ultra Edition Crack.exe
Norton SystemWorks 2004 Crack.exe
NSFRAME.HTM
NSHELP.HTM
NSTEST.HTM
NWINDTEM.HTM
PRELOBBY.HTM
Review Orders.htm
Review Products.htm
Sales.htm
SLIDEHLD.HTM
THANKYOU.HTM
VBSCRIPT.HTM
The dropped .EXE files are copies of the worm. The .HTM files are not plain HTML: they are MIME-formatted (MHTML) documents that carry the worm as a base64-encoded part.
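The following is an added example, not code from the original analysis. It shows how to pull the base64-encoded executable out of one of these MIME-formatted .HTM droppers with Python's email package, identifying the part by its content (the MZ header) rather than by the Content-Type the header claims, which is the point of the "incorrect MIME type" trick. The message is constructed with a harmless placeholder in place of the worm; the audio/x-wav type is an assumed illustration of a misdescribed executable part.

```python
"""Extract the executable part from a MIME/MHTML dropper.

Added example; not part of the original analysis. The constructed message
below stands in for one of the worm's .HTM files; PAYLOAD is a placeholder.
"""
import base64
import email
import hashlib
from email import policy

PAYLOAD = b"MZ" + b"placeholder bytes standing in for the worm"   # constructed, not malware
PAYLOAD_SHA256 = hashlib.sha256(PAYLOAD).hexdigest()

SAMPLE_MHTML = (
    "From: security@microsoft.com\r\n"
    "Subject: DEFAULT.HTM\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/related; boundary="torvil"\r\n'
    "\r\n"
    "--torvil\r\n"
    "Content-Type: text/html; charset=us-ascii\r\n"
    "\r\n"
    "<html><body>Please wait...</body></html>\r\n"
    "--torvil\r\n"
    'Content-Type: audio/x-wav; name="spoolhv.exe"\r\n'      # assumed: type lies about a PE
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    + base64.b64encode(PAYLOAD).decode("ascii") + "\r\n"
    "--torvil--\r\n"
)


def extract_parts(raw: str) -> list:
    """Decode every leaf part; report declared type, filename, size, hash and PE magic."""
    msg = email.message_from_string(raw, policy=policy.default)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True)           # undoes base64 / quoted-printable
        parts.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "encoding": str(part.get("Content-Transfer-Encoding", "7bit")).lower(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "is_pe": data[:2] == b"MZ",                 # DOS/PE header magic
        })
    return parts


def suspicious_parts(raw: str) -> list:
    """Parts that carry a PE image, whatever Content-Type the header claims."""
    return [p for p in extract_parts(raw) if p["is_pe"]]


if __name__ == "__main__":
    for p in suspicious_parts(SAMPLE_MHTML):
        print(f"{p['filename']}: declared {p['content_type']}, {p['size']} bytes, "
              f"sha256 {p['sha256']}")
```

When carving real samples, write the decoded bytes out under a neutral name such as sample.bin rather than the claimed .exe name, so the file cannot be launched by accident.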
On Windows 9x/ME, the worm registers itself as a service process.
On Windows NT/2K/XP, the worm creates and starts a service to run itself. The service has these properties:
Name: TORVIL
Display Name: System Registry Service
Description: Provides Local Access to the Registry
Path to executable: %Windows%\spoolhv.exe -xStartOurNiceServicesYes
Startup type: Automatic
Method/s of Distribution
Via Email
The e-mail messages created by the worm take several different major forms, with many slight variations in each. The "from" address is forged, sometimes using an address found on the infected system and sometimes using security@microsoft.com.
The example messages captured during analysis are not reproduced here.
The worm chooses an attachment name from the following list:
yourwin.bat
probsolv.doc.pif
flt-xb5.rar.pif
document.doc.pif
sexinthecity.scr
torvil.pif
win$hitrulez.pif
sexy.jpg
flt-ixb23.zip
readit.doc.pif
document1.doc.pif
attachment.zip
Q723523_W9X_WXP_x86_EN.exe
The attachment name may also be the generated name, as mentioned above, for example: spoolhv.exe
The worm also has the ability to put itself inside ZIP, RAR, and ACE archives to attach to its messages, although this was not confirmed in lab tests. If it finds that WinRAR is installed, it can use WinRAR to create RAR and ZIP archives. If WinACE is installed, it can use it to create ACE archives.
The worm uses simple MAPI functions to get addresses from messages in the user's inbox. These addresses are used both to send to and for fake "from" addresses. It also looks for files with any of the following strings somewhere in their extension:
ODS MMF INBOX NCH DBX MAI MHT WAB MBX TBB EML DBX HTM DOC RTF DOT WAB ABD HTML PHP PST DAT
The worm may search these for e-mail addresses, but this was not observed in the lab.
The worm e-mails itself using its own SMTP code. It finds the mail exchanger for each recipient by performing DNS lookups on the recipient's domain. The name server used for these lookups is chosen at random from the following hard-coded list rather than taken from the system's configured resolver:
152.163.159.232 193.189.233.45 149.174.211.8 193.189.231.2 64.12.51.132 216.109.116.17
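Two things in that behaviour are visible on the wire: workstations sending DNS queries straight to the hard-coded resolvers listed above instead of the site resolver, and workstations connecting directly to port 25 on many external hosts instead of relaying through the mail gateway. The hunt below is an added example, not code from the original analysis; the flow records are constructed, and the internal network, site resolver, mail relay and alert threshold are assumptions to adjust for your environment. The resolver addresses are not malicious in themselves; the indicator is a host bypassing the local resolver to reach them.

```python
"""Hunt for Torvil.D mailing behaviour in connection logs.

Added example; not part of the original analysis. Flags internal hosts that
query the worm's hard-coded resolvers directly and/or fan out SMTP connections
to external hosts without using the mail relay.
"""
from collections import defaultdict
import ipaddress

# From the analysis: the resolvers the worm picks from for MX lookups.
TORVIL_RESOLVERS = {"152.163.159.232", "193.189.233.45", "149.174.211.8",
                    "193.189.231.2", "64.12.51.132", "216.109.116.17"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumption: site address space
MAIL_RELAYS = {"10.0.0.25"}                          # assumption: site SMTP gateway
SMTP_FANOUT_THRESHOLD = 3                            # assumption: distinct external SMTP peers

# Constructed flow records: "timestamp src dst proto dport"
SAMPLE_FLOWS = """\
2003-12-01T10:00:01 10.0.1.15 10.0.0.2 udp 53
2003-12-01T10:00:02 10.0.1.15 10.0.0.25 tcp 25
2003-12-01T10:01:00 10.0.1.44 152.163.159.232 udp 53
2003-12-01T10:01:01 10.0.1.44 64.12.51.132 udp 53
2003-12-01T10:01:02 10.0.1.44 198.51.100.10 tcp 25
2003-12-01T10:01:03 10.0.1.44 198.51.100.20 tcp 25
2003-12-01T10:01:04 10.0.1.44 203.0.113.7 tcp 25
2003-12-01T10:01:05 10.0.1.44 203.0.113.9 tcp 25
2003-12-01T10:02:00 10.0.1.90 203.0.113.7 tcp 25
"""


def parse_flows(text: str):
    """Yield (timestamp, src, dst, proto, dport) from the space-separated log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        yield ts, src, dst, proto, int(dport)


def hunt(text: str) -> dict:
    """Return {src: [reasons]} for internal hosts showing the worm's mailing traits."""
    rogue_dns = defaultdict(set)      # src -> Torvil resolvers it queried
    smtp_targets = defaultdict(set)   # src -> non-relay hosts it spoke SMTP to
    for _, src, dst, proto, dport in parse_flows(text):
        if ipaddress.ip_address(src) not in INTERNAL_NET:
            continue
        if proto == "udp" and dport == 53 and dst in TORVIL_RESOLVERS:
            rogue_dns[src].add(dst)
        elif proto == "tcp" and dport == 25 and dst not in MAIL_RELAYS:
            smtp_targets[src].add(dst)

    findings = {}
    for src in set(rogue_dns) | set(smtp_targets):
        reasons = []
        if rogue_dns[src]:
            reasons.append(f"DNS to Torvil resolvers: {sorted(rogue_dns[src])}")
        if len(smtp_targets[src]) >= SMTP_FANOUT_THRESHOLD:
            reasons.append(f"direct SMTP to {len(smtp_targets[src])} external hosts")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for host, why in sorted(hunt(SAMPLE_FLOWS).items()):
        print(host, "-", "; ".join(why))
```

A single direct SMTP connection (10.0.1.90 in the sample) is below the fan-out threshold and is not reported on its own; the resolver match is reported even once, because a workstation has no legitimate reason to bypass the site resolver for exactly those addresses.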
Via Network Shares
Torvil.D can also copy itself to shares on remote Windows NT/2K/XP systems. It tries to copy itself to the default administrator shares:
c$ d$ admin$
by trying these passwords: 23523 654321 54321 KKKKKKK 5201314 zxcv yxcv xxx xp test pw pwd temp pass passwd password sql database admin root secret oracle sybase test server computer Internet super user manager mypass mypc security public private login love default enable god guest home qwer qwe abc d abc asdf asdfgh alpha asdf !@#$"!@#$ !@#$% !@#$%^ !@#$%^& !@#$%^&* !@#$%^&*( !@#$%^&*()
If successful, the worm copies itself with the file name:
reminder.exe
It tries to run this copy both by creating a service on the remote machine and by scheduling a job there.
Payload
Terminates Processes
The worm attempts to terminate antivirus and other security programs by searching for the following process names:
_AVP32 _AVPCC _AVPM ACKWIN32 ADVXDWIN AGENTW ALERTSVC ALOGSERV ALOGSERV AMON9X ANTI-TROJAN ANTIVIR ANTS APVXDWIN APVXDWIN ATCON ATRACK ATUPDATER ATWATCH AUTODOWN AUTO-PROTECT AUTOTRACE AVCONSOL AVE32 AVGCC32 AVGCTRL AVGSERV AVGSERV9 AVGW AVKPOP AVKSERV AVKSERVICE AVKWCTL9 AVP AVP32 AVPM AVPTC AVPUP D AVSCHED32 AVSYNMGR AVWIN95 AVWINNT AVXMONITOR9X AVXMONITORNT AVXQUAR AVXQUAR AVXW BLACKD BLACKICE CCEVTMGR CCPWDSVC CCSETMGR CDP CFGWIZ CFINET CLAW95 CLAW95CF CLEANER CLEANER3 CMGRDIAN CONNECTIONMONITOR CPD CPDClNT CTRL DEFALERT DEFSCANGUI DEFWATCH DOORS DVP95_0 DVP95 EFPEADM ETRUSTCIPE EVPN EXPERT F-AGNT95 FAMEH32 FCH32 FIH32 FIREWAL FNRB32 F-PROT F-PROT95 FP-WIN FRW FSAA FSAV32 FSGK32 FSM32 FSMA32 FSMB32 F-STOPW GBMENU GBPOLL GBPOLL GENERICS GUARD GUARDDOG IAMAPP IAMSERV IAMSTATS ICLOAD95 ICLOADNT ICMON ICSUPP95 ICSUPPNT IFACE IOMON98 ISRV95 JEDI LDNETMON LDPROMENU LDSCAN LOCKDOWN LOCKDOWN2000 LUALL LUCOM LUSPT MCAGENT MCMNHDLR MCSHIELD MCTOOL MCUPDATE MCVSRTE MCVSSHLD MGAVRTCL MGAVRTE MGHTML MINILOG MONITOR MOOLIVE MPFAGENT MPFSERVICE MPFTRAY MWATCH N32SCANW NAV NAVAP NAVAPSVC NAVAPW32 NAVENGNAVEX15 NAVENGNAVEX15 NAVLU32 NAVRUNR NAVW32 NAVWNT NDD32 NEOWATCHLOG NETUTILS NISSERV NISUM NMAIN NOD32 NORMIST NOTSTART NPROTECT NPSCHECK NPSSVC NRESQ32 NSCHED32 NSCHEDNT NSPLUGIN NTRTSCAN NTVDM NTXcONFIG Nui NUPGRADE NVC95 NVSVC32 NWSERVICE NWTOOL16 PADMIN PAVPROXY PCCIOMON PCCMAIN PCCNTMON PCCWIN97 PCCWIN98 PCFWALLICON PCSCAN PERSFW PERSWF POP3TRAP POPROXY PORTMONITOR PROCESSMONITOR PROGRAMAUDITOR PVIEW95 RAPAPP RAV7 RAV7WIN REALMON RESCUE RTVSCN95 RULAUNCH SAFEWEB SAVSCAN SBSERV SCAN32 SCRSCAN SMC SPHINX SPYXX SS3EDIT SWEEP95 SWEEPNET SWEEPSRV SWNETSUP SymProxySvc SYMTRAY TAUMON TCA TCM TDS2-98 TDS2-NT TDS-3 TFAK TMNTSRV VBCMSERV VBCONS VET32 VET95 VETTRAY VIR-HELP VPC32 VPTRAY VSCHED VSECOMR VSHWIN32 VSMAIN VSMON VSSTAT WATCHDOG WEBSCANX WEBTRAP WGFE95 WIMMUN32 WRADMIN WRCTRL WRCTRL ZAPRO ZONEALARM
Other
The worm also prevents users from running Regedit by setting the following policy value:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = 0x1
On NT/2K/XP systems, it sets this value so that files and folders with the system attribute (including the hidden folder described above) are not shown in Explorer:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = 0
Note: because Regedit is blocked, use reg.exe from a command prompt (built into Windows XP) to clear these values and the other registry changes listed above.
Analysis by Haim Hayman and Hamish O'Dea