Win32/Torvil.A@mm is a worm that spreads via E-mail and via Peer-To-Peer (P2P) file-sharing software.
When run, Win32/Torvil.A@mm copies itself to "%windir%\svchost.exe".
If the registry value "TORVIL" in registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\OneLevelDeeper\Torvil" exists, then Win32/Torvil.A@mm will copy itself to the filename pointed to by that registry value. If that registry value does not already exist, then Win32/Torvil.A@mm will copy itself to "%windir%\spool??.exe" or to "%windir%\SMSS??.exe" (where "??" represents two random lowercase letters) and will create the "TORVIL" registry value in registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\OneLevelDeeper\Torvil", set to this new filename. This new filename is also appended to the registry value "Shell" in registry key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon". For example, if the "Shell" value contained "Explorer.exe", then Win32/Torvil.A@mm would set it to "Explorer.exe spool??.exe" or "Explorer.exe SMSS??.exe".
Win32/Torvil.A@mm sets the registry value "Service Host" in registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" to "%windir%\spool??.exe" or to "%windir%\SMSS??.exe". It also sets the registry value "Service Host" in registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" to "%windir%\svchost.exe". These settings will cause Win32/Torvil.A@mm to run every time Windows is started.
Win32/Torvil.A@mm then exits and runs itself from "%windir%\spool??.exe" or "%windir%\SMSS??.exe".
The new Win32/Torvil.A@mm process will create a read-only, hidden system directory at "%windir%\mstorvil.{21EC2020-3AEA-1069-A2DD-08002B30309D}".
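The following read-only PowerShell host check is an added example, not part of the original description: it looks for the persistence artifacts listed above (the "TORVIL" marker value, the "Service Host" Run/RunOnce entries, a modified Winlogon "Shell" value, the dropped copies in %windir% and the hidden mstorvil.{CLSID} directory) and reports what it finds without changing anything. It assumes it is run in an elevated session on the host being examined.

```powershell
# Added example: report Win32/Torvil.A@mm persistence artifacts on this host.
# Read-only: it prints findings and removes nothing. Run from an elevated PowerShell.
$windir   = $env:windir
$findings = @()

# 1. Marker value in which the worm records its own randomised filename.
$torvilKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\OneLevelDeeper\Torvil'
if (Test-Path $torvilKey) {
    $v = (Get-ItemProperty -Path $torvilKey -ErrorAction SilentlyContinue).TORVIL
    $findings += "TORVIL marker present: $torvilKey -> '$v'"
}

# 2. Autorun entries named "Service Host" under Run and RunOnce.
foreach ($k in 'Run', 'RunOnce') {
    $p = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\$k"
    $v = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).'Service Host'
    if ($v) { $findings += "$k\'Service Host' = '$v'" }
}

# 3. Winlogon Shell should be exactly "explorer.exe"; anything appended is suspicious.
#    (-ne is case-insensitive in PowerShell, so "Explorer.exe" alone passes.)
$shell = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') {
    $findings += "Winlogon Shell modified: '$shell'"
}

# 4. Dropped copies: svchost.exe directly in %windir% (the legitimate binary lives in
#    System32) and spool??.exe / SMSS??.exe with two random letters. -match is
#    case-insensitive, so a copy with upper-case letters would still be reported.
if (Test-Path "$windir\svchost.exe") { $findings += "$windir\svchost.exe exists" }
Get-ChildItem -Path $windir -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^(spool|SMSS)[a-z]{2}\.exe$' } |
    ForEach-Object { $findings += "Suspicious dropper filename: $($_.FullName)" }

# 5. Hidden, read-only share directory named after a CLSID.
$shareDir = "$windir\mstorvil.{21EC2020-3AEA-1069-A2DD-08002B30309D}"
if (Test-Path $shareDir) {
    $n = @(Get-ChildItem -Path $shareDir -Force -File -ErrorAction SilentlyContinue).Count
    $findings += "Hidden share directory present with $n file(s): $shareDir"
}

if ($findings.Count -eq 0) { 'No Win32/Torvil.A@mm artifacts found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A Winlogon "Shell" value other than "explorer.exe" is worth investigating even when the other checks are clean, since the same persistence location is shared by many other families.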
If the P2P client eDonkey2000 is installed, Win32/Torvil.A@mm will add this new hidden directory to the list of shared eDonkey2000 directories by modifying one of the following eDonkey2000 files: SHARE.DAT, SHARED.DAT, or SHAREDDIR.DAT.
If the P2P client Xolox is installed, Win32/Torvil.A@mm will add the new hidden directory to the "shareddirs" registry value in registry key "HKCU\Software\Xolox".
If the P2P client Kazaa is installed, Win32/Torvil.A@mm will add the new hidden directory to the list of shared Kazaa directories.
Win32/Torvil.A@mm will copy itself to the "%windir%\mstorvil.{21EC2020-3AEA-1069-A2DD-08002B30309D}" directory using some or all of the following filenames:
Adobe Encore DVD 1.0 Crack.exe
BearShare Pro v4.0.1 Crack.exe
BestCrypt v7.08.1 Crack.exe
Cultures 3 Northland Crack.exe
Colin McRae Rally 4 Crack.exe
DivX Pro 5.1 Crack.exe
DVD X Studios CloneDVD 1.25 Crack.exe
Dragons Lair 3D Multilanguage Crack.exe
Empereur L´Empire du Milieu - Mise a Jour Crack.exe
EasyRecovery v1.1.01 Crack.exe
iMesh v3.0b Ad Remover Crack.exe
Norton AntiVirus 2004 Crack.exe
Star Wars Jedi Knight Jedi Academy Crack.exe
Tony Hawks Pro Skater 4 Multilanguage NoCD Crack.exe
You dont know Jack 4 Crack.exe
Zone Alarm Pro 4.0 Crack.exe
Win32/Torvil.A@mm will also search the infected computer for filenames that contain ".RAR", ".ZIP", and ".ACE", and will copy itself to "%windir%\mstorvil.{21EC2020-3AEA-1069-A2DD-08002B30309D}" under some of the filenames it finds. It will randomly append ".pif" or ".exe" to those newly copied filenames, or will replace their original extension with ".exe".
It will then append 16 random characters to the end of each file it has created in the "%windir%\mstorvil.{21EC2020-3AEA-1069-A2DD-08002B30309D}" directory.
Win32/Torvil.A@mm will then search the infected computer for E-mail addresses in files whose filenames contain these strings:
.ODS
.MMF
INBOX
.NCH
.DBX
.MAI
.MHT
.WAB
.MBX
.TBB
.EML
.DAT
.TXT
.HTM
.DOC
.RTF
.DOT
.ABD
.HTML
.PHP
.MBOX
It will send itself as an E-mail attachment to the E-mail addresses it finds, using the following attachment filenames:
document.pif
thank_you.pif
her_details.pif
funny_guy.pif
wicked_screensaver.scr
movie0045.pif
torvil.pif
Q723523_W9X_WXP_x86_EN.exe
It will also search for files on the infected computer whose filenames contain ".DOC", ".DOT", ".RTF", ".XLS", ".JPG", ".BMP", ".GIF", or ".PNG" and will append ".pif" to those filenames and use them as E-mail attachment names.
The E-mail subjects and bodies may contain the following:
congratulations!
darling.
eager to see you.
honey!
how are you ?
lets be friends!
meeting notice.
please try again
questionnaire
some questions?!
sos!
your password!
Thank you!
Details
My details
Approved
Your application
Your details
See the attached file for details.
I have a document attached, which should solve your problems.
I have a file attached, which should help you to solve all your problems.
The file is the original mail
here's a nice Picture
Have a look the Pic attached !!
here's the document
here's the document you requested
Here's the document that you had requested.
<security@microsoft.com>
<security@securityfocus.com>
Use this patch immediately !
Next Critical Vulnerability Patch!
You should apply this fix which solves the newest Internet Explorer Vulnerability described in MS05-023.
It's important that you apply the fix now since we estimate the Buffer Overflow is at a Critical Level.
Sincerely Yours The
Security Team