Basic information
- Chinese name: Worm.Torvil.b
- Alias: I-Worm.Torvil.b [AVP]
- Date handled: 2004-02-05
- Threat level: ★
Overview
Chinese name:
Virus type: worm
Affected systems: Win9x/NT/2000/XP
Virus behaviour:
Written in: Delphi, packed with ASPack
Infection vectors:
A. E-mail
B. Connecting to remote machines by guessing weak passwords
C. ICQ, mIRC and KaZaA shared folders
Trigger conditions:
System modifications:
A. Drops two copies of the virus into %SystemRoot%:
SMSS??.exe or Spool??.exe (where ?? are two arbitrary letters)
svchost.exe
B. Creates the directory mstorvil under %SystemRoot% and drops multiple copies of the virus into it.
The first half of each file name may be one of:
NetObjects Fusion v7.5
Macromedia Studio MX 2004 AllApps
BearShare Pro 4.3.0
Borland C++ BuilderX 1.0 Enterprise Edition
Microsoft Office System Professional V2003
Halo FLT
Nero Burning ROM v6.0.0.19 Ultra Edition
TVTool v8.31
NHL 2004
Norton SystemWorks 2004
McAfee Personal Firewall Plus 2004
iMesh 4.2 Ad Remover
Norton AntiVirus 2004
Norton Antispam 2004
Sophos AntiVirus v3.74
Macromedia Contribute 2
McAfee VirusScan Home Edition 2004
McAfee SpamKiller 2004
The second half may be one of:
Keygen.exe
Crack.exe
C. Creates the following files:
C:\torvil.log
message.dat
message.htm
msg.zip
D. Under the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
creates the value:
"Service Host"="%SystemRoot%\SMSS??.exe"
Under the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
modifies the value:
"Shell"="Explorer.exe SMSS??.exe"
Creates the following subkeys and the entries beneath them:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\OneLevelDeeper\TorvilDB
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TORVIL
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TORVIL (creates a service named "TORVIL" whose path is "%SystemRoot%\SMSS??.exe -s")
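As an added defensive example (not part of the original write-up), the following Python scans a `.reg` export for the three persistence points listed above: the "Service Host" Run value, a Winlogon Shell value with anything appended to Explorer.exe, and the TORVIL service keys. The registry export text is constructed here and the host paths in it are made up.

```python
import re

# Constructed sample: fragment of a .reg export from a hypothetical infected host.
# Value names and layout follow the Torvil.b write-up; the paths themselves are invented.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Service Host"="C:\\WINDOWS\\SMSSab.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe SMSSab.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TORVIL]
"ImagePath"="C:\\WINDOWS\\SMSSab.exe -s"
"""

# Dropped-copy name pattern from the write-up: SMSS??.exe / Spool??.exe, ?? = two letters.
TORVIL_EXE = re.compile(r"(?:^|[\\\s])(?:SMSS|Spool)[A-Za-z]{2}\.exe\b", re.IGNORECASE)

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def parse_reg(text):
    """Parse .reg export lines into {key_path: {value_name: data}} (REG_SZ values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            # .reg files escape backslashes in string data as "\\"; undo that.
            keys[current][name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return keys


def find_torvil_indicators(reg_text):
    """Return human-readable findings for the persistence points Torvil.b uses."""
    keys = parse_reg(reg_text)
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if name == "Service Host" or TORVIL_EXE.search(data):
            findings.append(f"Run value {name!r} -> {data}")
    shell = keys.get(WINLOGON_KEY, {}).get("Shell")
    # A clean Shell value is exactly "Explorer.exe"; anything appended is a hijack.
    if shell is not None and shell.lower() != "explorer.exe":
        findings.append(f"Winlogon Shell hijacked -> {shell}")
    for key in keys:
        if key.upper().endswith((r"\SERVICES\TORVIL", r"\ROOT\LEGACY_TORVIL")):
            findings.append(f"Torvil service key present -> {key}")
    return findings
```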
Symptoms:
A. When run, a window titled "Microsoft RPC-DCOM Fix2" appears
B. Repeatedly opens and closes a DOS window that displays: "%current time% xExec %SystemRoot%\SMSS??.exe"
C. Terminates the following processes:
_AVP32
_AVPCC
_AVPM
ACKWIN32
ATRACK
ADVXDWIN
AGENTW
ALERTSVC
ALOGSERV
AMON9X
ANTIVIR
ANTI-TROJAN
AVPUPD
AVWIN95
AVPTC
AVE32
ANTS
APVXDWIN
ATCON
ATUPDATER
ATWATCH
AUTODOWN
AUTOTRACE
AVCONSOL
AVGCC32
AVGCTRL
AVGSERV
AVGSERV9
AVGW
AVKPOP
AVKSERV
AVKSERVICE
AVKWCTL9
AVP
AVP32
AVPM
AVSCHED32
AVSYNMGR
AVWINNT
AVXMONITOR9X
AVXMONITORNT
AVXQUAR
AVXW
BLACKD
BLACKICE
CDP
CFGWIZ
CLAW95
CCEVTMGR
CCPWDSVC
CLAW95CF
CFINET
CLEANER
CLEANER3
CMGRDIAN
CONNECTIONMONITOR
CPD
CPDClNT
CTRL
DEFALERT
DEFSCANGUI
DEFWATCH
DOORS
DVP95
DVP95_0
EFPEADM
ETRUSTCIPE
EVPN
EXPERT
FIREWAL
F-AGNT95
FAMEH32
FCH32
FIH32
FNRB32
F-PROT
F-PROT95
FP-WIN
FRW
FSAA
FSAV32
FSGK32
FSM32
FSMA32
FSMB32
F-STOPW
GBMENU
GBPOLL
GENERICS
GUARD
GUARDDOG
IAMAPP
IAMSERV
IAMSTATS
ICLOAD95
ICLOADNT
ICMON
ICSUPP95
ICSUPPNT
IFACE
IOMON98
ISRV95
JEDI
LDNETMON
LDPROMENU
LDSCAN
LOCKDOWN
LOCKDOWN2000
LUALL
LUCOMSERVER
LUSPT
MCAGENT
MCMNHDLR
MCSHIELD
MCTOOL
MCUPDATE
MCVSRTE
MCVSSHLD
MGAVRTCL
MGAVRTE
MGHTML
MINILOG
MONITOR
NAVRUNR
MOOLIVE
MPFAGENT
MPFSERVICE
MPFTRAY
MWATCH
NAV
AUTO-PROTECT
NAVAP
NAVAPSVC
NAVAPW32
NAVENGNAVEX15
N32SCANW
NAVLU32
NAVW32
NAVWNT
NDD32
NEOWATCHLOG
NETUTILS
NISSERV
NISUM
NMAIN
NOD32
NORMIST
NOTSTART
NPROTECT
NPSCHECK
NPSSVC
NSCHED32
NSPLUGIN
NTRTSCAN
NTVDM
NRESQ32
NTXcONFIG
Nui
NUPGRADE
NVC95
NWSERVICE
NWTOOL16
NSCHEDNT
PADMIN
PAVPROXY
PCCIOMON
PCCNTMON
PCCWIN97
PCCWIN98
PCSCAN
PERSFW
PERSWF
POP3TRAP
PCFWALLICON
POPROXY
PORTMONITOR
PROCESSMONITOR
PROGRAMAUDITOR
PVIEW95
RAPAPP
RAV7
RAV7WIN
REALMON
RESCUE
PCCMAIN
RTVSCN95
RULAUNCH
TMNTSRV
SBSERV
SAFEWEB
SAVSCAN
SCAN32
SCRSCAN
SMC
SPHINX
SPYXX
SS3EDIT
SWEEP95
SWEEPNET
SWEEPSRV
SWNETSUP
SymProxySvc
SYMTRAY
TAUMON
TDS2-98
TDS2-NT
TCA
TCM
TFAK
VBCMSERV
VBCONS
VET32
VET95
VETTRAY
VIR-HELP
VPC32
VPTRAY
VSCHED
VSECOMR
VSHWIN32
VSMAIN
VSMON
VSSTAT
WATCHDOG
WEBSCANX
WEBTRAP
WGFE95
WIMMUN32
WRADMIN
WRCTRL
ZAPRO
ZONEALARM
D. Sends virus e-mails
Subject:
congratulations!
darling
Do not release, its the internal rls!
Documents
Pr0n!
Undeliverable mail--
Returned mail--
here's a nice Picture
New Internal Rls...
here's the document
here's the document you requested
here's the archive you requested
Body:
The first part may be one of:
Hi,
Hello,
Re:
Fw:
The second part may be one of:
See the attached file for details.
I have a document attached,
which should solve your problems.
The release file is attached...
Send me your comments.
Real outtakes from Sex in the City!!
Adult content!!! Use with parental advisory =)
Have a look the Pic attached !!
dOnT gIvE iT aWaY...
iTs cOnFiDeNtIaL =)
here's the document that you had requested.
That's the answer to all your questions.
Have a look at the attatchment.
The attachment may be one of:
yourwin.bat
probsolv.doc.pif
flt-xb5.rar.pif
document.doc.pif
sexinthecity.scr
torvil.pif
win$hitrulez.pif
sexy.jpg
flt-ixb23.zip
readit.doc.pif
document1.doc.pif
attachment.zip
message.zip
Special note:
Attempts to connect to remote computers using weak passwords; if it succeeds, it copies the virus as "Reminder.exe" into the remote computer's %SystemRoot% directory.