Win32.Ivrol.A@mm

MEDIUM
LOW
75,783 bytes
(N/A)

Symptoms

- Presence of the following files in the Windows folder:
svchost.exe (75,783 bytes)
spool??.exe or smss??.exe (75,783 bytes)

where ? may be any letter

- Presence of the following registry entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"Service Host"="C:\WINDOWS\??????.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\"Service Host"="C:\WINDOWS\svchost.exe"

where ??????.exe points to a copy of the virus and may be spool??.exe or smss??.exe (e.g. spooloj.exe, spoolew.exe, smsstp.exe, smsscw.exe)

- Presence in the Windows folder of a subfolder mstorvil.{21EC2020-3AEA-1069-A2DD-08002B30309D} containing copies of the virus.

Removal instructions:

The BitDefender Virus Analysis Team has released a free removal tool for this particular virus.

Important: You will have to close all applications (including the antivirus shields) before running the tool and restart the computer afterwards. Additionally, you will have to manually delete the infected files located in archives and the infected messages from your mail client.

The BitDefender Antiivrol-en.exe tool does the following:
  • it detects all the known Win32.Ivrol versions;
  • it kills the process from memory;
  • it deletes the files infected with Win32.Ivrol;
  • it repairs the Windows registry.

You may also need to restore the affected files.

To prevent this virus from using the IFRAME exploit, apply the patch Microsoft released for Internet Explorer 5.0 and 5.5.

Analyzed by: Patrick Vicol, BitDefender Virus Researcher

Technical Description:

This mass mailer mainly spreads through e-mail. It features its own SMTP engine and retrieves the default SMTP address from the Internet Account Manager.
It may use the IFRAME exploit when sending e-mails.
It also attempts to spread through eDonkey and Kazaa.


It spreads using e-mails in this format:

Subject (may be one of the following):
-------
congratulations!
darling.
eager to see you.
honey!
how are you ?
lets be friends!
meeting notice.
please try again
questionnaire
some questions?!
sos!
your password!
Thank you!
Details
My details
Approved
Your application
Your details

Body (may be one of the following):
----
See the attached file for details.

I have a document attached,
which should solve your problems

I have a file attached,
which should help you to solve all your problems

Attachment (may be one of the following):
----------
document.pif
thank_you.pif
her_details.pif
funny_guy.pif
wicked_screensaver.scr
movie0045.pif
torvil.pif
Q723523_W9X_WXP_x86_EN.exe

It may also spread using the following e-mail templates (note: the Subject may also be prefixed with "Re:" or "Fw:").
%RANDOM% is a random e-mail address or filename (for attachments).
-----------------------------

Subject:
Undeliverable mail
or
Returned mail--

Body:
The following mail can't be sent to %RANDOM%

The file is the original mail
-----------------------------

Subject:
Hi, %RANDOM% here's a nice Picture

Body:
Hi, %RANDOM%

Have a look the Pic attached !!

Attachment:
%RANDOM%.pif
-----------------------------

Subject:
Hi, %RANDOM% here's the document

Body:
Hi, %RANDOM%

Attachment:
%RANDOM%.pif
-----------------------------

Subject:
Hi, %RANDOM% here's the document you requested

Body:
Hi, %RANDOM%

Here's the document that you had requested.

Attachment:
%RANDOM%.pif
-----------------------------

From:
security@microsoft.com
or
security@securityfocus.com

Subject:
Use this patch immediately !
or
Next Critical Vulnerability Patch!

Body:
Hello %RANDOM%,

You should apply this fix which solves the newest
Internet Explorer Vulnerability described in MS05-023.
It's important that you apply the fix now since
we estimate the Buffer Overflow is at a Critical Level.

Sincerely Yours The %RANDOM% Security Team

Attachment:
Q723523_W9X_WXP_x86_EN.exe
-----------------------------
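A mail-gateway check for the templates listed above, added here as an example (it is not part of the original description or of any BitDefender tool): it strips any Re:/Fw: prefixes, matches the listed subjects with %RANDOM% treated as a wildcard, the forged security@ senders and the listed attachment names, and runs on a constructed sample of the fake "patch" e-mail.

```python
import re
from email import message_from_string, policy

KNOWN_SUBJECTS = {  # subjects listed in the description above, compared case-insensitively
    "congratulations!", "darling.", "eager to see you.", "honey!", "how are you ?",
    "lets be friends!", "meeting notice.", "please try again", "questionnaire",
    "some questions?!", "sos!", "your password!", "thank you!", "details", "my details",
    "approved", "your application", "your details", "undeliverable mail", "returned mail--",
    "use this patch immediately !", "next critical vulnerability patch!"}
KNOWN_ATTACHMENTS = {
    "document.pif", "thank_you.pif", "her_details.pif", "funny_guy.pif", "movie0045.pif",
    "wicked_screensaver.scr", "torvil.pif", "q723523_w9x_wxp_x86_en.exe"}
FORGED_SENDERS = ("security@microsoft.com", "security@securityfocus.com")
# The "Hi, %RANDOM% here's ..." templates, with %RANDOM% treated as a wildcard.
TEMPLATE_SUBJECT = re.compile(r"^hi, .+ here's (a nice picture|the document( you requested)?)$")
PREFIX = re.compile(r"^(re|fw):\s*", re.IGNORECASE)

def normalize_subject(subject):
    subject = subject.strip()
    while PREFIX.match(subject):  # the worm may prepend "Re:" or "Fw:" to any template
        subject = PREFIX.sub("", subject)
    return subject.lower()

def ivrol_indicators(raw_message):
    """Return the Ivrol e-mail indicators matched by a raw RFC 822 message ([] if none)."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    subject = normalize_subject(msg.get("Subject", ""))
    if subject in KNOWN_SUBJECTS or TEMPLATE_SUBJECT.match(subject):
        hits.append("known subject")
    if any(addr in (msg.get("From") or "").lower() for addr in FORGED_SENDERS):
        hits.append("forged security sender")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in KNOWN_ATTACHMENTS or name.endswith(".pif"):
            hits.append("suspicious attachment: " + name)
    return hits

# Constructed sample of the fake "patch" template above (not a real captured message).
SAMPLE_MAIL = """\
From: security@microsoft.com
Subject: Fw: Use this patch immediately !
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Q723523_W9X_WXP_x86_EN.exe"

--b1--
"""
```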

Once run, the virus does the following:

1. Creates a "Torvil" mutex.

2. Creates the aforementioned registry keys and entries.

3. Searches for e-mail addresses in .ODS .MMF .NCH .DBX .MAI .MHT .WAB .MBX .TBB .EML .DAT .TXT .HTM .DOC .RTF .DOT .ABD .HTML .PHP .MBOX files and in the "INBOX" folder.

4. Searches for and creates lists and file counts of:

- all the files found (for indexing purposes)
- all the documents found (.DOC .DOT .RTF .XLS)
- all the archives found (.RAR .ZIP .ACE)
- all the image files found (.JPG .BMP .GIF .PNG)

It later uses these filenames to disguise the attachments it sends.

5. Creates the mstorvil.{21EC2020-3AEA-1069-A2DD-08002B30309D} folder, sets its attributes to hidden, and shares this folder in Kazaa, eDonkey and Xolox.

6. Approximately every 24 seconds it attempts to:
- send itself through e-mail
- create a copy of the virus in the mstorvil.{21EC2020-3AEA-1069-A2DD-08002B30309D} folder

The copies of the worm placed in this folder may be named:

ACDSee32 v2.41 Crack.exe
Adobe Encore DVD 1.0 Crack.exe
BearShare Pro v4.0.1 Crack.exe
BestCrypt v7.08.1 Crack.exe
Cultures 3 Northland Crack.exe
Colin McRae Rally 4 Crack.exe
DivX Pro 5.1 Crack.exe
DVD X Studios CloneDVD 1.25 Crack.exe
Dragons Lair 3D Multilanguage Crack.exe
Empereur L'Empire du Milieu - Mise a Jour Crack.exe
EasyRecovery v1.1.01 Crack.exe
iMesh v3.0b Ad Remover Crack.exe
Norton AntiVirus 2004 Crack.exe
Star Wars Jedi Knight Jedi Academy Crack.exe
Tony Hawks Pro Skater 4 Multilanguage NoCD Crack.exe
You dont know Jack 4 Crack.exe
Zone Alarm Pro 4.0 Crack.exe

The virus also creates copies of itself named after the archives it found, with combinations of .pif and .exe appended as extensions.
Example: if it finds the archive "documents.zip" it may create copies of itself as "documents.zip.pif", "documents.exe", "documents.zip.pif.pif" or "documents.zip.pif.pif.exe".

7. After a period of time, it jumps back to step 3 to see if new files were added.

8. These IPs can also be found inside the virus:

152.163.159.232 193.189.233.45 149.174.211.8 193.189.231.2 64.12.51.132 216.109.116.17
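A host check for the symptoms listed at the top of this page and for the archive-named copies of step 6, added here as an example (it is not part of the original description or of the Antiivrol tool). It runs on a constructed directory listing and constructed Run/RunOnce values; on a live machine the entries would be built from the Windows folder and the two keys read with winreg (assumed, not shown).

```python
import re

WORM_SIZE = 75783  # every dropped copy is 75,783 bytes, per the description above
# svchost.exe, spool??.exe or smss??.exe in the Windows folder, where ? is any letter
DROPPED_NAME = re.compile(r"^(svchost|spool[a-z]{2}|smss[a-z]{2})\.exe$", re.IGNORECASE)
SHARE_FOLDER = "mstorvil.{21EC2020-3AEA-1069-A2DD-08002B30309D}"
RUN_KEYS = (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce")

def is_dropped_copy(name, size):
    return size == WORM_SIZE and DROPPED_NAME.match(name) is not None

def is_archive_decoy(name, known_archives):
    """A known archive name, with or without its extension, followed by one or more
    .pif/.exe (documents.zip.pif, documents.exe, documents.zip.pif.pif.exe, ...)."""
    name = name.lower()
    for archive in (a.lower() for a in known_archives):
        for stem in (archive, archive.rsplit(".", 1)[0]):
            if name.startswith(stem) and re.fullmatch(r"(\.(pif|exe))+", name[len(stem):]):
                return True
    return False

def registry_indicators(values):
    """values: {(key_path, value_name): data} read from Run/RunOnce; flags "Service Host"."""
    return [f"{key}\\{value_name} = {data}" for (key, value_name), data in values.items()
            if key in RUN_KEYS and value_name == "Service Host"
            and DROPPED_NAME.match(data.rsplit("\\", 1)[-1])]

def scan_windows_folder(entries, known_archives=()):
    """entries: (name, size_in_bytes, is_dir) tuples, e.g. built from os.scandir(%WINDIR%)."""
    hits = []
    for name, size, is_dir in entries:
        if is_dir and name.lower() == SHARE_FOLDER.lower():
            hits.append("hidden share folder: " + name)
        elif not is_dir and is_dropped_copy(name, size):
            hits.append("dropped copy: " + name)
        elif not is_dir and is_archive_decoy(name, known_archives):
            hits.append("archive-named decoy: " + name)
    return hits

# Constructed directory listing and registry values, not taken from a real host.
SAMPLE_ENTRIES = [
    ("svchost.exe", 75783, False),  # worm copy in %WINDIR% (the real one lives in system32)
    ("spooloj.exe", 75783, False),
    ("smsstp.exe", 12345, False),   # name pattern matches but size does not: not flagged
    ("documents.zip.pif.pif.exe", 75783, False),
    (SHARE_FOLDER, 0, True),
]
SAMPLE_REGISTRY = {
    (RUN_KEYS[0], "Service Host"): r"C:\WINDOWS\spooloj.exe",
    (RUN_KEYS[1], "Service Host"): r"C:\WINDOWS\svchost.exe",
}
```

The exact 75,783-byte size test follows the description above; a repacked variant would need a different size or a hash check.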