Win32.Ivrol.A@mm
MEDIUM
LOW
75,783 bytes
(N/A)
Symptoms
- Presence of the following files in the Windows folder:
svchost.exe (75,783 bytes)
spool??.exe or smss??.exe (75,783 bytes)
where each ? may be any letter
- Presence of the following registry values:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"Service Host"="C:\WINDOWS\??????.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\"Service Host"="C:\WINDOWS\svchost.exe"
where ??????.exe points to a copy of the virus and may be spool??.exe or smss??.exe (e.g. spooloj.exe, spoolew.exe, smsstp.exe, smsscw.exe)
- Presence in the Windows folder of a hidden subfolder named mstorvil.{21EC2020-3AEA-1069-A2DD-08002B30309D} containing copies of the virus. The suffix is the CLSID of the Control Panel shell object, so Explorer displays a folder named this way as the Control Panel instead of listing its files; inspect or delete it from a command prompt or with a tool that does not go through the shell namespace.
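The indicators above can be checked mechanically. The following triage script is an added example, not part of the BitDefender page or of its removal tool: it scans an exported listing of the Windows folder and a dump of the Run/RunOnce values for the file names, the 75,783-byte size, the share folder and the "Service Host" value described above. The sample listing and registry values are constructed for the example, and the function and constant names are my own.

```python
import re

# Size of every dropped copy given in the description (the worm does not vary it)
IVROL_SIZE = 75_783

# File names the worm uses for its copies in the Windows folder:
# svchost.exe, or spool??.exe / smss??.exe with two random letters.
DROPPER_NAME_RE = re.compile(r"^(?:svchost|spool[a-z]{2}|smss[a-z]{2})\.exe$", re.IGNORECASE)

# Hidden share folder the worm creates under the Windows folder
SHARE_FOLDER = "mstorvil.{21EC2020-3AEA-1069-A2DD-08002B30309D}"

# Autostart keys and the value name the worm writes there
RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
}
RUN_VALUE_NAME = "Service Host"


def is_dropper_file(name, size):
    """True if a Windows-folder entry matches both the worm's naming pattern and its size.
    The size check matters: svchost.exe is also the name of a legitimate Windows binary."""
    return size == IVROL_SIZE and DROPPER_NAME_RE.match(name) is not None


def is_worm_run_value(key, value_name, data):
    """True if a Run/RunOnce value is the worm's 'Service Host' entry pointing at a dropper name."""
    if key.rstrip("\\").lower() not in {k.lower() for k in RUN_KEYS}:
        return False
    if value_name != RUN_VALUE_NAME:
        return False
    target = data.strip('"').rsplit("\\", 1)[-1]  # file name part of C:\WINDOWS\xxx.exe
    return DROPPER_NAME_RE.match(target) is not None


def find_indicators(windows_listing, registry_values):
    """Return one human-readable finding per matched indicator.
    windows_listing: iterable of (name, size, is_dir) for entries directly under the Windows folder.
    registry_values: iterable of (key, value_name, data)."""
    findings = []
    for name, size, is_dir in windows_listing:
        if is_dir and name.lower() == SHARE_FOLDER.lower():
            findings.append(f"share folder present: {name}")
        elif not is_dir and is_dropper_file(name, size):
            findings.append(f"dropper file: {name} ({size} bytes)")
    for key, value_name, data in registry_values:
        if is_worm_run_value(key, value_name, data):
            findings.append(f"autostart value: {key}\\{value_name} = {data}")
    return findings


# Constructed sample data (not taken from a real infection): a partial Windows-folder
# listing and a partial dump of the Run/RunOnce keys. notepad.exe has the worm's size
# but not its name, smss.exe has the prefix but not the two random letters.
SAMPLE_LISTING = [
    ("explorer.exe", 1_032_192, False),
    ("svchost.exe", 75_783, False),
    ("spooloj.exe", 75_783, False),
    ("smss.exe", 50_688, False),
    ("notepad.exe", 75_783, False),
    ("mstorvil.{21EC2020-3AEA-1069-A2DD-08002B30309D}", 0, True),
]
SAMPLE_REGISTRY = [
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Service Host", r"C:\WINDOWS\spooloj.exe"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce", "Service Host", r"C:\WINDOWS\svchost.exe"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
]

if __name__ == "__main__":
    for line in find_indicators(SAMPLE_LISTING, SAMPLE_REGISTRY):
        print(line)
```

The name check alone would be noisy (a real svchost.exe, or any spool??.exe), so a file is only reported when the name pattern and the 75,783-byte size both match; the registry check is tied to the literal "Service Host" value name and to a target whose file name follows the dropper pattern.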
Removal instructions:
The BitDefender Virus Analysis Team has released a free removal tool for this particular virus.
Important: You will have to close all applications (including the antivirus shields) before running the tool and restart the computer afterwards. Additionally, you will have to manually delete the infected files located in archives and the infected messages from your mail client. The BitDefender Antiivrol-en.exe tool does the following:
it detects all the known Win32.Ivrol versions;
it kills the process from memory;
it deletes the files infected with Win32.Ivrol;
it repairs the Windows registry.
You may also need to restore the affected files.
To prevent this virus from using the IFRAME exploit, apply the patch Microsoft released for Internet Explorer 5.0 and 5.5.
Analyzed By
Patrick Vicol BitDefender Virus Researcher
Technical Description:
This mass mailer spreads mainly through e-mail. It has its own SMTP engine and retrieves the default SMTP server from the Internet Account Manager settings.
It may send its messages as HTML that loads the attachment through an IFRAME, so that on an unpatched Internet Explorer 5.0 or 5.5 the attachment runs as soon as the message is opened or previewed.
It also attempts to spread through eDonkey and Kazaa.
The e-mails it sends use the following format:
Subject (may be one of the following):
-------
congratulations!
darling.
eager to see you.
honey!
how are you ?
lets be friends!
meeting notice.
please try again
questionnaire
some questions?!
sos!
your password!
Thank you!
Details
My details
Approved
Your application
Your details
Body (may be one of the following):
----
See the attached file for details.
I have a document attached,
which should solve your problems
I have a file attached,
which should help you to solve all your problems
Attachment (may be one of the following):
----------
document.pif
thank_you.pif
her_details.pif
funny_guy.pif
wicked_screensaver.scr
movie0045.pif
torvil.pif
Q723523_W9X_WXP_x86_EN.exe
It may also spread using the following e-mail templates (the Subject may also be prefixed with "Re:" or "Fw:").
%RANDOM% stands for a random e-mail address or file name (for attachments).
-----------------------------
Subject:
Undeliverable mail
or
Returned mail--
Body:
The following mail can't be sent to %RANDOM%
The file is the original mail
-----------------------------
Subject:
Hi, %RANDOM% here's a nice Picture
Body:
Hi, %RANDOM%
Have a look the Pic attached !!
Attachment:
%RANDOM%.pif
-----------------------------
Subject:
Hi, %RANDOM% here's the document
Body:
Hi, %RANDOM%
Attachment:
%RANDOM%.pif
-----------------------------
Subject:
Hi, %RANDOM% here's the document you requested
Body:
Hi, %RANDOM%
Here's the document that you had requested.
Attachment:
%RANDOM%.pif
-----------------------------
From:
security@microsoft.com
or
security@securityfocus.com
Subject:
Use this patch immediately !
or
Next Critical Vulnerability Patch!
Body:
Hello %RANDOM%,
You should apply this fix which solves the newest
Internet Explorer Vulnerability described in MS05-023.
It's important that you apply the fix now since
we estimate the Buffer Overflow is at a Critical Level.
Sincerely Yours The %RANDOM% Security Team
Attachment:
Q723523_W9X_WXP_x86_EN.exe
-----------------------------
Once run, the virus does the following:
1. Creates a mutex named "Torvil".
2. Creates the registry keys and entries listed above.
3. Searches for e-mail addresses in files with the extensions .ODS .MMF .NCH .DBX .MAI .MHT .WAB .MBX .TBB .EML .DAT .TXT .HTM .DOC .RTF .DOT .ABD .HTML .PHP .MBOX and in any folder named "INBOX".
4. Searches for files and builds lists (with counts) of:
- all files found (for indexing purposes)
- all documents found (.DOC .DOT .RTF .XLS)
- all archives found (.RAR .ZIP .ACE)
- all image files found (.JPG .BMP .GIF .PNG)
It later uses these file names to disguise its attachments.
5. Creates the mstorvil.{21EC2020-3AEA-1069-A2DD-08002B30309D} folder, sets its hidden attribute, and shares it through Kazaa, eDonkey and Xolox.
6. Approximately every 24 seconds, attempts to:
- send itself by e-mail
- place a copy of itself in the mstorvil.{21EC2020-3AEA-1069-A2DD-08002B30309D} folder
The copies of the worm placed in this folder may be named:
ACDSee32 v2.41 Crack.exe
Adobe Encore DVD 1.0 Crack.exe
BearShare Pro v4.0.1 Crack.exe
BestCrypt v7.08.1 Crack.exe
Cultures 3 Northland Crack.exe
Colin McRae Rally 4 Crack.exe
DivX Pro 5.1 Crack.exe
DVD X Studios CloneDVD 1.25 Crack.exe
Dragons Lair 3D Multilanguage Crack.exe
Empereur L'Empire du Milieu - Mise a Jour Crack.exe
EasyRecovery v1.1.01 Crack.exe
iMesh v3.0b Ad Remover Crack.exe
Norton AntiVirus 2004 Crack.exe
Star Wars Jedi Knight Jedi Academy Crack.exe
Tony Hawks Pro Skater 4 Multilanguage NoCD Crack.exe
You dont know Jack 4 Crack.exe
Zone Alarm Pro 4.0 Crack.exe
The virus also creates copies of itself named after the archives it found, with combinations of .pif and .exe as extensions.
Example: if it finds the archive "documents.zip", it may create copies of itself as "documents.zip.pif", "documents.exe", "documents.zip.pif.pif" or "documents.zip.pif.pif.exe".
7. After a period of time, it returns to step 3 to pick up any newly added files.
8. The following IP addresses are also embedded in the virus body:
152.163.159.232 193.189.233.45 149.174.211.8 193.189.231.2 64.12.51.132 216.109.116.17
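The attachment naming described in steps 4 and 6, together with the fixed attachment names of the e-mail templates earlier on the page, can be turned into a mail-gateway or mailbox-triage filter. The classifier below is an added example, not BitDefender code: the function names, the optional list of archive stems observed on the infected host (needed to catch the "documents.exe" form, where the archive extension is replaced rather than appended), and the sample attachment names are assumptions constructed for the example.

```python
# Attachment names used verbatim by the worm's fixed mail templates (from the description)
FIXED_ATTACHMENTS = {
    "document.pif", "thank_you.pif", "her_details.pif", "funny_guy.pif",
    "wicked_screensaver.scr", "movie0045.pif", "torvil.pif",
    "q723523_w9x_wxp_x86_en.exe",
}
# Extensions the worm appends to harvested archive names, possibly several times over
EXEC_EXTS = {"pif", "exe"}
# Archive types the worm indexes on the infected host
ARCHIVE_EXTS = {"rar", "zip", "ace"}


def classify_attachment(name, known_archive_stems=()):
    """Return why an attachment name matches an Ivrol naming pattern, or None if it does not.
    known_archive_stems (assumed input): stems such as 'documents' for documents.zip, taken
    from archives seen on or leaving the same host; only used for the 'documents.exe' form."""
    lower = name.lower()
    if lower in FIXED_ATTACHMENTS:
        return "fixed template attachment"
    parts = lower.split(".")
    if len(parts) < 2 or parts[-1] not in EXEC_EXTS:
        return None
    stem, inner, last = parts[0], parts[1:-1], parts[-1]
    # '%RANDOM%.pif' templates: any plain single-extension .pif attachment
    if not inner and last == "pif":
        return "single .pif attachment (%RANDOM%.pif templates)"
    # archive name with a chain of .pif/.exe appended, e.g. documents.zip.pif.pif.exe
    if inner and inner[0] in ARCHIVE_EXTS and all(p in EXEC_EXTS for p in inner[1:]):
        return "archive name with appended executable extension(s)"
    # 'documents.exe': the archive extension was replaced, so only a known stem gives it away
    if not inner and stem in {s.lower() for s in known_archive_stems}:
        return "known archive stem renamed to .exe"
    return None


def flag_attachments(names, known_archive_stems=()):
    """Return [(name, reason)] for every attachment name that matches a worm pattern."""
    flagged = []
    for name in names:
        reason = classify_attachment(name, known_archive_stems)
        if reason is not None:
            flagged.append((name, reason))
    return flagged


# Constructed sample input (not real mail traffic): the four example names from the
# description, a %RANDOM%.pif-style name, two benign names, and one fixed template name.
SAMPLE_ATTACHMENTS = [
    "documents.zip.pif",
    "documents.exe",
    "documents.zip.pif.pif",
    "documents.zip.pif.pif.exe",
    "photo.pif",
    "report.pdf",
    "setup.exe",
    "Q723523_W9X_WXP_x86_EN.exe",
]
SAMPLE_ARCHIVE_STEMS = ["documents"]

if __name__ == "__main__":
    for name, reason in flag_attachments(SAMPLE_ATTACHMENTS, SAMPLE_ARCHIVE_STEMS):
        print(f"{name}: {reason}")
```

Two caveats belong with such a rule. A bare single-extension .exe cannot be attributed to this worm without the archive-stem list, so "setup.exe" is left alone while "documents.exe" is flagged only once "documents" is known; and the single-.pif rule is generic to many mass mailers of the period, so it identifies a suspicious attachment rather than this family specifically.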