Win32.Ivrol.A@mm (N/A)
SYMPTOMS:

- Presence of the following file in the Windows folder: svchost.exe (75,783 bytes), spool??.exe or smss??.exe (75,783 bytes), where ? may be any letter.
- Presence of the following registry keys:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"Service Host"="C:\WINDOWS\??????.exe"
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\"Service Host"="C:\WINDOWS\svchost.exe"
  where ??????.exe points to a copy of the virus and may be spool??.exe or smss??.exe (e.g. spooloj.exe, spoolew.exe, smsstp.exe, smsscw.exe).
- Presence in the Windows folder of a subfolder mstorvil.{21EC2020-3AEA-1069-A2DD-08002B30309D} containing copies of the virus.

TECHNICAL DESCRIPTION:

This mass mailer spreads mainly through e-mail. It features its own SMTP engine and retrieves the default SMTP address from the Internet Account Manager. It may use an IFRAME when sending e-mails. It also attempts to spread through eDonkey and Kazaa.

It spreads using this format:

Subject (may be one of the following):
- congratulations!
- darling.
- eager to see you.
- honey!
- how are you ?
- lets be friends!
- meeting notice.
- please try again
- questionnaire
- some questions?!
- sos!
- your password!
- Thank you!
- Details
- My details
- Approved
- Your application
- Your details

Body (may be one of the following):
- See the attached file for details.
- I have a document attached, which should solve your problems
- I have a file attached, which should help you to solve all your problems

Attachment (may be one of the following):
- document.pif
- thank_you.pif
- her_details.pif
- funny_guy.pif
- wicked_screensaver.scr
- movie0045.pif
- torvil.pif
- Q723523_W9X_WXP_x86_EN.exe

It may also use the following e-mail templates for spreading (note: the Subject may also be prefixed with "Re:" or "Fw:"). %RANDOM% stands for a random e-mail address or, for attachments, a random filename.
-----------------------------
Subject: Undeliverable mail or Returned mail
Body: The following mail can't be sent to %RANDOM% The file is the original mail
-----------------------------
Subject: Hi, %RANDOM% here's a nice Picture
Body: Hi, %RANDOM% Have a look the Pic attached !!
Attachment: %RANDOM%.pif
-----------------------------
Subject: Hi, %RANDOM% here's the document
Body: Hi, %RANDOM%
Attachment: %RANDOM%.pif
-----------------------------
Subject: Hi, %RANDOM% here's the document you requested
Body: Hi, %RANDOM% Here's the document that you had requested.
Attachment: %RANDOM%.pif
-----------------------------
From: security@microsoft.com or security@securityfocus.com
Subject: Use this patch immediately ! or Next Critical Vulnerability Patch!
Body: Hello %RANDOM%, You should apply this fix which solves the newest Internet Explorer Vulnerability described in MS05-023. It's important that you apply the fix now since we estimate the Buffer Overflow is at a Critical Level. Sincerely Yours The %RANDOM% Security Team
Attachment: Q723523_W9X_WXP_x86_EN.exe
-----------------------------

Once run, the virus does the following:

1. Creates a "Torvil" mutex.
2. Creates the aforementioned registry keys and entries.
3. Searches for e-mail addresses in files with the extensions .ODS .MMF .NCH .DBX .MAI .MHT .WAB .MBX .TBB .EML .DAT .TXT .HTM .DOC .RTF .DOT .ABD .HTML .PHP .MBOX and in the "INBOX" folder.
4. Searches for and builds lists and file counts of:
   - all the files found (for indexing purposes)
   - all the documents found (.DOC .DOT .RTF .XLS)
   - all the archives found (.RAR .ZIP .ACE)
   - all the image files found (.JPG .BMP .GIF .PNG)
   It later uses these filenames to send attachments that fake these names.
5. Creates the mstorvil.{21EC2020-3AEA-1069-A2DD-08002B30309D} folder, sets its attributes to hidden, and shares this folder in Kazaa, eDonkey and Xolox.
6.
Approximately every 24 seconds it attempts to:
   - send itself through e-mail
   - create a copy of the virus in the mstorvil.{21EC2020-3AEA-1069-A2DD-08002B30309D} folder
   The copies of the worm placed in this folder may be named:
   - ACDSee32 v2.41 Crack.exe
   - Adobe Encore DVD 1.0 Crack.exe
   - BearShare Pro v4.0.1 Crack.exe
   - BestCrypt v7.08.1 Crack.exe
   - Cultures 3 Northland Crack.exe
   - Colin McRae Rally 4 Crack.exe
   - DivX Pro 5.1 Crack.exe
   - DVD X Studios CloneDVD 1.25 Crack.exe
   - Dragons Lair 3D Multilanguage Crack.exe
   - Empereur L'Empire du Milieu - Mise a Jour Crack.exe
   - EasyRecovery v1.1.01 Crack.exe
   - iMesh v3.0b Ad Remover Crack.exe
   - Norton AntiVirus 2004 Crack.exe
   - Star Wars Jedi Knight Jedi Academy Crack.exe
   - Tony Hawks Pro Skater 4 Multilanguage NoCD Crack.exe
   - You dont know Jack 4 Crack.exe
   - Zone Alarm Pro 4.0 Crack.exe
   The virus also creates copies of itself named after the archives it found, with extensions built from combinations of .pif and .exe. Example: if it finds the archive "documents.zip", it may create copies of itself as "documents.zip.pif", "documents.exe", "documents.zip.pif.pif" or "documents.zip.pif.pif.exe".
7. After a period of time it jumps back to step 3 to check whether new files were added.
8. These IPs can also be found inside the virus: 152.163.159.232, 193.189.233.45, 149.174.211.8, 193.189.231.2, 64.12.51.132, 216.109.116.17

Removal instructions:

The BitDefender Virus Analysis Team has released a free removal tool for this particular virus. Important: you will have to close all applications before running the tool (including the antivirus shields) and restart the computer afterwards. Additionally, you will have to manually delete the infected files located in archives and the infected messages from your mail client.

The BitDefender Antiivrol-en.exe tool does the following:

You may also need to restore the affected files.

To prevent this virus from using the IFRAME exploit, apply the patch Microsoft released for Internet Explorer 5.0 and 5.5.
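The host indicators listed under SYMPTOMS (dropper name and size in the Windows folder, the "Service Host" autorun value, the hidden mstorvil share folder) can be checked against a file inventory and a registry export. The script below is an added example written for this page, not BitDefender's removal tool; it takes its file list and registry values as plain tuples (constructed samples are included) so it runs offline.

```python
import re

# Host indicators from the SYMPTOMS section (constructed example, not BitDefender's tool).
DROPPER_SIZE = 75783
WINDOWS_DIR = "c:\\windows"
DROPPER_NAME = re.compile(r"^(svchost|spool[a-z]{2}|smss[a-z]{2})\.exe$", re.I)
P2P_FOLDER = "mstorvil.{21ec2020-3aea-1069-a2dd-08002b30309d}"
RUN_KEYS = {
    "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\run",
    "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\runonce",
}

def check_files(files):
    """files: iterable of (full_path, size_bytes) pairs from a file inventory."""
    findings = []
    for path, size in files:
        folder, _, name = path.lower().rpartition("\\")
        # The dropper sits directly in the Windows folder; the legitimate
        # svchost.exe lives in system32 and therefore never matches here.
        if folder == WINDOWS_DIR and DROPPER_NAME.match(name) and size == DROPPER_SIZE:
            findings.append("dropper candidate: " + path)
        if P2P_FOLDER in path.lower():
            findings.append("P2P share folder: " + path)
    return findings

def check_registry(values):
    """values: iterable of (key, value_name, data) triples from a registry export."""
    findings = []
    for key, value_name, data in values:
        target = data.strip('"').lower()
        # Flag "Service Host" under Run/RunOnce only when it points at a
        # dropper-style name inside the Windows folder, as the page describes.
        if (key.lower() in RUN_KEYS and value_name.lower() == "service host"
                and target.startswith(WINDOWS_DIR + "\\")
                and DROPPER_NAME.match(target.rpartition("\\")[2])):
            findings.append("autorun entry: %s\\%s = %s" % (key, value_name, data))
    return findings

# Constructed sample inventory: a legitimate svchost.exe, two dropper copies,
# one shared decoy, and a benign Run value next to the malicious one.
SAMPLE_FILES = [
    (r"C:\WINDOWS\system32\svchost.exe", 14336),
    (r"C:\WINDOWS\svchost.exe", 75783),
    (r"C:\WINDOWS\spooloj.exe", 75783),
    (r"C:\WINDOWS\mstorvil.{21EC2020-3AEA-1069-A2DD-08002B30309D}\DivX Pro 5.1 Crack.exe", 75783),
]
SAMPLE_REGISTRY = [
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Service Host", r'"C:\WINDOWS\spooloj.exe"'),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Updater", r'"C:\Program Files\Vendor\upd.exe"'),
]
```

Run `check_files(SAMPLE_FILES) + check_registry(SAMPLE_REGISTRY)` to see the three file findings and the single autorun finding; a real inventory can be fed in the same tuple shape.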
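The e-mail templates and the step 6 naming scheme give a mail gateway or P2P-share monitor fixed strings to match on: the listed attachment names, the spoofed security senders and fake patch subjects, the "<product> Crack.exe" decoys, and archive names with .pif/.exe chained on. The classifier below is an added example for this page, not BitDefender's code; the message tuples and sample traffic are constructed.

```python
import re

# Lure patterns from the e-mail templates and step 6 above (constructed example,
# not BitDefender's tool). All comparisons are case-insensitive.
KNOWN_ATTACHMENTS = {
    "document.pif", "thank_you.pif", "her_details.pif", "funny_guy.pif",
    "wicked_screensaver.scr", "movie0045.pif", "torvil.pif",
    "q723523_w9x_wxp_x86_en.exe",
}
SPOOFED_SENDERS = {"security@microsoft.com", "security@securityfocus.com"}
PATCH_SUBJECTS = ("use this patch immediately", "next critical vulnerability patch")
# A harvested archive name with extensions chained on: documents.zip.pif, documents.zip.pif.pif.exe
ARCHIVE_LURE = re.compile(r"^.+\.(zip|rar|ace)(\.pif)+(\.exe)?$", re.I)
# Decoy names offered on the P2P shares: "<product> Crack.exe"
CRACK_LURE = re.compile(r"^.+ crack\.exe$", re.I)
EXEC_EXT = (".pif", ".scr", ".exe")

def classify(sender, subject, attachment):
    """Return why a message matches an Ivrol/Torvil lure, or None if it does not."""
    name = (attachment or "").lower()
    # The worm may prefix its subjects with "Re:" or "Fw:".
    subj = re.sub(r"^(re|fw):\s*", "", subject.strip(), flags=re.I).lower()
    if name in KNOWN_ATTACHMENTS:
        return "known Ivrol attachment name"
    if ARCHIVE_LURE.match(name):
        return "archive name with chained .pif/.exe extensions"
    if CRACK_LURE.match(name):
        return "'Crack.exe' decoy name"
    if sender.lower() in SPOOFED_SENDERS and name.endswith(EXEC_EXT):
        return "executable 'patch' from a spoofed security sender"
    if subj.startswith(PATCH_SUBJECTS) and name.endswith(EXEC_EXT):
        return "fake patch subject with executable attachment"
    return None

def scan(messages):
    """messages: iterable of (sender, subject, attachment). Returns the flagged ones with reasons."""
    return [(m, classify(*m)) for m in messages if classify(*m)]

# Constructed sample traffic: four lures and one harmless message.
SAMPLE_MESSAGES = [
    ("security@microsoft.com", "Use this patch immediately !", "Q723523_W9X_WXP_x86_EN.exe"),
    ("alice@example.com", "Re: Hi, bob here's the document", "report.zip.pif.pif.exe"),
    ("security@securityfocus.com", "Next Critical Vulnerability Patch!", "hotfix.exe"),
    ("carol@example.com", "Fw: use this patch immediately !", "fix.scr"),
    ("bob@example.com", "meeting notice.", "agenda.doc"),
]
```

`scan(SAMPLE_MESSAGES)` returns the first four messages, each paired with the rule that caught it; the .doc message passes.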
ANALYZED BY: Patrick Vicol, BitDefender Virus Researcher