Virus name (Chinese):
Virus alias:
I-Worm.Torvil.b [AVP]
Threat level:
★☆☆☆☆
Virus type:
Worm
Virus length:
65536
Affected systems:
Win9x, WinNT, Win2000, WinXP
Virus behaviour:
Written in: Delphi, compressed with ASPack
Spreads via:
A. E-mail
B. Guessing weak passwords to connect to remote machines
C. ICQ, mIRC and KaZaA shared folders
Trigger conditions:
System modifications:
A. Drops two copies of itself in %SystemRoot%:
SMSS??.exe or Spool??.exe (where ?? stands for two arbitrary letters)
svchost.exe
B. Creates the directory mstorvil under %SystemRoot% and drops multiple copies of itself in it:
The first half of the file name may be one of:
NetObjects Fusion v7.5
Macromedia Studio MX 2004 All Apps
BearShare Pro 4.3.0
Borland C++ Builder X 1.0 Enterprise Edition
Microsoft Office System Professional V2003
Halo FLT
Nero Burning ROM v6.0.0.19 Ultra Edition
TV Tool v8.31
NHL 2004
Norton SystemWorks 2004
McAfee Personal Firewall Plus 2004
iMesh 4.2 Ad Remover
Norton AntiVirus 2004
Norton Antispam 2004
Sophos AntiVirus v3.74
Macromedia Contribute 2
McAfee VirusScan Home Edition 2004
McAfee SpamKiller 2004
The second half may be one of:
Keygen.exe
Crack.exe
C. Creates the following files:
C:\torvil.log
message.dat
message.htm
msg.zip
D. Under the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
creates the value:
"ServiceHost"="%SystemRoot%\SMSS??.exe"
Under the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
modifies the value:
"Shell"="Explorer.exe SMSS??.exe"
Creates the following subkeys and the entries under them:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\OneLevelDeeper\TorvilDB
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TORVIL
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TORVIL (creates the service "TORVIL" with the path "%SystemRoot%\SMSS??.exe -s")
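The following script is an added, read-only check for the persistence artifacts listed under "System modifications" above; it is not part of this entry or of any vendor tool. It assumes a Windows host with PowerShell and read access to HKLM, takes every path, value name and file name from the entry itself, and only reports what it finds.

```powershell
# Added example (not from the original entry): report the I-Worm.Torvil.b
# persistence artifacts described above. Read-only; nothing is deleted or changed.

$findings = @()
$sysRoot  = $env:SystemRoot

# A. Dropped copies: SMSS??.exe / Spool??.exe (?? = two letters) and svchost.exe
#    directly in %SystemRoot%. The legitimate svchost.exe lives in
#    %SystemRoot%\System32, so a copy one level up is itself suspicious.
Get-ChildItem -Path $sysRoot -File -Filter '*.exe' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^(SMSS|Spool)[A-Za-z]{2}\.exe$' -or $_.Name -ieq 'svchost.exe' } |
    ForEach-Object { $findings += "Suspicious file in %SystemRoot%: $($_.FullName)" }

# B./C. Drop directory and log file named in the entry
if (Test-Path (Join-Path $sysRoot 'mstorvil')) { $findings += "Directory present: $sysRoot\mstorvil" }
if (Test-Path 'C:\torvil.log')                 { $findings += 'File present: C:\torvil.log' }

# D. Run key value "ServiceHost"
$run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['ServiceHost']) {
    $findings += "Run value ServiceHost = $($run.ServiceHost)"
}

# Winlogon Shell is normally exactly "explorer.exe"; anything appended is a hook
$wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
if ($wl -and $wl.Shell -and $wl.Shell.Trim() -ine 'explorer.exe') {
    $findings += "Winlogon Shell modified: $($wl.Shell)"
}

# Subkeys created by the worm, including the TORVIL service
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\OneLevelDeeper\TorvilDB',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TORVIL',
    'HKLM:\SYSTEM\CurrentControlSet\Services\TORVIL'
)
foreach ($k in $keys) { if (Test-Path $k) { $findings += "Registry key present: $k" } }

$svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\TORVIL' -ErrorAction SilentlyContinue
if ($svc -and $svc.ImagePath) { $findings += "TORVIL service ImagePath = $($svc.ImagePath)" }

if ($findings.Count -eq 0) { 'No Torvil.b persistence artifacts found.' } else { $findings }
```

Run it from an elevated PowerShell prompt so the HKLM service keys are readable. The Winlogon Shell check is deliberately generic: any value other than explorer.exe deserves a look, not only the SMSS??.exe variant this entry describes.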
Symptoms:
A. When run, a window titled "Microsoft RPC-DCOM Fix 2" appears
B. Repeatedly opens and closes a DOS window showing: "%current time% xExec %SystemRoot%\SMSS??.exe"
C. Terminates the following processes:
_AVP32
_AVPCC
_AVPM
ACKWIN32
ATRACK
ADVXDWIN
AGENTW
ALERTSVC
ALOGSERV
ALOGSERV
AMON9X
ANTIVIR
ANTI-TROJAN
AVPUPD
AVWIN95
AVPTC
AVE32
ANTS
APVXDWIN
APVXDWIN
ATCON
ATUPDATER
ATWATCH
AUTODOWN
AUTOTRACE
AVCONSOL
AVGCC32
AVGCTRL
AVGSERV
AVGSERV9
AVGW
AVKPOP
AVKSERV
AVKSERVICE
AVKWCTL9
AVP
AVP32
AVPM
AVSCHED32
AVSYNMGR
AVWINNT
AVXMONITOR9X
AVXMONITORNT
AVXQUAR
AVXQUAR
AVXW
BLACKD
BLACKICE
CDP
CFGWIZ
CLAW95
CCEVTMGR
CCPWDSVC
CCSETMGR
CLAW95CF
CFINET
CLEANER
CLEANER3
CMGRDIAN
CONNECTIONMONITOR
CPD
CPDClNT
CTRL
DEFALERT
DEFSCANGUI
DEFWATCH
DOORS
DVP95
DVP95_0
EFPEADM
ETRUSTCIPE
EVPN
EXPERT
FIREWAL
F-AGNT95
FAMEH32
FCH32
FIH32
FNRB32
F-PROT
F-PROT95
FP-WIN
FRW
FSAA
FSAV32
FSGK32
FSM32
FSMA32
FSMB32
F-STOPW
GBMENU
GBPOLL
GBPOLL
GENERICS
GUARD
GUARDDOG
IAMAPP
IAMSERV
IAMSTATS
ICLOAD95
ICLOADNT
ICMON
ICSUPP95
ICSUPPNT
IFACE
IOMON98
ISRV95
JEDI
LDNETMON
LDPROMENU
LDSCAN
LOCKDOWN
LOCKDOWN2000
LUALL
LUCOMSERVER
LUSPT
MCAGENT
MCMNHDLR
MCSHIELD
MCTOOL
MCUPDATE
MCVSRTE
MCVSSHLD
MGAVRTCL
MGAVRTE
MGHTML
MINILOG
MONITOR
NAVRUNR
MOOLIVE
MPFAGENT
MPFSERVICE
MPFTRAY
MWATCH
NAV
AUTO-PROTECT
NAVAP
NAVAPSVC
NAVAPW32
NAVENGNAVEX15
N32SCANW
NAVENGNAVEX15
NAVLU32
NAVW32
NAVWNT
NDD32
NEOWATCHLOG
NETUTILS
NISSERV
NISUM
NMAIN
NOD32
NORMIST
NOTSTART
NPROTECT
NPSCHECK
NPSSVC
NSCHED32
NSPLUGIN
NTRTSCAN
NTVDM
NRESQ32
NTXcONFIG
Nui
NUPGRADE
NVC95
NVSVC32
NWSERVICE
NWTOOL16
NSCHEDNT
PADMIN
PAVPROXY
PCCIOMON
PCCNTMON
PCCWIN97
PCCWIN98
PCSCAN
PERSFW
PERSWF
POP3TRAP
PCFWALLICON
POPROXY
PORTMONITOR
PROCESSMONITOR
PROGRAMAUDITOR
PVIEW95
RAPAPP
RAV7
RAV7WIN
REALMON
RESCUE
PCCMAIN
RTVSCN95
RULAUNCH
TMNTSRV
SBSERV
SAFEWEB
SAVSCAN
SCAN32
SCRSCAN
SMC
SPHINX
SPYXX
SS3EDIT
SWEEP95
SWEEPNET
SWEEPSRV
SWNETSUP
SymProxySvc
SYMTRAY
TAUMON
TDS2-98
TDS2-NT
TCA
TCM
TDS-3
TFAK
VBCMSERV
VBCONS
VET32
VET95
VETTRAY
VIR-HELP
VPC32
VPTRAY
VSCHED
VSECOMR
VSHWIN32
VSMAIN
VSMON
VSSTAT
WATCHDOG
WEBSCANX
WEBTRAP
WGFE95
WIMMUN32
WRADMIN
WRCTRL
WRCTRL
ZAPRO
ZONEALARM
D. Sends virus e-mails
Subject:
congratulations!
darling
Do not release, its the internal rls!
Documents
Pr0n!
Undeliverable mail --
Returned mail --
heres a nice Picture
New Internal Rls...
heres the document
heres the document you requested
heres the archive you requested
Body:
The first part may be one of:
Hi,
Hello,
Re:
Fw:
The second part may be one of:
See the attached file for details.
I have a document attached,
which should solve your problems.
The release file is attached...
Send me your comments.
Real outtakes from Sex in the City!!
Adult content!!! Use with parental advisory =)
Have a look the Pic attached!!
dOnT gIvE iT aWaY...
iTs cOnFiDeNtIaL =)
here|s the document that you had requested.
That|s the answer to all your questions.
Have a look at the attatchment.
Attachment may be one of:
yourwin.bat
probsolv.doc.pif
flt-xb5.rar.pif
document.doc.pif
sexinthecity.scr
torvil.pif
win$hitrulez.pif
sexy.jpg
flt-ixb23.zip
readit.doc.pif
document1.doc.pif
attachment.zip
message.zip
Q723523_W9X_WXP_x86_EN.exe
Special notes:
Attempts to connect to remote computers by guessing weak passwords; if successful, it copies itself as "Reminder.exe" into the remote computer's %SystemRoot% directory.