Sophos

W32/Torvil-B


Summary

Protection available since 3 November 2003 11:27:09 (GMT)
Last updated 2 June 2006 03:26:00 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

Check your administrator passwords and review network security.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Service Host

HKLM\Software\Microsoft\Windows\CurrentVersion\Advanced\OneLevelDeeper\TorvilDB

and delete them if they exist.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Advanced\OneLevelDeeper\TorvilDB

and delete it if it exists.

Close the registry editor and reboot your computer.

More Information

W32/Torvil-B is an email worm that arrives in an email with varying characteristics.

The subject lines used by the worm contain the following words or phrases:

Congratulations!
darling
Do not release, its the internal rls!
Documents
Pr0n!
Undeliverable mail--
Returned mail--
Here's a nice Picture
NewInternal Rls...
here's the document
here's the document you requested
here's the archive you requested
See the attached file for details.
Hello,
Re:
Fw:

The message text used by the worm contains the following:

I have a document attached which should solve your problems.
The release file is attached...
Send me your comments.
Real outtakes from Sex in the City!! Adult content!!! Use with parental
advisory =)
have a look the Pic attached !!
dOnT gIvE iT aWaY... iTs cOnFiDeNtIaL =)
Here's the document that you had requested.
That's the answer to all your questions.
Have a look at the attatchment

The worm may arrive as an attachment with one of the following filenames:

yourwin.bat
probsolv.doc.pif
flt-xb5.rar.pif
document.doc.pif
sexinthecity.scr
torvil.pif
win$hitrulez.pif
sex.jpg
flt-ixb23.zip
readit.doc.pif
document1.doc.pif
attachment.zip

Additionally, the worm may arrive in an email with the following characteristics:

Subject line: Who should read this bulletin: Users running Microsoft Windows
Message text: You should apply this fix which solves the newest Internet Explorer Vulnerability described in MS05-023.
It's Important that you apply this fix now since we estimate the Buffer
Overflow is at a Critical Level
Sincerely Yours
Attached file: Q723523_W9X_WXP_x86_EN.exe

When W32/Torvil-B is first executed, a dialog box is displayed containing the text "Press 'Patch' to install the RPC-DCOM Fix2". The computer is infected whether or not the user clicks the button titled "Patch".

W32/Torvil-B drops three copies of itself to the Windows folder. One copy has the filename svchost.exe; the other two have filenames that begin with spool or SMSS. Additionally, the two files message.dat and message.htm may be created in the Windows folder; they contain base64-encoded copies of the worm.

The following registry entry will be set so that the worm is run when Windows starts up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Service Host

The following registry entries are created and should be deleted:

HKLM\Software\Microsoft\Windows\CurrentVersion\Advanced\OneLevelDeeper\TorvilDB
HKCU\Software\Microsoft\Windows\CurrentVersion\Advanced\OneLevelDeeper\TorvilDB

The Microsoft Outlook Express stationery file will be set to the file message.htm dropped in the Windows folder, in an attempt to force Outlook Express to send the worm with every email sent by the infected user.

On NT-based systems W32/Torvil-B will attempt to copy itself to network shares with weak administrator passwords. A service named TORVIL will also be installed on these systems.

W32/Torvil-B attempts to send copies of itself to a number of newsgroups.
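The following PowerShell script is an added example, not a Sophos tool: it audits a host for the registry entries listed in the Action section and the dropped files and service described above, reporting by default and deleting only when run with -Remove. It assumes the paths and names exactly as given on this page; since the exact spool*/SMSS* filenames are not stated, those matches are reported for manual review rather than deleted.

```powershell
# Added example, not a Sophos tool: audits a Windows host for the W32/Torvil-B
# artifacts described on this page and, with -Remove, deletes what it finds.
# Names and paths come from the description; spool*/SMSS* are only reported.
param([switch]$Remove)

$win      = $env:windir
$findings = New-Object System.Collections.Generic.List[string]

# 1. Run value that launches the worm at startup
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'Service Host' -ErrorAction SilentlyContinue
if ($run) {
    $findings.Add("Run value 'Service Host' = $($run.'Service Host')")
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name 'Service Host' }
}

# 2. TorvilDB key under HKLM and under every currently loaded user hive (HKU)
$hives = @('HKLM:') + (Get-ChildItem -Path Registry::HKEY_USERS).PSPath
foreach ($hive in $hives) {
    $db = "$hive\Software\Microsoft\Windows\CurrentVersion\Advanced\OneLevelDeeper\TorvilDB"
    if (Test-Path -Path $db) {
        $findings.Add("Registry key $db")
        if ($Remove) { Remove-Item -Path $db -Recurse -Force }
    }
}

# 3. Dropped files in the Windows folder (the legitimate svchost.exe lives in System32)
foreach ($name in 'svchost.exe', 'message.dat', 'message.htm') {
    $p = Join-Path $win $name
    if (Test-Path -Path $p) {
        $findings.Add("File $p")
        if ($Remove) { Remove-Item -Path $p -Force }
    }
}
Get-ChildItem -Path $win -File | Where-Object { $_.Name -match '^(spool|SMSS)' } |
    ForEach-Object { $findings.Add("File $($_.FullName) (prefix match, review manually)") }

# 4. The TORVIL service installed on NT-based systems
if (Get-Service -Name 'TORVIL' -ErrorAction SilentlyContinue) {
    $findings.Add('Service TORVIL')
    if ($Remove) {
        Stop-Service -Name 'TORVIL' -Force -ErrorAction SilentlyContinue
        sc.exe delete TORVIL | Out-Null
    }
}

if ($findings.Count -eq 0) { 'No W32/Torvil-B artifacts found.' }
else {
    $findings | ForEach-Object { "FOUND: $_" }
    if ($Remove) { 'Artifacts removed; reboot the computer to complete cleanup.' }
}
```

Run from an elevated prompt; only user hives currently loaded under HKEY_USERS are checked, so log in as each user (or load their hive) to cover profiles that are not active.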
