Sophos

W32/Torvil-A


Summary

Affected operating systems: Windows
Included in our products from: January 2004 (3.77)
Protection available since: 3 November 2003 11:27:09 (GMT)
Last updated: 2 December 2003 09:33:17 (GMT)
Detected by: All Sophos products

Action

Please follow the instructions for removing worms.

If problems persist please contact technical support.

More Information

W32/Torvil-A is an email worm that arrives in an email with varying characteristics.

The subject lines used by the worm contain the following words or phrases:
Congratulations!
darling
Do not release, its the internal rls!
Documents
Pr0n!
Undeliverable mail--
Returned mail--
Here's a nice Picture
NewInternal Rls...
here's the document
here's the document you requested
here's the archive you requested
See the attached file for details.
Hello,
Re:
Fw:

The message text used by the worm contains one of the following:
I have a document attached, which should solve your problems.
The release file is attached...
Send me your comments.
Real outtakes from Sex in the City!! Adult content!!! Use with parental
advisory =)
have a look the Pic attached !!
dOnT gIvE iT aWaY... iTs cOnFiDeNtIaL =)
Here's the document that you had requested.
That's the answer to all your questions.
Have a look at the attatchment

The worm may arrive as an attachment with one of the following filenames:
yourwin.bat
probsolv.doc.pif
flt-xb5.rar.pif
document.doc.pif
sexinthecity.scr
torvil.pif
win$hitrulez.pif
sex.jpg
flt-ixb23.zip
readit.doc.pif
document1.doc.pif
attachment.zip

Additionally the worm may arrive in an email with the following characteristics:
Subject line: Who should read this bulletin: Users running Microsoft Windows
Message text: You should apply this fix which solves the newest Internet Explorer Vulnerability described in MS05-023.
It's Important that you apply this fix now since we estimate the Buffer
Overflow is at a Critical Level
Sincerely Yours
Attached file: Q723523_W9X_WXP_x86_EN.exe
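The lure characteristics above (subject phrases, attachment names, executable attachments disguised with a document-like double extension, and a fake Microsoft security bulletin) can be screened for at a mail gateway or in a mailbox export. The following PowerShell function is an added example written for this page, not a Sophos tool; the function name Test-TorvilLure and the sample messages at the end are constructed for illustration, and the heuristic checks for double extensions and patch-lure wording go beyond the exact strings the advisory lists.

```powershell
# Added example (not Sophos' own code): classify an inbound message by the lure
# characteristics this advisory lists for W32/Torvil-A. Returns the reasons that
# fired, or an empty array when nothing matched.
function Test-TorvilLure {
    param(
        [string]$Subject,
        [string]$AttachmentName
    )
    $reasons = @()

    # Subject phrases quoted in the advisory (matched case-insensitively as substrings).
    # "Re:" and "Fw:" are omitted: on their own they are far too common to score.
    $lureSubjects = @(
        'Congratulations!', 'darling', 'Do not release, its the internal rls!', 'Documents',
        'Pr0n!', 'Undeliverable mail--', 'Returned mail--', "Here's a nice Picture",
        'NewInternal Rls...', "here's the document", "here's the archive you requested",
        'See the attached file for details.', 'Hello,',
        'Who should read this bulletin: Users running Microsoft Windows'
    )
    foreach ($s in $lureSubjects) {
        if ($Subject -and $Subject.IndexOf($s, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $reasons += "subject contains advisory phrase '$s'"
            break
        }
    }

    # Attachment names quoted in the advisory.
    $lureFiles = @('yourwin.bat', 'probsolv.doc.pif', 'flt-xb5.rar.pif', 'document.doc.pif',
        'sexinthecity.scr', 'torvil.pif', 'win$hitrulez.pif', 'sex.jpg', 'flt-ixb23.zip',
        'readit.doc.pif', 'document1.doc.pif', 'attachment.zip', 'Q723523_W9X_WXP_x86_EN.exe')

    if ($AttachmentName) {
        if ($lureFiles -contains $AttachmentName) {
            $reasons += 'attachment name is listed in the advisory'
        }
        # Generic check: an executable extension, possibly hidden behind a document-looking one
        # (the advisory's document.doc.pif and flt-xb5.rar.pif are examples of the pattern).
        if ($AttachmentName -match '\.(pif|scr|exe|bat|com|cmd)$') {
            $reasons += 'attachment has an executable extension'
            if ($AttachmentName -match '\.(doc|rar|zip|jpg|txt)\.(pif|scr|exe|bat|com|cmd)$') {
                $reasons += 'double extension disguises an executable as a document'
            }
        }
        # A "fix" delivered as an attachment is a classic lure; Microsoft does not mail patches out.
        if ($AttachmentName -match '^Q\d{6}_.*\.exe$' -and $Subject -match 'bulletin|fix|patch') {
            $reasons += 'fake security-bulletin lure (patch attached to an email)'
        }
    }
    return ,$reasons
}

# Constructed sample messages (not real captures): the first two should fire, the third should not.
Test-TorvilLure -Subject "here's the document you requested" -AttachmentName 'document.doc.pif'
Test-TorvilLure -Subject 'Who should read this bulletin: Users running Microsoft Windows' `
                -AttachmentName 'Q723523_W9X_WXP_x86_EN.exe'
Test-TorvilLure -Subject 'Q3 budget' -AttachmentName 'budget.xlsx'
```

The exact-string lists only catch this variant; the double-extension and executable-attachment checks are the part worth keeping in a gateway policy, since they do not depend on the worm's wording.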

When W32/Torvil-A is first executed, a dialog box is displayed containing the text "Press "Patch" to install the RPC-DCOM Fix2". The computer will be infected whether or not the user clicks on the button titled "Patch".

W32/Torvil-A drops three copies of itself to the Windows folder. One of the copies has the filename svchost.exe; the other two copies have filenames that begin with spool or SMSS. Additionally, the two files message.dat and message.htm are created in the Windows folder and contain base64-encoded copies of the worm.

The following registry entry will be set so that the worm is run when Windows starts up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Service Host

The following registry entries are set so that the worm is run whenever an executable file of type CMD, EXE, SCR, COM, BAT or PIF is executed:

HKCR\cmdfile\shell\open\command
HKCR\exefile\shell\open\command
HKCR\scrfile\shell\open\command
HKCR\comfile\shell\open\command
HKCR\batfile\shell\open\command
HKCR\piffile\shell\open\command

The file win.ini will be edited to contain a run entry pointing to one of the copies of the worm in the Windows folder.

The following registry keys are created and should be deleted:

HKLM\Software\Microsoft\Windows\CurrentVersion\Advanced\OneLevelDeeper\TorvilDB
HKCU\Software\Microsoft\Windows\CurrentVersion\Advanced\OneLevelDeeper\TorvilDB

The Microsoft Outlook Express stationery file will be set to the file message.htm dropped in the Windows folder, in an attempt to force Outlook Express to send the worm with every email sent by the infected user.

The registry entry

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools

will be set to "1" so that tools such as regedit.exe cannot be used.
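The registry, win.ini and dropped-file changes described above can be checked for on a host before following the removal instructions. The script below is an added example written for this page, not a Sophos tool; it only reads and reports, and every path and file name it looks for is taken from this advisory. The heuristic that a clean shell\open\command handler starts with "%1" (the file itself) is an assumption of this example, and the Outlook Express stationery setting is not checked because the advisory does not give its location.

```powershell
# Added example (not Sophos' own code): read-only audit of a Windows host for the
# persistence and policy changes this advisory attributes to W32/Torvil-A.
# Nothing is modified; findings are collected and printed.
$findings = New-Object System.Collections.Generic.List[string]
$windir   = $env:windir

# 1. Startup entry: HKLM\...\Run value named "Service Host"
$run = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Service Host']) {
    $findings.Add("Run value 'Service Host' = $($run.'Service Host')")
}

# 2. Hijacked file-type handlers for CMD, EXE, SCR, COM, BAT and PIF.
#    Assumption of this example: a clean handler starts with "%1" (runs the file itself);
#    a handler that launches some other program first is suspect.
foreach ($type in 'cmdfile', 'exefile', 'scrfile', 'comfile', 'batfile', 'piffile') {
    $key = "Registry::HKEY_CLASSES_ROOT\$type\shell\open\command"
    $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -and $cmd -notmatch '^"%1"') {
        $findings.Add("$type handler = $cmd")
    }
}

# 3. Marker keys the advisory says the worm creates
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Advanced\OneLevelDeeper\TorvilDB"
    if (Test-Path $key) { $findings.Add("Marker key present: $key") }
}

# 4. Registry tools disabled by policy (DisableRegistryTools = 1)
$pol = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableRegistryTools -eq 1) { $findings.Add('DisableRegistryTools = 1') }

# 5. win.ini run= entry (any non-empty run= line is worth a look on a modern system)
$winini = Join-Path $windir 'win.ini'
if (Test-Path $winini) {
    Get-Content $winini | Where-Object { $_ -match '^\s*run\s*=\s*\S' } | ForEach-Object {
        $findings.Add("win.ini: $_")
    }
}

# 6. Dropped files in the Windows folder. The legitimate svchost.exe lives in System32,
#    so a copy directly in the Windows folder is itself a finding.
foreach ($name in 'svchost.exe', 'message.dat', 'message.htm') {
    $p = Join-Path $windir $name
    if (Test-Path $p) { $findings.Add("Dropped file: $p") }
}
Get-ChildItem -Path $windir -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^(spool|smss)' } |
    ForEach-Object { $findings.Add("Suspicious file (spool*/SMSS* in Windows folder): $($_.FullName)") }

if ($findings.Count -eq 0) {
    'No W32/Torvil-A indicators found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Run it from an elevated prompt so the HKLM and Windows-folder reads succeed. Because the worm hooks the exefile handler, any finding under check 2 means the worm may be launched by ordinary programs, so cleanup should proceed from an environment where the infected handler is not in use (for example, the vendor's removal instructions linked above).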

W32/Torvil-A attempts to send copies of itself to a number of newsgroups.
