Worm.Torvil.b

Editor: 一场网互动百科  Date: 2019-12-11 22:17:21
Name: Worm.Torvil.b
Alias: I-Worm.Torvil.b [AVP]
Date handled: 2004-02-05
Threat level:
Worm.Torvil.b overview

Virus type: worm
Affected systems: Win9x/NT/2000/XP
Behaviour:
Built with: Delphi, packed with ASPack

Worm.Torvil.b infection vectors:

A. E-mail
B. Connecting to remote machines by guessing weak passwords
C. ICQ, mIRC and KaZaA file sharing

Worm.Torvil.b behaviour when run:

System modifications:
A. Copies itself twice into %SystemRoot%:
SMSS??.exe or Spool??.exe (where ?? stands for two arbitrary letters)
svchost.exe (the genuine svchost.exe lives in %SystemRoot%\system32, so a copy directly under %SystemRoot% is the worm's)
B. Creates the directory %SystemRoot%\mstorvil and drops multiple copies of itself into it, named to look like cracks for popular software so that they are picked up through the file-sharing clients listed above. The first part of a file name may be:
NetObjects Fusion v7.5
Macromedia Studio MX 2004 AllApps
BearShare Pro 4.3.0
Borland C++ BuilderX 1.0 Enterprise Edition
Microsoft Office System Professional V2003
Halo FLT
Nero Burning ROM v6.0.0.19 Ultra Edition
TVTool v8.31
NHL 2004
Norton SystemWorks 2004
McAfee Personal Firewall Plus 2004
iMesh 4.2 Ad Remover
Norton AntiVirus 2004
Norton Antispam 2004
Sophos AntiVirus v3.74
Macromedia Contribute 2
McAfee VirusScan Home Edition 2004
McAfee SpamKiller 2004
and the second part may be:
Keygen.exe
Crack.exe
C. Creates the following files:
C:\torvil.log
message.dat
message.htm
msg.zip
Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
it creates the value:
"Service Host"="%SystemRoot%\SMSS??.exe"
Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
it modifies the value:
"Shell"="Explorer.exe SMSS??.exe"
(Winlogon starts every program named in Shell, so the worm is launched at each logon even if the Run value is removed; cleanup has to restore Shell to "Explorer.exe".)
It creates the following subkeys and the values under them:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\OneLevelDeeper\TorvilDB
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TORVIL
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TORVIL (a service named "TORVIL" whose path is "%SystemRoot%\SMSS??.exe -s")
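An offline triage check for the file and registry indicators listed above, written as an added example for this entry (it is not code from the page or from any vendor tool). It takes a full-path directory listing and a registry snapshot already exported from the suspect host; the function names, the dict layout of the snapshot and the sample listing and registry data are this example's own constructed assumptions, and the registry paths are the ones quoted above.

```python
"""Offline triage for the Worm.Torvil.b host indicators listed above."""
import re
from typing import Dict, List

# %SystemRoot%\SMSS??.exe or Spool??.exe, where ?? are two arbitrary letters.
DROPPER_RE = re.compile(r"^(?:smss|spool)[a-z]{2}\.exe$", re.IGNORECASE)
# Loose data files the worm writes; the page gives no path, so they are
# matched by name directly under %SystemRoot% (adjust if they turn up elsewhere).
DROPPED_FILES = {"message.dat", "message.htm", "msg.zip"}
# Bait copies under %SystemRoot%\mstorvil: "<product> Keygen.exe" / "<product> Crack.exe".
BAIT_RE = re.compile(r"\s(?:keygen|crack)\.exe$", re.IGNORECASE)

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def check_files(systemroot: str, paths: List[str]) -> List[str]:
    """Flag entries of a full-path directory listing that match the dropper layout."""
    findings = []
    root = systemroot.rstrip("\\").lower()
    for path in paths:
        if not path.lower().startswith(root + "\\"):
            continue
        parts = path[len(root) + 1:].split("\\")
        name = parts[-1]
        if len(parts) == 1:  # directly under %SystemRoot%
            if DROPPER_RE.match(name):
                findings.append(f"dropper copy: {path}")
            elif name.lower() == "svchost.exe":
                # The genuine svchost.exe lives in %SystemRoot%\system32; a copy one
                # level up is the worm's second copy, not a Windows file.
                findings.append(f"svchost.exe outside system32: {path}")
            elif name.lower() in DROPPED_FILES:
                findings.append(f"worm data file: {path}")
        elif len(parts) == 2 and parts[0].lower() == "mstorvil":
            kind = "bait" if BAIT_RE.search(name) else "unexpected"
            findings.append(f"mstorvil {kind} file: {path}")
    return findings


def check_registry(reg: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag persistence entries; reg maps key path -> {value name: data}."""
    findings = []
    for name, data in reg.get(RUN_KEY, {}).items():
        target = data.strip('"')
        # spoolsv.exe (the print spooler) also fits the Spool??.exe shape, so the
        # location matters: the worm copies sit under %SystemRoot%, never in system32.
        if DROPPER_RE.match(target.split("\\")[-1]) and "\\system32\\" not in target.lower():
            findings.append(f"Run value {name!r} launches {data}")
    # Winlogon starts every program named in Shell, so anything after
    # Explorer.exe runs at each logon even if the Run value is removed.
    shell = reg.get(WINLOGON_KEY, {}).get("Shell", "Explorer.exe")
    extra = shell.split()[1:]
    if extra:
        findings.append("Winlogon Shell runs extra program(s): " + " ".join(extra))
    for key in reg:  # Services\TORVIL, Enum\Root\LEGACY_TORVIL, ...\TorvilDB
        if "torvil" in key.lower():
            findings.append(f"worm registry key present: {key}")
    return findings


# Constructed sample data (not captured from a real host).
SAMPLE_LISTING = [
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\SMSSqz.exe",
    r"C:\WINDOWS\svchost.exe",
    r"C:\WINDOWS\message.htm",
    r"C:\WINDOWS\mstorvil\Norton AntiVirus 2004 Keygen.exe",
    r"C:\WINDOWS\mstorvil\Halo FLT Crack.exe",
]
SAMPLE_REG = {
    RUN_KEY: {"Service Host": r"%SystemRoot%\SMSSqz.exe",
              "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    WINLOGON_KEY: {"Shell": "Explorer.exe SMSSqz.exe"},
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TORVIL":
        {"ImagePath": r"%SystemRoot%\SMSSqz.exe -s"},
}


def triage(systemroot: str = r"C:\WINDOWS", paths=SAMPLE_LISTING, reg=SAMPLE_REG) -> List[str]:
    """Run both checks and return every finding as one line of text."""
    return check_files(systemroot, paths) + check_registry(reg)


if __name__ == "__main__":
    for line in triage():
        print(line)
```

On the sample data the checks report the two dropper copies, the stray svchost.exe, the dropped message.htm, both bait files, the Run value, the extra program in Shell and the TORVIL service key. The location tests matter: both svchost.exe and Spool??.exe collide with names of legitimate Windows programs, which is exactly why the worm chose them, and only the directory separates the two.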

Worm.Torvil.b symptoms:

A. When run it shows a window titled "Microsoft RPC-DCOM Fix2" (a decoy named after the RPC/DCOM patches of the period)
B. A DOS window is repeatedly opened and closed, displaying: "%current time% xExec %SystemRoot%\SMSS??.exe"
C. Terminates the following processes (anti-virus, personal-firewall and monitoring tools of the period):
_AVP32
_AVPCC
_AVPM
ACKWIN32
ATRACK
ADVXDWIN
AGENTW
ALERTSVC
ALOGSERV
ALOGSERV
AMON9X
ANTIVIR
ANTI-TROJAN
AVPUPD
AVWIN95
AVPTC
AVE32
ANTS
APVXDWIN
APVXDWIN
ATCON
ATUPDATER
ATWATCH
AUTODOWN
AUTOTRACE
AVCONSOL
AVGCC32
AVGCTRL
AVGSERV
AVGSERV9
AVGW
AVKPOP
AVKSERV
AVKSERVICE
AVKWCTL9
AVP
AVP32
AVPM
AVSCHED32
AVSYNMGR
AVWINNT
AVXMONITOR9X
AVXMONITORNT
AVXQUAR
AVXQUAR
AVXW
BLACKD
BLACKICE
CDP
CFGWIZ
CLAW95
CCEVTMGR
CCPWDSVC
CLAW95CF
CFINET
CLEANER
CLEANER3
CMGRDIAN
CONNECTIONMONITOR
CPD
CPDClNT
CTRL
DEFALERT
DEFSCANGUI
DEFWATCH
DOORS
DVP95
DVP95_0
EFPEADM
ETRUSTCIPE
EVPN
EXPERT
FIREWAL
F-AGNT95
FAMEH32
FCH32
FIH32
FNRB32
F-PROT
F-PROT95
FP-WIN
FRW
FSAA
FSAV32
FSGK32
FSM32
FSMA32
FSMB32
F-STOPW
GBMENU
GBPOLL
GBPOLL
GENERICS
GUARD
GUARDDOG
IAMAPP
IAMSERV
IAMSTATS
ICLOAD95
ICLOADNT
ICMON
ICSUPP95
ICSUPPNT
IFACE
IOMON98
ISRV95
JEDI
LDNETMON
LDPROMENU
LDSCAN
LOCKDOWN
LOCKDOWN2000
LUALL
LUCOMSERVER
LUSPT
MCAGENT
MCMNHDLR
MCSHIELD
MCTOOL
MCUPDATE
MCVSRTE
MCVSSHLD
MGAVRTCL
MGAVRTE
MGHTML
MINILOG
MONITOR
NAVRUNR
MOOLIVE
MPFAGENT
MPFSERVICE
MPFTRAY
MWATCH
NAV
AUTO-PROTECT
NAVAP
NAVAPSVC
NAVAPW32
NAVENGNAVEX15
N32SCANW
NAVENGNAVEX15
NAVLU32
NAVW32
NAVWNT
NDD32
NEOWATCHLOG
NETUTILS
NISSERV
NISUM
NMAIN
NOD32
NORMIST
NOTSTART
NPROTECT
NPSCHECK
NPSSVC
NSCHED32
NSPLUGIN
NTRTSCAN
NTVDM
NRESQ32
NTXcONFIG
Nui
NUPGRADE
NVC95
NWSERVICE
NWTOOL16
NSCHEDNT
PADMIN
PAVPROXY
PCCIOMON
PCCNTMON
PCCWIN97
PCCWIN98
PCSCAN
PERSFW
PERSWF
POP3TRAP
PCFWALLICON
POPROXY
PORTMONITOR
PROCESSMONITOR
PROGRAMAUDITOR
PVIEW95
RAPAPP
RAV7
RAV7WIN
REALMON
RESCUE
PCCMAIN
RTVSCN95
RULAUNCH
TMNTSRV
SBSERV
SAFEWEB
SAVSCAN
SCAN32
SCRSCAN
SMC
SPHINX
SPYXX
SS3EDIT
SWEEP95
SWEEPNET
SWEEPSRV
SWNETSUP
SymProxySvc
SYMTRAY
TAUMON
TDS2-98
TDS2-NT
TCA
TCM
TFAK
VBCMSERV
VBCONS
VET32
VET95
VETTRAY
VIR-HELP
VPC32
VPTRAY
VSCHED
VSECOMR
VSHWIN32
VSMAIN
VSMON
VSSTAT
WATCHDOG
WEBSCANX
WEBTRAP
WGFE95
WIMMUN32
WRADMIN
WRCTRL
WRCTRL
ZAPRO
ZONEALARM
D. Sends infected e-mail
Subject:
congratulations!
darling
Do not release, its the internal rls!
Documents
Pr0n!
Undeliverable mail--
Returned mail--
here's a nice Picture
New Internal Rls...
here's the document
here's the document you requested
here's the archive you requested
Body:
The first part may be:
Hi,
Hello,
Re:
Fw:
The second part may be:
See the attached file for details.
I have a document attached,
which should solve your problems.
The release file is attached...
Send me your comments.
Real outtakes from Sex in the City!!
Adult content!!! Use with parental advisory =)
Have a look the Pic attached !!
dOnT gIvE iT aWaY...
iTs cOnFiDeNtIaL =)
here's the document that you had requested.
That's the answer to all your questions.
Have a look at the attatchment.
The attachment may be:
yourwin.bat
probsolv.doc.pif
flt-xb5.rar.pif
document.doc.pif
sexinthecity.scr
torvil.pif
win$hitrulez.pif
sexy.jpg
flt-ixb23.zip
readit.doc.pif
document1.doc.pif
attachment.zip
message.zip
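A mail-gateway scoring rule built from the lures above, as an added example for this entry (not code from the page or from any mail product). The subject, body and attachment-name lists are taken from the page; the weights, the quarantine threshold, the function names and the three sample messages are this example's own constructed assumptions.

```python
"""Score incoming mail against the Worm.Torvil.b lures listed above."""
import re
from typing import Any, Dict, List, Tuple

# Lure strings from the write-up, compared case-insensitively.
SUBJECTS = {s.lower() for s in (
    "congratulations!", "darling", "Do not release, its the internal rls!",
    "Documents", "Pr0n!", "Undeliverable mail--", "Returned mail--",
    "here's a nice Picture", "New Internal Rls...", "here's the document",
    "here's the document you requested", "here's the archive you requested",
)}
BODY_FRAGMENTS = tuple(s.lower() for s in (
    "See the attached file for details.", "which should solve your problems.",
    "The release file is attached...", "Real outtakes from Sex in the City!!",
    "Use with parental advisory =)", "Have a look the Pic attached !!",
    "dOnT gIvE iT aWaY...", "That's the answer to all your questions.",
    "Have a look at the attatchment.",
))
ATTACHMENT_NAMES = {
    "yourwin.bat", "probsolv.doc.pif", "flt-xb5.rar.pif", "document.doc.pif",
    "sexinthecity.scr", "torvil.pif", "win$hitrulez.pif", "sexy.jpg",
    "flt-ixb23.zip", "readit.doc.pif", "document1.doc.pif", "attachment.zip",
    "message.zip",
}
# Structural rules that survive a rename of the lure: an executable extension,
# and a "document.doc.pif" style double extension used to hide one.
EXEC_EXT_RE = re.compile(r"\.(?:pif|scr|bat|exe|com)$")
DOUBLE_EXT_RE = re.compile(r"\.(?:doc|rar|zip|jpg|txt)\.(?:pif|scr|bat|exe|com)$")


def score_message(msg: Dict[str, Any]) -> Tuple[int, List[str]]:
    """Return (score, reasons) for a message with subject, body and attachments."""
    score, reasons = 0, []
    subject = str(msg["subject"]).strip().lower()
    if subject in SUBJECTS:
        score += 2
        reasons.append(f"known subject: {msg['subject']}")
    body = str(msg["body"]).lower()
    for frag in BODY_FRAGMENTS:
        if frag in body:
            score += 2
            reasons.append(f"known body text: {frag}")
            break
    for name in msg["attachments"]:
        low = name.lower()
        if DOUBLE_EXT_RE.search(low):
            score += 4
            reasons.append(f"double-extension executable: {name}")
        elif EXEC_EXT_RE.search(low):
            score += 3
            reasons.append(f"executable attachment: {name}")
        if low in ATTACHMENT_NAMES:
            score += 2
            reasons.append(f"known attachment name: {name}")
    return score, reasons


def verdict(msg: Dict[str, Any], threshold: int = 4) -> str:
    """Quarantine when the combined evidence reaches the (assumed) threshold."""
    return "quarantine" if score_message(msg)[0] >= threshold else "deliver"


# Constructed sample messages (not real captures).
SAMPLE_MESSAGES = [
    {"subject": "here's the document you requested",          # worm mail
     "body": "Hi,\nSee the attached file for details.",
     "attachments": ["document.doc.pif"]},
    {"subject": "Documents",                                  # legitimate, subject collides
     "body": "Attached are the Q3 documents for review.",
     "attachments": ["q3-report.pdf"]},
    {"subject": "Returned mail--",                            # archive variant
     "body": "Fw:\nThat's the answer to all your questions.",
     "attachments": ["message.zip"]},
]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(verdict(msg), score_message(msg))
```

The weighting reflects how durable each indicator is. A subject such as "Documents" also occurs in normal mail, so on its own it only scores 2 and the second sample is delivered. The .doc.pif double extension is the strongest single signal and blocks the first sample by itself. The zip variants cannot be blocked by file type without stopping legitimate archives, so the third sample is quarantined only because the known archive name is corroborated by a known subject and body text.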

Worm.Torvil.b notes:

It tries to connect to remote computers by guessing weak passwords; when a connection succeeds it copies itself as "Reminder.exe" into the remote computer's %SystemRoot% directory.
Entry tags:
computer science, technology, virus