Entry | I-Worm/Torvil.a |
Definition | I-Worm/Torvil.a
Virus type: network worm
Danger level: *
Affected platforms: Win9X/2000/XP/NT/Me/2003
I-Worm/Torvil.a spreads through Microsoft Outlook, Outlook Express and file-sharing networks.
Propagation process and characteristics:
1. Copies itself to:
%Windir%\Spoolxx.exe
%windir%\SMSSxx.exe
%windir%\svchost.exe
2. Modifies the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Service Host" = "%windir%\spoolxx.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\OneLevelDeeper]
"Service Host" = "%windir%\spoolxx.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Service Host" = "%windir%\svchost.exe"
[SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe spoolxx.exe"
3. Copies itself into the shared folders of file-sharing programs such as ed2k-it, Xolox and Kazaa, and into the folder %windir%\mstorvil.{21EC2020-3AEA-1069-A2DD-08002B30309D}, under the file names:
ACDSee32 v2.41 Cracker.exe
Adobe Encore DVD 1.0 Cracker.exe
BearShare Pro v4.0.1 Cracker.exe
BestCrypt v7.08.1 Cracker.exe
Cultures 3 Northland Cracker.exe
Colin McRae Rally 4 Cracker.exe
DivX Pro 5.1 Cracker.exe
DVD X Studios CloneDVD 1.25 Cracker.exe
Dragons Lair 3D Multilanguage Cracker.exe
Empereur L Cracker.exe
Empire du Milieu - Mise a Jour Cracker.exe
EasyRecovery v1.1.01 Cracker.exe
iMesh v3.0b Ad Remover Cracker.exe
Norton AntiVirus 2004 Cracker.exe
Star Wars Jedi Knight Jedi Academy Cracker.exe
Tony Hawks Pro Skater 4 Multilanguage NoCD Cracker.exe
You dont know Jack 4 Cracker.exe
Zone Alarm Pro 4.0 Cracker.exe
4. Searches files of types such as INBOX, HTML and MBOX to find valid e-mail addresses. Using its own SMTP engine, or the SMTP server obtained from the mail account, it sends itself to those addresses. E-mail characteristics:
Subject: varies
Body: Hello, You should apply this fix which solves the newest Internet Explorer Vulnerability described in MS05-023. It's important that you apply the fix now since we estimate the Buffer Overflow is at a Critical Level. Sincerely Yours The Security Team
Attachment: one of the following:
document.pif
thank_you.pif
her_details.pif
funny_guy.pif
wicked_screensaver.scr
movie0045.pif
torvil.pif
Q723523_W9X_WXP_x86_EN.exe |
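
A defender-side check for the persistence indicators listed in step 2, as an added example that is not part of the original entry: it scans autorun entries for the "Service Host" value name, the dropped file names sitting directly in %windir%, and a Winlogon Shell value that starts anything besides explorer.exe. The sample rows are constructed; the `HKLM` prefix, the default `c:\windows` location, space-free paths and the function names are assumptions.

```python
import ntpath

# Indicators taken from the entry above: autorun value name and dropped file names.
VALUE_NAME = "service host"
DROPPED = {"spoolxx.exe", "smssxx.exe", "svchost.exe"}
WINDIR = r"c:\windows"  # assumption: default %windir%

SAMPLE = [  # constructed autorun entries: (key, value name, data)
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Service Host", r"%windir%\spoolxx.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", "Service Host", r"%windir%\svchost.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "explorer.exe spoolxx.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "explorer.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Updater", r"C:\Windows\System32\svchost.exe -k netsvcs"),
]

def check_entry(key, name, data):
    """Return the reasons (possibly none) an autorun entry matches the indicators."""
    reasons = []
    key_l, name_l = key.lower(), name.lower()
    data_l = data.lower().replace("%windir%", WINDIR).strip('"')
    if key_l.endswith(r"\winlogon") and name_l == "shell":
        # The default Shell is explorer.exe alone; the worm appends its own file.
        extra = [t for t in data_l.split() if ntpath.basename(t) != "explorer.exe"]
        if extra:
            reasons.append("Winlogon Shell starts extra program: " + " ".join(extra))
        return reasons
    command = (data_l.split() or [""])[0]  # drop command-line arguments
    directory, base = ntpath.split(command)
    if name_l == VALUE_NAME:
        reasons.append('autorun value named "Service Host"')
    if base in DROPPED and directory == WINDIR:
        # Genuine svchost.exe lives in %windir%\System32, not in %windir% itself.
        reasons.append(base + " located directly in %windir%")
    return reasons

def scan(entries):
    """Return (key, value name, reasons) for every entry that matched."""
    hits = []
    for key, name, data in entries:
        reasons = check_entry(key, name, data)
        if reasons:
            hits.append((key, name, reasons))
    return hits

if __name__ == "__main__":
    for key, name, reasons in scan(SAMPLE):
        print(key, name, "->", "; ".join(reasons))
```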