TDS3 does NOT detect the TORVIL worm?

Discussion in 'Trojan Defence Suite' started by mooseboy84, Feb 2, 2005.

Thread Status:
Not open for further replies.
  1. mooseboy84

    mooseboy84 Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    5
    I do not think your software does. Mind you, I am using an evaluation copy demo I downloaded from the site, but I found something Very suspicious that TDS-3 did not detect.

    I'll first give a bit of background. I leave my comp on 24/7, so about a week ago I come to my computer and it says, "Norton has encountered a problem and needs to be uninstalled". So then I go to uninstall Norton, and thus begin my problems. Norton wouldn't uninstall correctly. So then I go to manually delete the registry keys it made... but I discover I can't use regedit, because "registry editing has been disabled by administrator". I have been using this system since November when I reformatted, but I couldn't recall using regedit since then.

    When I saw that message, I Instantly thought of a virus. I had read on this forum about operation guard, or some viruses shutting down anti-virus software.

    I looked at my Task Manager, and the Only thing that looked out of place was something called Spoolwp.exe. I have been trying to find info on it using Google, but nothing came up. I got very suspicious about the file because it would be using 30MB or so of memory, which is HIGH for something I couldn't find anything about on Google.

    So to make a Loong story short: a few days ago I ran a Full system scan with TDS3 and nothing came up. I got a VBS script that same day, and Unlocked my registry.

    This evening, since I've had some time, I decided to search through my registry for SPOOLWP.EXE to see what I could find. Well, as it turns out, I found it several times, and under something called TORVIL. That sounded strange, so I searched Google and it was a WORM. Oddly enough, this is one of the first things that comes up about it.
    http://vic.zonelabs.com/tmpl/body/CA/virusDetails.jsp?VId=37367

    I tried to delete the spoolwp.exe file by changing the name. Now when I start up, something pops up saying Windows could not locate spoolwp.exe. Anyway, here is the key.

    So does TDS-3 detect the TORVIL worm? o_O
     

    Attached Files:

  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi, TDS3 does detect the worm Torvil.D. You may have a variant. If you can find the file, please zip it up and send it to submit@diamondcs.com.au

    You can manually download new definitions (radius database) from here: http://tds.diamondcs.com.au/index.php?page=update Please follow the instructions on that page.

    After getting the latest update, please do a full scan in Safe Mode. Safe Mode can be reached by pressing F8 a few times after your BIOS loads and before Windows starts to load. In Scan Control, enable all the scan options and then scan all physical drives. This is a very deep scan and will take some time.

    HTH Pilli
     
  3. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    mooseboy84,
    You might want to consider getting a registry monitor; a good one would have alerted you to the entry being added.

    There are several threads on Wilders discussing the merits of the different ones.
    Have a look at Registry Monitor Comparison.
    Another thread that might be useful is Security that you use and its purpose.
     
  4. controler

    controler Guest

    I wonder if WinTasks 5.0 would find it and show all its DLLs?

    Bruce
     
  5. controler

    controler Guest

    Copies itself to %Windir%\<filename>.exe.

    where <filename> is one of the following:

    spool<random letters>
    SMSS<random letters>

    For example, the worm may copy itself as C:\Winnt\spoolax.exe.


    Repeatedly opens and closes a command window with the following characteristics:

    Title: <filename>
    Message: <current date and time> xExec %Windir%\<filename>.exe


    Creates the file, C:\Torvil.log, which is a text file. This file is not viral by itself, therefore, Symantec antivirus products do not detect this file. Manually delete it.


    Adds the value:

    "Service Host"="%Windir%\<filename>.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the worm runs when you restart Windows.


    Adds the value:

    "Shell"="Explorer.exe %Windir%\<filename>.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon


    Creates the subkey:

    OneLevelDeeper\TorvilDB

    under the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced

    and adds the following value to the subkey:

    "TORVIL"="<filename>.exe"


    Creates a Mutex "Torvil", which allows only one instance of the worm to execute in memory.


    Registers its process as a service if the current operating system is Windows 9x.


    Runs itself as the service, "Torvil," if the current operating system is Windows NT/2000/XP.


    Terminates any of the following processes:

    _AVP32
    _AVPCC
    _AVPM
    ACKWIN32
    ATRACK
    ADVXDWIN
    AGENTW
    ALERTSVC
    ALOGSERV
    ALOGSERV
    AMON9X
    ANTIVIR
    ANTI-TROJAN
    AVPUPD
    AVWIN95
    AVPTC
    AVE32
    ANTS
    APVXDWIN
    APVXDWIN
    ATCON
    ATUPDATER
    ATWATCH
    AUTODOWN
    AUTOTRACE
    AVCONSOL
    AVGCC32
    AVGCTRL
    AVGSERV
    AVGSERV9
    AVGW
    AVKPOP
    AVKSERV
    AVKSERVICE
    AVKWCTL9
    AVP
    AVP32
    AVPM
    AVSCHED32
    AVSYNMGR
    AVWINNT
    AVXMONITOR9X
    AVXMONITORNT
    AVXQUAR
    AVXQUAR
    AVXW
    BLACKD
    BLACKICE
    CDP
    CFGWIZ
    CLAW95
    CCEVTMGR
    CCPWDSVC
    CCSETMGR
    CLAW95CF
    CFINET
    CLEANER
    CLEANER3
    CMGRDIAN
    CONNECTIONMONITOR
    CPD
    CPDClNT
    CTRL
    DEFALERT
    DEFSCANGUI
    DEFWATCH
    DOORS
    DVP95
    DVP95_0
    EFPEADM
    ETRUSTCIPE
    EVPN
    EXPERT
    FIREWAL
    F-AGNT95
    FAMEH32
    FCH32
    FIH32
    FNRB32
    F-PROT
    F-PROT95
    FP-WIN
    FRW
    FSAA
    FSAV32
    FSGK32
    FSM32
    FSMA32
    FSMB32
    F-STOPW
    GBMENU
    GBPOLL
    GBPOLL
    GENERICS
    GUARD
    GUARDDOG
    IAMAPP
    IAMSERV
    IAMSTATS
    ICLOAD95
    ICLOADNT
    ICMON
    ICSUPP95
    ICSUPPNT
    IFACE
    IOMON98
    ISRV95
    JEDI
    LDNETMON
    LDPROMENU
    LDSCAN
    LOCKDOWN
    LOCKDOWN2000
    LUALL
    LUCOMSERVER
    LUSPT
    MCAGENT
    MCMNHDLR
    MCSHIELD
    MCTOOL
    MCUPDATE
    MCVSRTE
    MCVSSHLD
    MGAVRTCL
    MGAVRTE
    MGHTML
    MINILOG
    MONITOR
    NAVRUNR
    MOOLIVE
    MPFAGENT
    MPFSERVICE
    MPFTRAY
    MWATCH
    NAV
    AUTO-PROTECT
    NAVAP
    NAVAPSVC
    NAVAPW32
    NAVENGNAVEX15
    N32SCANW
    NAVENGNAVEX15
    NAVLU32
    NAVW32
    NAVWNT
    NDD32
    NEOWATCHLOG
    NETUTILS
    NISSERV
    NISUM
    NMAIN
    NOD32
    NORMIST
    NOTSTART
    NPROTECT
    NPSCHECK
    NPSSVC
    NSCHED32
    NSPLUGIN
    NTRTSCAN
    NTVDM
    NRESQ32
    NTXcONFIG
    Nui
    NUPGRADE
    NVC95
    NVSVC32
    NWSERVICE
    NWTOOL16
    NSCHEDNT
    PADMIN
    PAVPROXY
    PCCIOMON
    PCCNTMON
    PCCWIN97
    PCCWIN98
    PCSCAN
    PERSFW
    PERSWF
    POP3TRAP
    PCFWALLICON
    POPROXY
    PORTMONITOR
    PROCESSMONITOR
    PROGRAMAUDITOR
    PVIEW95
    RAPAPP
    RAV7
    RAV7WIN
    REALMON
    RESCUE
    PCCMAIN
    RTVSCN95
    RULAUNCH
    TMNTSRV
    SBSERV
    SAFEWEB
    SAVSCAN
    SCAN32
    SCRSCAN
    SMC
    SPHINX
    SPYXX
    SS3EDIT
    SWEEP95
    SWEEPNET
    SWEEPSRV
    SWNETSUP
    SymProxySvc
    SYMTRAY
    TAUMON
    TDS2-98
    TDS2-NT
    TCA
    TCM
    TDS-3
    TFAK
    VBCMSERV
    VBCONS
    VET32
    VET95
    VETTRAY
    VIR-HELP
    VPC32
    VPTRAY
    VSCHED
    VSECOMR
    VSHWIN32
    VSMAIN
    VSMON
    VSSTAT
    WATCHDOG
    WEBSCANX
    WEBTRAP
    WGFE95
    WIMMUN32
    WRADMIN
    WRCTRL
    WRCTRL
    ZAPRO
    ZONEALARM
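    As an added example (not code from this thread, nor from Symantec or DiamondCS), the script below reads a Windows registry export (.reg) like the one the original poster attached and flags the persistence points listed in the write-up above: the "Service Host" Run value, a Winlogon Shell that is no longer plain Explorer.exe, the OneLevelDeeper\TorvilDB subkey, and a Torvil service key. The sample export embedded in it is constructed for illustration, and the function and pattern names are my own.

```python
import re
import sys

# Constructed sample .reg export (NOT the original poster's attachment) showing the
# entries the Symantec write-up describes. Real exports escape backslashes as "\\".
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Service Host"="%Windir%\\spoolwp.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe %Windir%\\spoolwp.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\OneLevelDeeper\TorvilDB]
"TORVIL"="spoolwp.exe"
"""

# Key paths taken from the write-up above; the service path is an assumption based on
# where Windows NT-family systems keep service definitions.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
TORVIL_DB_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                 r"\explorer\Advanced\OneLevelDeeper\TorvilDB")
SERVICE_KEY_PREFIX = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Torvil"

# Dropper names from the write-up: spool<random letters>.exe or SMSS<random letters>.exe.
# Weak on its own (spoolsv.exe is the legitimate print spooler), so it is only used
# to describe Run entries, never as the sole reason for a finding elsewhere.
DROPPER_NAME = re.compile(r"(?:^|\\)(?:spool|smss)[a-z]*\.exe$", re.IGNORECASE)

VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}.

    Only string (REG_SZ) values are decoded; other types are kept as raw text.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = VALUE_LINE.match(line)
            if not m:
                continue
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                # Undo the .reg escaping of backslashes and quotes.
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def lookup(keys, path):
    """Registry paths are case-insensitive, so compare them that way."""
    for k, values in keys.items():
        if k.lower() == path.lower():
            return values
    return {}


def find_torvil_indicators(keys):
    """Return human-readable findings matching the persistence points in the write-up."""
    findings = []
    for name, data in lookup(keys, RUN_KEY).items():
        if name.lower() == "service host" or DROPPER_NAME.search(data):
            findings.append(f"Run value {name!r} -> {data}")
    shell = lookup(keys, WINLOGON_KEY).get("Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell altered: {shell}")
    db = lookup(keys, TORVIL_DB_KEY)
    if db:
        findings.append(f"TorvilDB subkey present with values {sorted(db)}")
    for path in keys:
        if path.lower().startswith(SERVICE_KEY_PREFIX.lower()):
            findings.append(f"Service key present: {path}")
    return findings


if __name__ == "__main__":
    # regedit's "Version 5.00" exports are UTF-16 with a BOM; fall back to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-16") as fh:
            reg_text = fh.read()
    else:
        reg_text = SAMPLE_REG
    for finding in find_torvil_indicators(parse_reg(reg_text)) or ["no Torvil indicators"]:
        print(finding)
```

    This is a triage check over an export you already have, not a replacement for the full Safe Mode scan with current definitions that Pilli describes: a variant can use a different value name or key, and the "Shell" check will also fire on legitimate shell replacements, so treat each finding as something to look at rather than proof on its own.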
     