TDS3 does NOT detect the TORVIL worm?

i do not think your software does. mind you i am using an evaluation copy demo i downloaded from the site, but i found something Very suspicious that TDS-3 did not detect.

ill first give a bit of a background. i leave my comp on 24/7, so about a week ago i come to my computer and it says. "nortons has encounted a problem and needs to be uninstalled". so then i go to uninstall nortons, and thus begins my problems. nortons wouldnt uninstall correctly. so then i go to manually delete the registry keys it made... but i discover i cant use regedit, because "registry editing has been disabled by administrator". i have been using this system since novemeber when i reformated, but i couldnt recall using regedit since then.

when i saw that message, i Instantly thought of a virus. i had read on this forum about operation guard, or some viruses shutting down anti virus software.

i looked at my Task Manager, and the Only thing that looked out of place was something called Spoolwp.exe. i have been trying to find info on it using google, but nothing came up. i got very suspicious about the file because it would be using 30mb or so of memory, which is HIGH for something i couldnt find anything about on google.

so to make a Loong story short. a few days ago i ran a Full system scan with tsd3 and nothing came up. i got a VBS script that same day, and Unlocked my registry.

this evening since ive had some time, i decided to search through my registry for SPOOLWP.EXE to see what i could find. well as it turns out, i found several times and under something called TORVIL. that sounded strange so i searched google and it was a WORM. oddly enough, this is one of the first things that comes up about it.
http://vic.zonelabs.com/tmpl/body/CA/virusDetails.jsp?VId=37367

i tried to delete the spoolwp.exe file by changing the name. now when i startup something pops up saying windows could not locate spoolwp.exe when i restart. anyway, here is the key.

so does TDS-3 detect the TORVIL worm?

 

Hi TDS3 does detect the worm Torvil.D. You may have a variant. If you can find the file please zip it up and send to submit@diamondcs.com.au

You can manually download new definitions (radius database) from here: http://tds.diamondcs.com.au/index.php?page=update Pleas follow the instructions on tha page.

After getting the latest update please do a full scan in safe mode, safe mode can be reached by pressing F8 a few times after your BIOS loads and before windows starts to load. In scan control enable all the scan options and then scan all physical drives. This is a very deep scan and will take some time.

HTH Pilli

 

mooseboy84,
You might want to consider getting a registry monitor, a good one would have alerted you to the entry being added

There are several threads on wilders discussing the merits of the different ones
Have a look at Registry Monitor Comparison
Another thread that might be useful is Security that you use and its purpose

 

I wonder if Wintasks 5.0 would find it and show all it's DLLs?

Bruce

 

Copies itself to %Windir%<filename>.exe.

where <filename> is one of the following:

spool<random letters>
SMSS<random letters>

For example, the worm may copy itself as C:\Winnt\spoolax.exe.


Repeatedly opens and closes a command window with the following characteristics:

Title: <filename>
Message: <current date and time> xExec %Windir%<filename>.exe


Creates the file, C:\Torvil.log, which is a text file. This file is not viral by itself, therefore, Symantec antivirus products do not detect this file. Manually delete it.


Adds the value:

"Service Host"="%Windir%<filename>.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the worm runs when you restart Windows.


Adds the value:

"Shell"="Explorer.exe %Windir%<filename>.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon


Creates the subkey:

OneLevelDeeper\TorvilDB

under the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
explorer\Advanced

and adds the following value to the subkey:

"TORVIL"="<filename>.exe"


Creates a Mutex "Torvil", which allows only one instance of the worm to execute in memory.


Registers its process as a service if the current operating system is Windows 9x.


Runs itself as the service, "Torvil," if the current operating system is Window NT/2000/XP.


Terminates any of the following processes:

_AVP32
_AVPCC
_AVPM
ACKWIN32
ATRACK
ADVXDWIN
AGENTW
ALERTSVC
ALOGSERV
ALOGSERV
AMON9X
ANTIVIR
ANTI-TROJAN
AVPUPD
AVWIN95
AVPTC
AVE32
ANTS
APVXDWIN
APVXDWIN
ATCON
ATUPDATER
ATWATCH
AUTODOWN
AUTOTRACE
AVCONSOL
AVGCC32
AVGCTRL
AVGSERV
AVGSERV9
AVGW
AVKPOP
AVKSERV
AVKSERVICE
AVKWCTL9
AVP
AVP32
AVPM
AVSCHED32
AVSYNMGR
AVWINNT
AVXMONITOR9X
AVXMONITORNT
AVXQUAR
AVXQUAR
AVXW
BLACKD
BLACKICE
CDP
CFGWIZ
CLAW95
CCEVTMGR
CCPWDSVC
CCSETMGR
CLAW95CF
CFINET
CLEANER
CLEANER3
CMGRDIAN
CONNECTIONMONITOR
CPD
CPDClNT
CTRL
DEFALERT
DEFSCANGUI
DEFWATCH
DOORS
DVP95
DVP95_0
EFPEADM
ETRUSTCIPE
EVPN
EXPERT
FIREWAL
F-AGNT95
FAMEH32
FCH32
FIH32
FNRB32
F-PROT
F-PROT95
FP-WIN
FRW
FSAA
FSAV32
FSGK32
FSM32
FSMA32
FSMB32
F-STOPW
GBMENU
GBPOLL
GBPOLL
GENERICS
GUARD
GUARDDOG
IAMAPP
IAMSERV
IAMSTATS
ICLOAD95
ICLOADNT
ICMON
ICSUPP95
ICSUPPNT
IFACE
IOMON98
ISRV95
JEDI
LDNETMON
LDPROMENU
LDSCAN
LOCKDOWN
LOCKDOWN2000
LUALL
LUCOMSERVER
LUSPT
MCAGENT
MCMNHDLR
MCSHIELD
MCTOOL
MCUPDATE
MCVSRTE
MCVSSHLD
MGAVRTCL
MGAVRTE
MGHTML
MINILOG
MONITOR
NAVRUNR
MOOLIVE
MPFAGENT
MPFSERVICE
MPFTRAY
MWATCH
NAV
AUTO-PROTECT
NAVAP
NAVAPSVC
NAVAPW32
NAVENGNAVEX15
N32SCANW
NAVENGNAVEX15
NAVLU32
NAVW32
NAVWNT
NDD32
NEOWATCHLOG
NETUTILS
NISSERV
NISUM
NMAIN
NOD32
NORMIST
NOTSTART
NPROTECT
NPSCHECK
NPSSVC
NSCHED32
NSPLUGIN
NTRTSCAN
NTVDM
NRESQ32
NTXcONFIG
Nui
NUPGRADE
NVC95
NVSVC32
NWSERVICE
NWTOOL16
NSCHEDNT
PADMIN
PAVPROXY
PCCIOMON
PCCNTMON
PCCWIN97
PCCWIN98
PCSCAN
PERSFW
PERSWF
POP3TRAP
PCFWALLICON
POPROXY
PORTMONITOR
PROCESSMONITOR
PROGRAMAUDITOR
PVIEW95
RAPAPP
RAV7
RAV7WIN
REALMON
RESCUE
PCCMAIN
RTVSCN95
RULAUNCH
TMNTSRV
SBSERV
SAFEWEB
SAVSCAN
SCAN32
SCRSCAN
SMC
SPHINX
SPYXX
SS3EDIT
SWEEP95
SWEEPNET
SWEEPSRV
SWNETSUP
SymProxySvc
SYMTRAY
TAUMON
TDS2-98
TDS2-NT
TCA
TCM
TDS-3
TFAK
VBCMSERV
VBCONS
VET32
VET95
VETTRAY
VIR-HELP
VPC32
VPTRAY
VSCHED
VSECOMR
VSHWIN32
VSMAIN
VSMON
VSSTAT
WATCHDOG
WEBSCANX
WEBTRAP
WGFE95
WIMMUN32
WRADMIN
WRCTRL
WRCTRL
ZAPRO
ZONEALARM