Win32.Ivrol.A@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Ivrol.A@mm is also known as N/A.

Explanation:

This mass mailer mainly spreads through e-mail. It features its own SMTP engine and retrieves
the default SMTP server address from the Internet Account Manager settings.
It may use an IFRAME when sending e-mails.
It also attempts to spread through the eDonkey and Kazaa file-sharing networks.

The e-mails it sends use the following format:

Subject (may be one of the following):
-------
congratulations!
darling.
eager to see you.
honey!
how are you ?
lets be friends!
meeting notice.
please try again
questionnaire
some questions?!
sos!
your password!
Thank you!
Details
My details
Approved
Your application
Your details

Body (may be one of the following):
----
See the attached file for details.

I have a document attached,
which should solve your problems

I have a file attached,
which should help you to solve all your problems

Attachment (may be one of the following):
----------
document.pif
thank_you.pif
her_details.pif
funny_guy.pif
wicked_screensaver.scr
movie0045.pif
torvil.pif
Q723523_W9X_WXP_x86_EN.exe

It may also spread using the following e-mail templates (note: the Subject may also be prefixed with "Re:" or "Fw:").
%RANDOM% stands for a random e-mail address, or a random filename in the case of attachments.
-----------------------------

Subject:
Undeliverable mail
or
Returned mail--

Body:
The following mail can't be sent to %RANDOM%

The file is the original mail
-----------------------------

Subject:
Hi, %RANDOM% here's a nice Picture

Body:
Hi, %RANDOM%

Have a look the Pic attached !!

Attachment:
%RANDOM%.pif
-----------------------------

Subject:
Hi, %RANDOM% here's the document

Body:
Hi, %RANDOM%

Attachment:
%RANDOM%.pif
-----------------------------

Subject:
Hi, %RANDOM% here's the document you requested

Body:
Hi, %RANDOM%

Here's the document that you had requested.

Attachment:
%RANDOM%.pif
-----------------------------

From:
security@microsoft.com
or
security@securityfocus.com

Subject:
Use this patch immediately !
or
Next Critical Vulnerability Patch!

Body:
Hello %RANDOM%,

You should apply this fix which solves the newest
Internet Explorer Vulnerability described in MS05-023.
It's important that you apply the fix now since
we estimate the Buffer Overflow is at a Critical Level.

Sincerely Yours The %RANDOM% Security Team

Attachment:
Q723523_W9X_WXP_x86_EN.exe
-----------------------------
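The templates above give enough fixed strings to build a simple mail-gateway check. The following Python script is an added example, not part of the BitDefender write-up: it transcribes the subjects, spoofed senders, attachment names and body fragments listed above into indicator sets, strips the "Re:"/"Fw:" prefixes the text mentions, matches the %RANDOM% subjects with a pattern, and treats any .pif or .scr attachment as a hit because the %RANDOM%.pif names cannot be enumerated. The two sample messages at the bottom (addresses in example.invalid, placeholder attachment bytes) are constructed for the demo.

```python
"""Flag inbound mail matching the Win32.Ivrol.A@mm templates listed above.
Indicator strings are transcribed from the write-up; the sample messages
built at the bottom are constructed for the demo."""
import re
from email import message_from_string
from email.message import EmailMessage

# Fixed subjects from both template sets (compared case-insensitively).
FIXED_SUBJECTS = {s.lower() for s in [
    "congratulations!", "darling.", "eager to see you.", "honey!", "how are you ?",
    "lets be friends!", "meeting notice.", "please try again", "questionnaire",
    "some questions?!", "sos!", "your password!", "Thank you!", "Details",
    "My details", "Approved", "Your application", "Your details",
    "Undeliverable mail", "Returned mail--",
    "Use this patch immediately !", "Next Critical Vulnerability Patch!",
]}
# Subjects where %RANDOM% is a harvested name; matched after lower-casing.
TEMPLATE_SUBJECT = re.compile(
    r"^hi, .+ here's (a nice picture|the document( you requested)?)$")
SPOOFED_SENDERS = {"security@microsoft.com", "security@securityfocus.com"}
FIXED_ATTACHMENTS = {a.lower() for a in [
    "document.pif", "thank_you.pif", "her_details.pif", "funny_guy.pif",
    "wicked_screensaver.scr", "movie0045.pif", "torvil.pif",
    "Q723523_W9X_WXP_x86_EN.exe",
]}
# %RANDOM%.pif attachments cannot be listed, so any .pif/.scr attachment is a hit.
RISKY_EXTS = (".pif", ".scr")
BODY_MARKERS = ["see the attached file for details", "the file is the original mail",
                "have a look the pic attached", "ms05-023"]
PREFIX = re.compile(r"^\s*(re|fw):\s*", re.I)


def normalize_subject(subject):
    """Strip any number of Re:/Fw: prefixes, then collapse whitespace and case."""
    s = subject or ""
    while PREFIX.match(s):
        s = PREFIX.sub("", s, count=1)
    return " ".join(s.split()).lower()


def body_text(msg):
    """Concatenate the text/plain parts that are not attachments, lower-cased."""
    parts = []
    for p in msg.walk():
        if p.get_content_type() == "text/plain" and not p.get_filename():
            parts.append((p.get_payload(decode=True) or b"").decode("utf-8", "replace"))
    return "\n".join(parts).lower()


def classify(raw):
    """Return the indicators matched by one RFC 822 message; [] means nothing matched."""
    msg = message_from_string(raw)
    hits = []
    subject = normalize_subject(msg.get("Subject"))
    if subject in FIXED_SUBJECTS or TEMPLATE_SUBJECT.match(subject):
        hits.append("subject:" + subject)
    sender = (msg.get("From") or "").strip().lower()
    if sender in SPOOFED_SENDERS:
        hits.append("spoofed-sender:" + sender)
    for name in (p.get_filename() for p in msg.walk() if p.get_filename()):
        if name.lower() in FIXED_ATTACHMENTS:
            hits.append("known-attachment:" + name)
        elif name.lower().endswith(RISKY_EXTS):
            hits.append("executable-attachment:" + name)
    body = body_text(msg)
    hits.extend("body:" + m for m in BODY_MARKERS if m in body)
    return hits


def build_sample(sender, subject, body, attachment):
    """Construct a test message; the attachment bytes are a placeholder, not malware."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "recipient@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=attachment)
    return m.as_string()


# Constructed samples: one following the fake-patch template, one ordinary mail.
WORM_SAMPLE = build_sample(
    "security@microsoft.com", "Fw: Use this patch immediately !",
    "Hello Bob,\n\nYou should apply this fix which solves the newest\n"
    "Internet Explorer Vulnerability described in MS05-023.\n",
    "Q723523_W9X_WXP_x86_EN.exe")
BENIGN_SAMPLE = build_sample(
    "alice@example.invalid", "Re: lunch on Friday", "Does noon work?\n", "agenda.txt")

if __name__ == "__main__":
    for label, raw in [("worm", WORM_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        print(label, classify(raw))
```

The fixed-subject list is deliberately only an exact match after normalisation; several entries ("Details", "Approved") are common enough in legitimate mail that a subject hit alone should raise a score, not block, while a spoofed sender or a known attachment name is a much stronger signal.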

Once run, the virus will do the following:

1. Creates a mutex named "Torvil".

2. Creates the aforementioned registry keys and entries.

3. Searches for e-mail addresses in files with the extensions .ODS .MMF .NCH .DBX .MAI .MHT .WAB .MBX .TBB .EML .DAT .TXT .HTM .DOC .RTF .DOT .ABD .HTML .PHP .MBOX and in the "INBOX" folder.

4. Searches the disk and builds lists and file counts of:

- all the files found (for indexing purposes)
- all the documents found (.DOC .DOT .RTF .XLS)
- all the archives found (.RAR .ZIP .ACE)
- all the image files found (.JPG .BMP .GIF .PNG)

It later uses these filenames to name its attachments, so that they mimic files found on the infected machine.

5. Creates the mstorvil.{21EC2020-3AEA-1069-A2DD-08002B30309D} folder, sets its attributes to hidden, and shares this folder on Kazaa, eDonkey and Xolox.

6. Approximately every 24 seconds it attempts to:
- send itself through e-mail
- create a copy of the virus in the mstorvil.{21EC2020-3AEA-1069-A2DD-08002B30309D} folder

The copies of the worm placed in this folder may be:

ACDSee32 v2.41 Crack.exe
Adobe Encore DVD 1.0 Crack.exe
BearShare Pro v4.0.1 Crack.exe
BestCrypt v7.08.1 Crack.exe
Cultures 3 Northland Crack.exe
Colin McRae Rally 4 Crack.exe
DivX Pro 5.1 Crack.exe
DVD X Studios CloneDVD 1.25 Crack.exe
Dragons Lair 3D Multilanguage Crack.exe
Empereur L'Empire du Milieu - Mise a Jour Crack.exe
EasyRecovery v1.1.01 Crack.exe
iMesh v3.0b Ad Remover Crack.exe
Norton AntiVirus 2004 Crack.exe
Star Wars Jedi Knight Jedi Academy Crack.exe
Tony Hawks Pro Skater 4 Multilanguage NoCD Crack.exe
You dont know Jack 4 Crack.exe
Zone Alarm Pro 4.0 Crack.exe

The virus also creates copies of itself named after the archives it found, appending combinations of the .pif and .exe extensions.
Example: if it finds the archive "documents.zip", it may create copies of itself as "documents.zip.pif", "documents.exe", "documents.zip.pif.pif" or "documents.zip.pif.pif.exe".

7. After a period of time, it jumps back to step 3, to see if new files were added.

8. These IPs can also be found inside the virus:

152.163.159.232 193.189.233.45 149.174.211.8 193.189.231.2 64.12.51.132 216.109.116.17
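Steps 5 and 6 above describe the on-disk traces an infection leaves: the hidden share folder, the "Crack.exe" copies and the stacked-extension copies named after archives. The following Python script is an added example, not part of the BitDefender write-up: it walks a directory tree with os.walk and reports all three. The folder and file names are transcribed from the text; the stacked-extension rule is the "documents.zip" example generalised to <stem>[.rar|.zip|.ace](.pif|.exe)+ and is only applied when an archive with that stem sits in the same directory, which keeps an ordinary setup.exe from being flagged. The sample tree is constructed in a temporary directory with placeholder files. Explorer renders a folder whose name ends in a {CLSID} suffix as the corresponding shell object rather than showing its contents, which is why a plain directory walk like this one, rather than browsing in Explorer, is the right way to look for it.

```python
"""Locate on-disk traces of Win32.Ivrol.A@mm described in steps 5 and 6 above:
the hidden share folder, the crack-named copies and the stacked-extension
copies named after archives. Names are transcribed from the write-up; the
sample tree is constructed with placeholder files."""
import os
import re
import tempfile

SHARE_FOLDER = "mstorvil.{21EC2020-3AEA-1069-A2DD-08002B30309D}"
CRACK_LURES = {n.lower() for n in [
    "ACDSee32 v2.41 Crack.exe", "Adobe Encore DVD 1.0 Crack.exe",
    "BearShare Pro v4.0.1 Crack.exe", "BestCrypt v7.08.1 Crack.exe",
    "Cultures 3 Northland Crack.exe", "Colin McRae Rally 4 Crack.exe",
    "DivX Pro 5.1 Crack.exe", "DVD X Studios CloneDVD 1.25 Crack.exe",
    "Dragons Lair 3D Multilanguage Crack.exe",
    "Empereur L'Empire du Milieu - Mise a Jour Crack.exe",
    "EasyRecovery v1.1.01 Crack.exe", "iMesh v3.0b Ad Remover Crack.exe",
    "Norton AntiVirus 2004 Crack.exe", "Star Wars Jedi Knight Jedi Academy Crack.exe",
    "Tony Hawks Pro Skater 4 Multilanguage NoCD Crack.exe",
    "You dont know Jack 4 Crack.exe", "Zone Alarm Pro 4.0 Crack.exe",
]}
ARCHIVE_EXTS = (".rar", ".zip", ".ace")
# <stem>[.archive-ext](.pif|.exe)+ : the naming pattern from the "documents.zip" example
STACKED = re.compile(r"^(?P<stem>.+?)(?:\.(?:rar|zip|ace))?(?:\.(?:pif|exe))+$", re.I)


def find_stacked_copies(names):
    """From the file names of one directory, return those that look like worm
    copies named after an archive that sits in the same directory."""
    stems = {os.path.splitext(n)[0].lower() for n in names
             if n.lower().endswith(ARCHIVE_EXTS)}
    hits = []
    for n in names:
        m = STACKED.match(n)
        if m and m.group("stem").lower() in stems:
            hits.append(n)
    return hits


def scan_tree(root):
    """Walk a tree and return (kind, path) findings for the three indicator types."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d.lower() == SHARE_FOLDER.lower():
                findings.append(("share-folder", os.path.join(dirpath, d)))
        for f in filenames:
            if f.lower() in CRACK_LURES:
                findings.append(("crack-lure", os.path.join(dirpath, f)))
        for f in find_stacked_copies(filenames):
            findings.append(("stacked-extension", os.path.join(dirpath, f)))
    return findings


def summarize(findings):
    """Group findings by kind as sorted base names, for reporting."""
    out = {}
    for kind, path in findings:
        out.setdefault(kind, []).append(os.path.basename(path))
    return {k: sorted(v) for k, v in out.items()}


def build_sample_tree():
    """Create a constructed tree mimicking an infected host (placeholder files only)."""
    root = tempfile.mkdtemp(prefix="ivrol-demo-")
    files = [
        ("Program Files", "Kazaa", SHARE_FOLDER, "Norton AntiVirus 2004 Crack.exe"),
        ("Documents", "documents.zip"),
        ("Documents", "documents.zip.pif"),
        ("Documents", "documents.zip.pif.pif.exe"),
        ("Documents", "report.doc"),
        ("Documents", "setup.exe"),
    ]
    for parts in files:
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed placeholder, not the worm")
    return root


if __name__ == "__main__":
    for kind, names in summarize(scan_tree(build_sample_tree())).items():
        print(kind, names)
```

The stacked-extension rule still produces a hit for a file such as "documents.exe" next to "documents.zip" (a self-extracting archive, for instance), so treat it as a lead to inspect rather than proof; the share-folder name and the crack lures are exact and can be acted on directly.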

Last update 21 November 2011
