W32.HLLW.Torvel.B@mm

Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Moderate

Risk Level 2: Low

Printer Friendly Page|Rate this page

Discovered:: October 12, 2003
Updated:: February 13, 2007 12:09:04 PM
Also Known As:: W32.HLLW.Torvil@mm, W32/Torvil@MM [McAfee]
Type:: Worm
Systems Affected:: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

W32.HLLW.Torvel.B@mm is a mass-mailing worm that uses the currently available MAPI program or its own SMTP engine to spread itself. The email has the following characteristics:

Subject
The subject line is one of the following:

congratulations!
darling
Do not release, its the internal rls!
Documents
Pr0n!
Undeliverable mail--
Returned mail--
here¦s a nice Picture
New Internal Rls...
here¦s the document
here¦s the document you requested
here¦s the archive you requested
Your Account at Info@<FakeDomain> has expired.

Attachment
The attachment can be one of the following:

yourwin.bat
probsolv.doc.pif
flt-xb5.rar.pif
document.doc.pif
sexinthecity.scr
torvil.pif
win$hitrulez.pif
sexy.jpg
flt-ixb23.zip
readit.doc.pif
document1.doc.pif
attachment.zip
message.zip
Q723523_W9X_WXP_x86_EN.exe

The worm may spoof the "From:" field of the email.
The worm can copy itself to the network shares that have weak passwords.
This worm also attempts to spread itself through the file-sharing networks, such KaZaA and Xolox, as well as ICQ and mIRC.
This threat is written in the Borland Delphi programming language and is compressed with ASPack.

Note: Definitions dated prior to October 16, 2003 may detect this threat as W32.HLLW.Torvil@mm.