Surila (f) - Malware Gallery

Informations

Author	?
Family	Surila
Category	Remote Access
Version	Surila (f)
Language	Microsoft Visual C++, compressed with UPX
Additional Information

The backdoor is installed by the MyDoom worm

dropped files:
c:\WINDOWS\iptcp32s.exe         size: 114.688 bytes  (Backdoor.Surila.d)
c:\WINDOWS\system32\sfxprc.dll  size: 69.632 bytes   (Backdoor.Surila.plugin.a)

port: 3607 TCP

added to registry:
HKEY_CLASSES_ROOT\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\ProgID
HKEY_CLASSES_ROOT\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\Programmable
HKEY_CLASSES_ROOT\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\VersionIndependentProgID
HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj\CurVer
HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj.1
HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj.1\CLSID
HKEY_CLASSES_ROOT\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\ProxyStubClsid
HKEY_CLASSES_ROOT\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\ProxyStubClsid32
HKEY_CLASSES_ROOT\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\TypeLib
HKEY_CLASSES_ROOT\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0\0\win32
HKEY_CLASSES_ROOT\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0\FLAGS
HKEY_CLASSES_ROOT\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE7C3CF0-4B15-11D1-ABED-709549C10000}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TCP32SEC\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tcp32sec\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tcp32sec\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TCP32SEC\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcp32sec\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcp32sec\Security

added startup:
c:\windows\win.ini, [windows] "load"
value: iptcp32s.exe 

tested on Windows XP
December 22, 2004