Surila (f)

Copyright © MegaSecurity

By ?


Information
Author: ?
Family: Surila
Category: Remote Access
Version: Surila (f)
Language: Microsoft Visual C++, compressed with UPX
Additional Information
The backdoor is installed by the MyDoom worm.

dropped files:
c:\WINDOWS\iptcp32s.exe         size: 114.688 bytes  (Backdoor.Surila.d)
c:\WINDOWS\system32\sfxprc.dll  size: 69.632 bytes   (Backdoor.Surila.plugin.a)

port: 3607 TCP

added to registry:
HKEY_CLASSES_ROOT\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\ProgID
HKEY_CLASSES_ROOT\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\Programmable
HKEY_CLASSES_ROOT\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\VersionIndependentProgID
HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj\CurVer
HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj.1
HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj.1\CLSID
HKEY_CLASSES_ROOT\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\ProxyStubClsid
HKEY_CLASSES_ROOT\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\ProxyStubClsid32
HKEY_CLASSES_ROOT\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\TypeLib
HKEY_CLASSES_ROOT\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0\0\win32
HKEY_CLASSES_ROOT\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0\FLAGS
HKEY_CLASSES_ROOT\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE7C3CF0-4B15-11D1-ABED-709549C10000}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TCP32SEC\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tcp32sec\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tcp32sec\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TCP32SEC\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcp32sec\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcp32sec\Security

added startup:
c:\windows\win.ini, [windows] "load"
value: iptcp32s.exe 

tested on Windows XP
December 22, 2004
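The indicators listed above (dropped files, registry keys, win.ini startup entry and the listening port) can be checked on a suspect host with the following triage script. It is an added example and not part of the MegaSecurity write-up; it assumes Windows PowerShell 5.1 or later run from an elevated prompt, uses $env:SystemRoot in place of the hard-coded C:\WINDOWS, and relies on Get-NetTCPConnection, which exists only on Windows 8 / Server 2012 and later (on older systems use netstat -ano for the port check).

```powershell
# Added IoC triage check for Backdoor.Surila, based only on the indicators
# listed on this page. Not part of the original write-up. Assumes Windows
# PowerShell 5.1+, elevated, and Get-NetTCPConnection (Windows 8 / 2012+).

$findings = @()

# 1. Dropped files (page lists C:\WINDOWS\iptcp32s.exe and C:\WINDOWS\system32\sfxprc.dll)
$files = @(
    (Join-Path $env:SystemRoot 'iptcp32s.exe'),
    (Join-Path $env:SystemRoot 'system32\sfxprc.dll')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $item = Get-Item -LiteralPath $f
        $findings += "File present: $f ($($item.Length) bytes)"
    }
}

# 2. Registry persistence: COM class / BHO registration and the tcp32sec service.
#    Registry:: provider paths avoid needing an HKCR: drive.
$regKeys = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}',
    'Registry::HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj.1',
    'Registry::HKEY_CLASSES_ROOT\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE7C3CF0-4B15-11D1-ABED-709549C10000}',
    'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcp32sec'
)
foreach ($k in $regKeys) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
}

# 3. win.ini [windows] load= autostart pointing at iptcp32s.exe
$winIni = Join-Path $env:SystemRoot 'win.ini'
if (Test-Path -LiteralPath $winIni) {
    $inWindowsSection = $false
    foreach ($line in Get-Content -LiteralPath $winIni) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inWindowsSection = ($Matches[1] -eq 'windows')
            continue
        }
        if ($inWindowsSection -and $line -match '^\s*load\s*=\s*(.+?)\s*$') {
            $loadValue = $Matches[1]
            if ($loadValue -match 'iptcp32s\.exe') {
                $findings += "win.ini [windows] load= references: $loadValue"
            }
        }
    }
}

# 4. Listener on TCP 3607 and the process that owns it
$listeners = Get-NetTCPConnection -State Listen -LocalPort 3607 -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $findings += "TCP 3607 listening, PID $($l.OwningProcess) ($($proc.ProcessName)) on $($l.LocalAddress)"
}

if ($findings.Count -eq 0) { 'No Surila indicators found.' } else { $findings }
```

Any hit is worth following up rather than treated as proof on its own: the CLSID, ProgID and TypeLib entries belong to a COM object and could in principle be registered by other software, so correlate a registry hit with the file and port checks before concluding the host is infected.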
