Virus Database


Kemerovo.a

Description Kemerovo.a

These are dangerous non-memory-resident parasitic viruses. They search for .COM files in the current directory, write themselves to the end of each file, and write a jump-to-virus instruction sequence (four bytes: XCHG AX,DX; JMP Loc_Virus) to the file header. Depending on the system timer, these viruses may reboot the computer. They contain the string ".COM". When attempting to infect, they open the files and may leave them open.


Backdoor.Win32.Surila.k

Description Backdoor.Win32.Surila.k

Surila is a Trojan backdoor. The program is a Windows PE EXE file packed with Obsidium and written in Visual C++. The packed file size is 244 KB and the unpacked size is approximately 413 KB.
Installation
Upon being launched, Surila copies itself into the Windows system folder under the name 'dx32cxlp.exe' and creates the following system registry keys:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
devsec = %System%\dx32cxlp.exe

[HKLM\SOFTWARE\Microsoft\Internet Explorer\mutexname]
with 'mutexname' being a random value.
The first key makes the backdoor launch automatically after every reboot; the second stores the mutex name the backdoor uses to recognise that it is already installed on the system.
Surila then copies itself into the StartUp folder and creates a file named dx32cxconf.ini in the Windows system folder.
Surila creates a service named dx32cxel: %System%\dx32cxel.sys.
In order to gain full access to the Internet, Surila registers itself in the Windows FirewallPolicy, thereby becoming a legal program with full Internet rights.
Payload
Surila installs a proxy server on a random port to relay HTTP and SMTP traffic. The infected machine can then be used illegally, for instance as part of a spam-sending botnet.
Communication with the client module
Surila attempts to contact the following IRC servers to receive commands:
Other
Surila changes the following lines in the hosts file in order to try and block antivirus database updates and access to antivirus vendors' websites:
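A defender-side check for the hosts-file tampering described above, added here as an example (it is not code from the original description): it parses hosts-file text, flags loopback entries that sinkhole the security-vendor domains the description names, and returns a cleaned copy. The sample hosts text is constructed, and treating 0.0.0.0 and ::1 as sinkhole addresses in addition to the 127.0.0.1 the page mentions goes beyond the page.

```python
# Vendor domains taken from the hosts entries the description lists; any
# subdomain of these is treated as a vendor host.
VENDOR_DOMAINS = (
    "kaspersky.com", "kaspersky-labs.com", "avp.com", "viruslist.com",
    "symantec.com", "symantecliveupdate.com", "mcafee.com", "nai.com",
    "networkassociates.com", "f-secure.com", "sophos.com", "ca.com",
    "my-etrust.com", "trendmicro.com",
)
# Addresses that make a name resolve to nowhere (page shows 127.0.0.1 only).
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample hosts file, not captured from a real infection.
SAMPLE_HOSTS = """\
# hosts file
127.0.0.1       localhost
10.0.0.5        intranet.example.local
127.0.0.1 www.avp.com
127.0.0.1 liveupdate.symantec.com   # injected entry
127.0.0.1 downloads1.kaspersky-labs.com
0.0.0.0 update.symantec.com
"""

def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        entries.extend((parts[0], name.lower()) for name in parts[1:])
    return entries

def is_vendor_host(name):
    """True if name is a listed vendor domain or one of its subdomains."""
    return any(name == d or name.endswith("." + d) for d in VENDOR_DOMAINS)

def find_av_blocking(text):
    """Entries that point a security-vendor host at a sinkhole address."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if ip in SINKHOLE_IPS and is_vendor_host(name)]

def clean_hosts(text):
    """Hosts text with the offending lines dropped; every other line is kept."""
    kept = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        bad = (len(parts) >= 2 and parts[0] in SINKHOLE_IPS
               and any(is_vendor_host(n.lower()) for n in parts[1:]))
        if not bad:
            kept.append(raw)
    return "\n".join(kept) + "\n"
```

On a Windows host the file to read is %SystemRoot%\System32\drivers\etc\hosts; the cleaned text should be reviewed before it is written back.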

Backdoor.Win32.Whisper.a

Description Backdoor.Win32.Whisper.a
This program gives a remote malicious user access to the victim machine. The program itself is a Windows PE EXE file 20480 bytes in size.
Installation
Once launched, the backdoor copies itself to the Windows system directory as "rundll32.exe":
%System%\rundll32.exe
It then registers this file

    Copyright © 2005 Virus-Database.com