Virus Database


Backdoor.Win32.Surila.k

Description Backdoor.Win32.Surila.k

Surila is a Trojan backdoor. The program is a Windows PE EXE file packed with Obsidium and written in Visual C++. The packed file size is 244 KB and the unpacked size is approximately 413 KB.
Installation
Upon being launched, Surila copies itself into the Windows system folder under the name 'dx32cxlp.exe' and creates the following system registry keys:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
devsec = %System%\dx32cxlp.exe

[HKLM\SOFTWARE\Microsoft\Internet Explorer\mutexname]
where 'mutexname' is a random value.
The first entry launches the backdoor automatically after every reboot; the second is used like a mutex, an infection marker that lets Surila recognise a system it has already compromised.
Surila then copies itself into the StartUp folder and creates a file named dx32cxconf.ini in the Windows system folder.
Surila also creates a service named dx32cxel, backed by the file %System%\dx32cxel.sys.
To obtain unrestricted network access, Surila registers itself in the Windows Firewall policy (FirewallPolicy), so that the firewall treats it as an authorized application with full Internet access.
Payload
Surila starts a proxy server on a random port that relays HTTP and SMTP traffic. The infected machine can then be abused by third parties, for example as a relay in a spam botnet.
Communication with the client module
Surila attempts to connect to the following IRC servers (IP:port) to receive commands:
62.241.53.2:4242
211.233.41.235:4661
81.23.250.167:4242
193.19.227.24:4661
66.98.192.99:3306
207.44.222.47:4661
213.158.119.104:4661
207.44.206.27:4661
62.241.53.4:4242
216.127.94.107:4661
67.15.18.45:3306
62.241.53.15:4242
64.246.54.12:3306
62.241.53.16:4242
211.214.161.107:4661
67.15.18.57:3306
66.98.144.100:4242
69.50.187.210:4661
66.111.43.80:4242
212.199.125.36:8080
66.90.68.2:6565
62.241.53.17:4242
69.50.228.50:4646
81.23.250.169:4242
69.57.132.8:4661
4.246.18.98:4661
218.78.211.62:4661
207.44.142.33:4242
64.246.16.11:4661
205.209.176.220:4661
80.64.179.46:4242
65.75.161.70:4661
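To use the list above as network indicators, an analyst would compare live connections against it and then look at what else the matching process is doing. The following Python script is an added example, not code from the original page: it parses Windows `netstat -ano` output (the sample is constructed, not captured from an infection), matches remote endpoints against a subset of the C2 list (an exact IP:port match is high confidence; a listed IP on another port is weaker, since the same hosts may serve unrelated customers), and correlates the matching PIDs with LISTENING sockets, which is where the random-port proxy described under Payload would show up.

```python
"""Match netstat output against Surila's C2 list and find the proxy port.

Added example for the Surila description above; not code from the original
page. SAMPLE_NETSTAT is constructed `netstat -ano` output, not a capture
from an infected host. SURILA_C2_TEXT is a subset of the list above.
"""
import re

# Subset of the IRC C2 endpoints listed above; paste the full list here in
# the same ip:port format for real use.
SURILA_C2_TEXT = """
62.241.53.2:4242
62.241.53.4:4242
211.233.41.235:4661
66.98.192.99:3306
212.199.125.36:8080
"""

# Constructed `netstat -ano` output (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:27431          0.0.0.0:0              LISTENING       1488
  TCP    192.168.1.23:1052      62.241.53.2:4242       ESTABLISHED     1488
  TCP    192.168.1.23:1060      66.98.192.99:3306      SYN_SENT        1488
  TCP    192.168.1.23:1061      62.241.53.4:80         ESTABLISHED     2204
  TCP    192.168.1.23:1070      212.199.125.36:443     ESTABLISHED     2204
  TCP    192.168.1.23:1075      72.14.207.99:80        ESTABLISHED     2204
  UDP    0.0.0.0:500            *:*                                    600
"""

# One TCP row of `netstat -ano`: local ip:port, remote ip:port, state, pid.
NETSTAT_TCP = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$"
)


def load_c2(text):
    """Return (set of (ip, port), set of ip) from ip:port lines."""
    pairs = set()
    for token in text.split():
        ip, _, port = token.rpartition(":")
        pairs.add((ip, int(port)))
    return pairs, {ip for ip, _ in pairs}


def parse_netstat(text):
    """Parse TCP rows into dicts; headers and UDP rows (no state) are skipped."""
    conns = []
    for raw in text.splitlines():
        m = NETSTAT_TCP.match(raw)
        if not m:
            continue
        lip, lport, rip, rport, state, pid = m.groups()
        conns.append({"local": (lip, int(lport)), "remote": (rip, int(rport)),
                      "state": state, "pid": int(pid)})
    return conns


def triage(netstat_text, c2_text=SURILA_C2_TEXT):
    """Return (hits, suspect_listeners).

    hits: (confidence, pid, "ip:port", state). 'exact' means the remote
    ip:port is on the C2 list; 'host' means only the IP is listed, which is
    weaker evidence because the same server may host unrelated services.
    suspect_listeners: (pid, "ip:port") for LISTENING sockets owned by a PID
    that has a hit. Surila's proxy listens on a random port, so correlating
    by PID is the only way to spot it from netstat alone.
    """
    pairs, hosts = load_c2(c2_text)
    conns = parse_netstat(netstat_text)
    hits, hit_pids = [], set()
    for c in conns:
        rip, rport = c["remote"]
        if (rip, rport) in pairs:
            confidence = "exact"
        elif rip in hosts:
            confidence = "host"
        else:
            continue
        hits.append((confidence, c["pid"], f"{rip}:{rport}", c["state"]))
        hit_pids.add(c["pid"])
    listeners = [(c["pid"], f"{c['local'][0]}:{c['local'][1]}")
                 for c in conns
                 if c["state"] == "LISTENING" and c["pid"] in hit_pids]
    return hits, listeners


if __name__ == "__main__":
    hits, listeners = triage(SAMPLE_NETSTAT)
    for confidence, pid, remote, state in hits:
        print(f"[{confidence:5}] pid {pid} -> {remote} ({state})")
    for pid, local in listeners:
        print(f"pid {pid} also listens on {local}: inspect that process binary")
```

In the constructed sample, PID 1488 has two exact hits and an unexplained listener on port 27431, which is the pattern to chase; PID 2204 only touches listed IPs on ports 80 and 443 and has no listener, so it needs a second look at the process before being called an infection.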
Other
Surila adds the following entries to the hosts file, redirecting antivirus vendors' websites and update servers to the loopback address (127.0.0.1) so that antivirus database updates and visits to those sites fail:
127.0.0.1 www.avp.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 www.symantec.com
127.0.0.1 networkassociates.com
127.0.0.1 secure.nai.com
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads3.kaspersky-labs.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 downloads-us1.kaspersky-labs.com
127.0.0.1 downloads-eu1.kaspersky-labs.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.networkassociates.com
127.0.0.1 us.mcafee.com
127.0.0.1 f-secure.com
127.0.0.1 avp.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.f-secure.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 update.symantec.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 viruslist.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 updates.symantec.com
127.0.0.1 kaspersky.com
127.0.0.1 www.trendmicro.com
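A practitioner checking a machine for this kind of tampering wants to find the redirected names and undo them without deleting legitimate loopback entries. The following Python script is an added example, not code from the original page or from the malware: it parses a hosts file, flags every non-local hostname mapped to a loopback or blackhole address, marks which of those belong to the vendor domains in the list above, and rewrites the file keeping only the legitimate names. The sample hosts file is constructed; the vendor-domain set is taken from the list above.

```python
"""Find and remove hosts-file entries that sinkhole antivirus vendor domains.

Added example for the Surila description above; not code from the original
page or from the malware. SAMPLE_HOSTS is a constructed hosts file.
"""
import ipaddress

# Addresses malware maps a name to in order to make it unreachable.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# Names that legitimately point at loopback; never flag these.
LEGIT_LOCAL = {"localhost", "localhost.localdomain", "broadcasthost"}

# Registrable domains of the vendors in the hosts list above.
AV_DOMAINS = {
    "avp.com", "viruslist.com", "kaspersky-labs.com", "kaspersky.com",
    "symantec.com", "symantecliveupdate.com", "networkassociates.com",
    "nai.com", "mcafee.com", "f-secure.com", "sophos.com", "ca.com",
    "my-etrust.com", "trendmicro.com",
}

# Constructed sample, modelled on a Surila-modified hosts file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1 www.avp.com
127.0.0.1 liveupdate.symantec.com   # added by malware
127.0.0.1\tdownloads1.kaspersky-labs.com downloads2.kaspersky-labs.com
127.0.0.1 dev.myapp.local
0.0.0.0 update.symantec.com
192.168.0.10 fileserver
"""


def parse_hosts(text):
    """Yield (lineno, ip, [hostnames]) for every mapping line.

    Blank lines and comments are skipped; a trailing '# comment' after the
    hostnames is dropped; tabs and runs of spaces are both accepted.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # not an address mapping; leave it alone
        yield lineno, ip, [h.lower().rstrip(".") for h in fields[1:]]


def registrable(host):
    """Last two labels of a hostname (adequate for the vendor list above,
    which contains no multi-label public suffixes such as co.uk)."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def find_sinkholed(text):
    """Return [(lineno, hostname, ip, is_known_av_vendor)] for every
    non-local hostname mapped to a sinkhole address."""
    findings = []
    for lineno, ip, hosts in parse_hosts(text):
        if ip not in SINKHOLE_ADDRS:
            continue
        for host in hosts:
            if host in LEGIT_LOCAL:
                continue
            findings.append((lineno, host, ip, registrable(host) in AV_DOMAINS))
    return findings


def clean_hosts(text, vendors_only=True):
    """Return the hosts file with sinkholed entries removed.

    By default only known vendor names are removed, because developers do
    map private names (dev.myapp.local) to loopback on purpose. A line that
    mixes legitimate and flagged names is rewritten to keep the former.
    """
    flagged = {}
    for lineno, host, _, is_vendor in find_sinkholed(text):
        if is_vendor or not vendors_only:
            flagged.setdefault(lineno, set()).add(host)
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if lineno not in flagged:
            out.append(raw)
            continue
        fields = raw.split("#", 1)[0].split()
        keep = [h for h in fields[1:]
                if h.lower().rstrip(".") not in flagged[lineno]]
        if keep:
            out.append(fields[0] + "\t" + " ".join(keep))
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    for lineno, host, ip, is_vendor in find_sinkholed(SAMPLE_HOSTS):
        tag = "AV VENDOR" if is_vendor else "review"
        print(f"line {lineno}: {host} -> {ip} [{tag}]")
    print("--- cleaned ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

Reporting every loopback-mapped name but removing only the vendor ones is deliberate: a hosts file is also used for legitimate local overrides, so the non-vendor findings are left for a human to review rather than silently deleted. On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts and needs administrative rights to rewrite.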


NextGen.2304

Description NextGen.2304

It is a harmless (non-destructive) memory-resident parasitic stealth virus. It hooks INT 21h and INT 2Fh and appends itself to the end of EXE files as they are accessed. It contains the text strings:
The NextGen Stealth Virus
IL USA, 6-93all(Revision)

Ng.695

Description Ng.695

These are harmless (non-destructive) memory-resident parasitic viruses. They hook INT 13h and INT 28h; on each INT 28h call they search the current directory for COM files and write themselves to the beginning of each file. They contain the encrypted text strings:
"Ng.695,706": New Generation v.2.1 (NG-2.1 Ukr) *.COM
"Ng.914": NG-2.2 Ukr *.COM
"Ng.1036": NG-2.3 Ukr

"Ng.695,706" also displays the message:
Bad command or file name

    Copyright © 2005 Virus-Database.com