Virus Database

Backdoor.Win32.Surila.k

Description Backdoor.Win32.Surila.k

Surila is a Trojan backdoor. The program is a Windows PE EXE file packed with Obsidium and written in Visual C++. The packed file size is 244 KB and the unpacked size is approximately 413 KB.
Installation
Upon being launched, Surila copies itself into the Windows system folder under the name 'dx32cxlp.exe' and creates the following system registry keys:
[HKLMSoftwareMicrosoftWindowsCurrentVersionRun]
devsec = %System%dx32cxlp.exe

[HKLMSOFTWAREMicrosoftInternet Explorermutexname]
with 'mutexname' being a random value.
The first key supports automatic launch following every reboot, and the second is a mutex that ensures self-identification in the system.
Surila then copies itself into the StartUp folder and creates a file named dx32cxconf.ini in the Windows system folder.
Surila creates a service named dx32cxel: %Systemdx32cxel.sys.
In order to gain full access to the Internet, Surila registers itself in the Windows FirewallPolicy, thereby becoming a legal program with full Internet rights.
Payload
Surila installs a proxy server on a random port to process HTTP and SMTP traffic. The infected machine is now open for illegal use, in a spammer bot network, for instance.
Communication with the client module
Surila attempts to contact the following IRC servers to receive commands:
62.241.53.2:4242
211.233.41.235:4661
81.23.250.167:4242
193.19.227.24:4661
66.98.192.99:3306
207.44.222.47:4661
213.158.119.104:4661
207.44.206.27:4661
62.241.53.4:4242
216.127.94.107:4661
67.15.18.45:3306
62.241.53.15:4242
64.246.54.12:3306
62.241.53.16:4242
211.214.161.107:4661
67.15.18.57:3306
66.98.144.100:4242
69.50.187.210:4661
66.111.43.80:4242
212.199.125.36:8080
66.90.68.2:6565
62.241.53.17:4242
69.50.228.50:4646
81.23.250.169:4242
69.57.132.8:4661
4.246.18.98:4661
218.78.211.62:4661
207.44.142.33:4242
64.246.16.11:4661
205.209.176.220:4661
80.64.179.46:4242
65.75.161.70:4661
Other
Surila changes the following lines in the hosts file in order to try and block antivirus database updates and access to antivirus vendors' websites:
127.0.0.1 www.avp.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 www.symantec.com
127.0.0.1 networkassociates.com
127.0.0.1 secure.nai.com
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads3.kaspersky-labs.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 downloads-us1.kaspersky-labs.com
127.0.0.1 downloads-eu1.kaspersky-labs.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.networkassociates.com
127.0.0.1 us.mcafee.com
127.0.0.1 f-secure.com
127.0.0.1 avp.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.f-secure.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 update.symantec.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 viruslist.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 updates.symantec.com
127.0.0.1 kaspersky.com
127.0.0.1 www.trendmicro.com

Check other viruses! Be aware! Use Antiviral Software

Gluck.761

Description Gluck.761

It is a dangerous memory resident parasitic virus. It hooks INT 21h and writes itself to the end of .COM-files that are executed. The virus deletes the CHKLIST.MS file. If the name of the executed program is *WEB.*, the virus terminates execution, and displays the message:
Error reading fat!

At midnight the virus "shakes" the screen and displays the message:
You iave a ¨GLUCK¨ !!!

Glue.4000.a

Description Glue.4000.a

It is a very dangerous memory resident multipartite virus. It writes itself to the end of .COM and .EXE files and to the MBR of the hard drive and boot sectors of floppy disks. The virus is encrypted in files. While accessing to infected disk sectors the virus calls its stealth routine.
When an infected file is executed, the virus hooks INT 21h and stays memory resident. It then infects the files that are executed or opened. Before infecting a file, the virus infects current disk (MBR in case of hard drive, or boot sector in case of floppy disk). While infecting a disk the virus overwrites the boot or MBR sector, then writes its code and original boot/MBR sector to the disk sectors that are then marked as bad ones. Reinfection of disks and files is possible. In some cases the virus corrupts the floppy disk boot sector while infecting. The virus also has other bugs and may halt the system while infecting a file.
On FindFirst/Next DOS calls the virus calls its stealth routine and shows decreased length of infected files. When BACKUP.COM or CHKDSK.COM utilities are run, the virus disables that routine.
While loading from infected disk the virus hooks INT 13h, waits for DOS loading process, then hooks INT 21h and INT 9 (keyboard). INT 9 handler contains a counter and increases it on any keystroke. When this counter reaches 10000, the virus starts to disable writing to disk (INT 13h) without any error message or return code. That will corrupt the files while writing to them.
The variants of this virus contain the text strings:
"Glue.4000.a":
COMEXEBACKUP.COMCHKDSK.COM
The Digital Glue (C) 1990,1991 by Eastern Digital
1900 Timi$oara
THE END

"Glue.4000.b":
COMEXEBACKUP.COMCHKDSK.COM
Lipici (C) 1991 by Eastern Digital
1900 Timi$oara

Home