Troj/Surila-E is a backdoor Trojan which allows a remote intruder to gain access to, and control over, the computer.
Troj/Surila-E includes functionality to access the internet and communicate with a remote server over HTTP.
When first run, Troj/Surila-E copies itself to:
<Windows folder>\csrss.exe
<Windows folder>\msupdate.exe
and creates the file <Windows folder>\dodrrr.exe, which is detected as Troj/Surila-D.
Troj/Surila-E modifies the system file sfc_os.dll in an attempt to disable Windows File Protection (System File Checker). The Trojan may do this so that it can modify further system files without them being restored.
The following registry entries are created to run msupdate.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\msupdate = <Windows folder>\msupdate.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msupdate = <Windows folder>\msupdate.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\msupdate = <Windows folder>\msupdate.exe
Registry entries are set as follows (key\value name = data):
HKCU\Software\Microsoft\Internet Explorer\mtxqwnm = nVKHFQU
HKCU\Software\Microsoft\Internet Explorer\veer = 40040
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\DisableRegistryTools = 0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\DisableRegistryTools = 0
HKLM\SOFTWARE\Microsoft\Ole\WINRUN = msupdate.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = 0
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\WINRUN = msupdate.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = ffffff9d
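A PowerShell check for the dropped files and registry artifacts listed above, added here as an example and not part of the original advisory. It assumes the registry data types are not known (the listing does not give them), so DWORD values are compared in both decimal and hex form, and it assumes the sfc_os.dll under System32 is the file the Trojan modifies.

```powershell
# Added example: look for the Troj/Surila-E artifacts described in the advisory.
# Registry paths, value names and data are taken from the listing; data types are
# assumed unknown, so DWORDs are matched against both their decimal and hex text.
$windir = $env:WINDIR

# Files dropped directly under the Windows folder. Note that the legitimate
# csrss.exe lives in System32, so a copy at $windir\csrss.exe is itself suspicious.
$droppedFiles = @("$windir\csrss.exe", "$windir\msupdate.exe", "$windir\dodrrr.exe")

# Key, value name and expected data from the advisory. DisableRegistryTools = 0 is
# also a benign state, so it is listed only because the advisory records it.
$indicators = @(
  @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';     Name='msupdate';   Data="$windir\msupdate.exe" },
  @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';     Name='msupdate';   Data="$windir\msupdate.exe" },
  @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'; Name='msupdate';   Data="$windir\msupdate.exe" },
  @{ Key='HKCU:\Software\Microsoft\Internet Explorer';              Name='mtxqwnm';    Data='nVKHFQU' },
  @{ Key='HKCU:\Software\Microsoft\Internet Explorer';              Name='veer';       Data='40040' },
  @{ Key='HKLM:\SOFTWARE\Microsoft\Ole';                            Name='WINRUN';     Data='msupdate.exe' },
  @{ Key='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';              Name='WINRUN';     Data='msupdate.exe' },
  @{ Key='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='SFCScan';    Data='0' },
  @{ Key='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='SFCDisable'; Data='ffffff9d' }
)

$findings = @()
foreach ($f in $droppedFiles) {
  if (Test-Path -LiteralPath $f) { $findings += "Dropped file present: $f" }
}

foreach ($i in $indicators) {
  # A missing key or value returns $null with SilentlyContinue; treat that as clean.
  $item = Get-ItemProperty -Path $i.Key -Name $i.Name -ErrorAction SilentlyContinue
  if ($null -eq $item) { continue }
  $actual = $item.($i.Name)
  # REG_DWORD comes back as [int]; 0xffffff9d is read as -99 and formats as "ffffff9d".
  $forms = if ($actual -is [int]) { @(('{0:x}' -f $actual), [string]$actual) } else { @([string]$actual) }
  if ($forms -contains $i.Data) { $findings += "Registry match: $($i.Key)\$($i.Name) = $actual" }
}

# The advisory says sfc_os.dll is patched to disable file protection; a signature
# that is not Valid warrants comparing the file against a known-good copy.
$sfc = "$env:SystemRoot\System32\sfc_os.dll"
if (Test-Path -LiteralPath $sfc) {
  $sig = Get-AuthenticodeSignature -FilePath $sfc
  if ($sig.Status -ne 'Valid') { $findings += "sfc_os.dll signature status: $($sig.Status)" }
}

if ($findings.Count -eq 0) { 'No Troj/Surila-E artifacts found.' } else { $findings }
```

Run from an elevated prompt so the HKLM keys and System32 are readable; the Run/RunOnce entries and the Winlogon SFC values are the strongest signals, since the Internet Explorer markers are easily renamed by variants.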