Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Protection available since | 2 December 2005 21:48:18 (GMT) |
| Detected by | All Sophos products |
| | Endpoint Security and Control 9.0 |
| | Small business solutions 4.0 |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/Surila-J is a backdoor Trojan which allows a remote intruder to gain access and control over the computer.
Troj/Surila-J includes functionality to access the internet and communicate with a remote server via HTTP.
When first run, Troj/Surila-J copies itself to:
- <Windows folder>\mwfibpx.exe
- <Windows folder>\smss.exe

and creates the following files:
- <Windows folder>\dodrrr.exe
- <Windows folder>\msfig.dat (empty)

The file dodrrr.exe is detected as Troj/Surila-D.

The following registry entries are created to run mwfibpx.exe on startup:

| Key | Value name | Data |
|---|---|---|
| HKCU\Software\Microsoft\Windows\CurrentVersion\Run | ms_anti_spywarebxp | <Windows folder>\mwfibpx.exe |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | ms_anti_spywarebxp | <Windows folder>\mwfibpx.exe |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | ms_anti_spywarebxp | <Windows folder>\mwfibpx.exe |

Registry entries are set as follows:

| Key | Value name | Data |
|---|---|---|
| HKCU\Software\Microsoft\Internet Explorer | mttrnmbxp | yTHOOBL |
| HKCU\Software\Microsoft\Internet Explorer | veerbxp | 40040 |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies | DisableRegistryTools | 0 |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies | DisableRegistryTools | 0 |
| HKLM\SOFTWARE\Microsoft\Ole | WINRUN | mwfibpx.exe |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | SFCScan | 0 |
| HKLM\SYSTEM\CurrentControlSet\Control\Lsa | WINRUN | mwfibpx.exe |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | SFCDisable | ffffff9d |
The Trojan may also modify or disable the System File Checker (SFC) utility located in <Windows system folder>\sfc_os.dll.
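As an added example (not Sophos's own code or tooling), the following Python checks a `reg export` text dump for the startup entries, the WINRUN values and the SFCDisable setting listed above. The key paths are the HKCU/HKLM expansions of the entries in the description, and the .reg text embedded at the end is constructed sample data rather than a capture from an infected host.

```python
# Added example, not Sophos's code: flag the Troj/Surila-J registry indicators in a `reg export` dump.
CV = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
RUN_KEYS = {CV + r"\Run", CV + r"\RunOnce",
            r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"}
WINRUN_KEYS = {r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole",
               r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"}
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

def parse_reg_export(text):
    """Parse the .reg subset `reg export` emits: [key] headers, then "name"=value lines."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries.setdefault(key, {})
        elif key and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            if value.startswith("dword:"):  # REG_DWORD is written as hex
                entries[key][name.strip('"')] = int(value[6:], 16)
            else:  # REG_SZ data is quoted and has its backslashes doubled
                entries[key][name.strip('"')] = value.strip('"').replace("\\\\", "\\")
    return entries

def find_surila_indicators(reg_text):
    """Return (key, value name, data) for each entry matching the description above."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        for name, data in values.items():
            text = str(data).lower()
            run_hit = key in RUN_KEYS and (name.lower() == "ms_anti_spywarebxp"
                                           or text.endswith("mwfibpx.exe"))
            winrun_hit = key in WINRUN_KEYS and name == "WINRUN" and text == "mwfibpx.exe"
            sfc_hit = key == WINLOGON and name == "SFCDisable" and data == 0xFFFFFF9D
            if run_hit or winrun_hit or sfc_hit:
                hits.append((key, name, data))
    return hits

# Constructed sample export (not a real capture): one benign Run entry plus three Surila-J entries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"ms_anti_spywarebxp"="C:\\WINDOWS\\mwfibpx.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCScan"=dword:00000000
"SFCDisable"=dword:ffffff9d
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"WINRUN"="mwfibpx.exe"
'''
```

Running `find_surila_indicators(SAMPLE_REG)` returns the three Surila-J entries and leaves the benign Run value and the SFCScan value alone.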
