Summary
| Affected operating systems | Windows |
|---|---|
| Included in our products from | December 2005 (4.00) |
| Protection available since | 19 October 2005 20:55:15 (GMT) |
| Last updated | 28 October 2005 12:55:07 (GMT) |
| Detected by | All Sophos products |

Action
Please contact technical support.
More Information
Troj/Surila-D is a Trojan for the Windows platform.
Troj/Surila-D can modify files, steal passwords and act as a spam proxy. The Trojan can disable security-related processes and modify the Hosts file to block access to security-related websites.
When first run, Troj/Surila-D copies itself to:
<Windows>\mwfirebpx.exe
<Windows>\winl0gon.exe
and creates the files <Windows>\msbpx32.dll and <Windows>\dodrrr.exe.
The Trojan may modify the Windows files sfc.dll or sfc_os.dll.
The following registry entries are created to run mwfirebpx.exe on startup:

| Key | Value name | Data |
|---|---|---|
| HKCU\Software\Microsoft\Windows\CurrentVersion\Run | ms_anti_spywarebxp | <Windows>\mwfirebpx.exe |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | ms_anti_spywarebxp | <Windows>\mwfirebpx.exe |
| HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce | ms_anti_spywarebxp | <Windows>\mwfirebpx.exe |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | ms_anti_spywarebxp | <Windows>\mwfirebpx.exe |

Registry entries are set as follows:

| Key | Value name | Data |
|---|---|---|
| HKCU\Software\Microsoft\Internet Explorer | lmnlabxp | aGCMXME |
| HKCU\Software\Microsoft\Internet Explorer | veerbxp | 40036 |
| HKCU\Software\Microsoft\OLE | WINRUN | winl0gon.exe |
| HKLM\SOFTWARE\Microsoft\Ole | WINRUN | winl0gon.exe |
| HKCU\System\CurrentControlSet\Control\Lsa | WINRUN | winl0gon.exe |
| HKLM\SYSTEM\CurrentControlSet\Control\Lsa | WINRUN | winl0gon.exe |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies | DisableRegistryTools | 0 |

Troj/Surila-D overwrites the Hosts file with entries that map security-related websites (anti-virus vendor sites, their update servers and microsoft.com) to 127.0.0.1, so that the infected machine can no longer reach them.

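An added triage check, written for this page rather than taken from the Sophos analysis: it parses a Hosts file and reports security-vendor hosts redirected to loopback, and flags Run/RunOnce values whose name or target matches the autorun entry and dropped files listed above. The watched-domain list is an assumed subset of the vendors named on this page, and the Hosts and registry samples are constructed.

```python
# Added example, not from the Sophos analysis: triage checks for the Hosts-file
# and autorun indicators described above. All sample data below is constructed.
from typing import Dict, List

# Vendor domains the Trojan black-holes; a subset assumed from the page's list.
WATCHED_DOMAINS = ("sophos.com", "symantec.com", "mcafee.com", "kaspersky.com",
                   "kaspersky-labs.com", "trendmicro.com", "virustotal.com")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
AUTORUN_VALUE = "ms_anti_spywarebxp"                # Run/RunOnce value name
DROPPED_FILES = {"mwfirebpx.exe", "winl0gon.exe",    # digit 0, not letter o
                 "msbpx32.dll", "dodrrr.exe"}

def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname in a Hosts file to its address, ignoring comments."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            addr, *names = line.split()
            for name in names:
                mapping[name.lower()] = addr
    return mapping

def find_blackholed(hosts_text: str) -> List[str]:
    """Watched security hosts (or their subdomains) redirected to loopback."""
    def watched(host: str) -> bool:
        return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)
    return sorted(h for h, a in parse_hosts(hosts_text).items()
                  if a in LOOPBACK and watched(h))

def suspicious_autoruns(run_values: Dict[str, str]) -> List[str]:
    """Run/RunOnce value names whose name or target binary matches the Trojan."""
    hits = []
    for name, target in run_values.items():
        binary = target.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name.lower() == AUTORUN_VALUE or binary in DROPPED_FILES:
            hits.append(name)
    return sorted(hits)

# Constructed samples: a tampered Hosts file and a dump of HKCU\...\Run values.
SAMPLE_HOSTS = """127.0.0.1 localhost
127.0.0.1 sophos.com www.sophos.com
127.0.0.1 liveupdate.symantec.com   # update server black-holed
192.0.2.10 intranet.example
"""
SAMPLE_RUN = {"ms_anti_spywarebxp": r"C:\WINDOWS\mwfirebpx.exe",
              "Updater": r"C:\WINDOWS\winl0gon.exe",
              "OneDrive": r"C:\Users\alice\AppData\Local\OneDrive.exe"}
```

On a live system the same functions can be fed the contents of %SystemRoot%\System32\drivers\etc\hosts and the Run/RunOnce values exported from the registry.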