Backdoor.Win32.Surila.k

CyberScrub AntiVirus
Research Bank

Surila is a Trojan backdoor. The program is a Windows PE EXE file packed with Obsidium and written in Visual C++. The packed file size is 244 KB and the unpacked size is approximately 413 KB.

Installation

Upon being launched, Surila copies itself into the Windows system folder under the name 'dx32cxlp.exe' and creates the following system registry keys:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
  devsec = %System%\dx32cxlp.exe

[HKLM\SOFTWARE\Microsoft\Internet Explorer\mutexname]

with 'mutexname' being a random value.

The first key makes the backdoor launch automatically after every reboot; the second acts as a mutex-style marker that lets the program recognise that it is already installed on the system.

Surila then copies itself into the StartUp folder and creates a file named dx32cxconf.ini in the Windows system folder.

Surila also creates a service named dx32cxel whose driver file is %System%\dx32cxel.sys.

To obtain unrestricted Internet access, Surila registers itself in the Windows FirewallPolicy, so that the Windows firewall treats it as an authorised application with full Internet rights.
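A triage helper for the persistence artifacts described in this section, as an added example that is not part of the original write-up. It works on a host snapshot (Run-key values, service names, file names in the system folder) so it runs offline; the snapshot, the helper names and the file list are assumptions built from the write-up, and on a live Windows host the snapshot would be collected with winreg and the service control manager.

```python
"""Triage the Surila persistence artifacts described above from a host snapshot.
Added example, not from the original write-up; the snapshot is constructed and
would be collected with winreg and the service control manager on a live host.
"""
import re
from typing import Dict, Iterable, List

# Artifact names taken from the description above.
RUN_VALUE_NAME = "devsec"
DROPPED_EXE = "dx32cxlp.exe"
SERVICE_NAME = "dx32cxel"
DROPPED_FILES = {"dx32cxlp.exe", "dx32cxconf.ini", "dx32cxel.sys"}

def launched_binary(command: str) -> str:
    """Executable name from a Run-key command line, quotes and arguments stripped."""
    m = re.search(r'([^\\/"]+\.exe)', command, flags=re.IGNORECASE)
    return m.group(1).lower() if m else ""

def check_run_values(run_values: Dict[str, str]) -> List[str]:
    """Flag Run entries by the value name or by the binary they launch."""
    return [f"Run\\{name} -> {cmd}" for name, cmd in run_values.items()
            if name.lower() == RUN_VALUE_NAME or launched_binary(cmd) == DROPPED_EXE]

def check_services(services: Iterable[str]) -> List[str]:
    """Flag the service name the backdoor registers."""
    return [f"service {s}" for s in services if s.lower() == SERVICE_NAME]

def check_system_files(filenames: Iterable[str]) -> List[str]:
    """Flag dropped files found in the Windows system folder listing."""
    return [f"file {f}" for f in filenames if f.lower() in DROPPED_FILES]

def triage(snapshot: dict) -> List[str]:
    """Run all checks; a non-empty result means the host needs a closer look."""
    return (check_run_values(snapshot.get("run", {}))
            + check_services(snapshot.get("services", []))
            + check_system_files(snapshot.get("system_files", [])))

# Constructed snapshot mimicking an infected host (not real telemetry).
SAMPLE_SNAPSHOT = {
    "run": {"ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",
            "devsec": "%System%\\dx32cxlp.exe"},
    "services": ["Dhcp", "dx32cxel", "Eventlog"],
    "system_files": ["kernel32.dll", "dx32cxlp.exe", "dx32cxconf.ini"],
}
```

Matching on both the value name and the launched binary matters because either one alone is trivial for a variant to change.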

Payload

Surila installs a proxy server that listens on a random port and relays HTTP and SMTP traffic. The infected machine can then be abused by third parties, for example as a relay in a spam botnet.

Communication with the client module

Surila attempts to contact the following IRC servers to receive commands:

Other

Surila adds the following lines to the hosts file in an attempt to block antivirus database updates and access to antivirus vendors' websites:

127.0.0.1       www.avp.com
127.0.0.1       www.viruslist.com
127.0.0.1       viruslist.com
127.0.0.1       www.symantec.com
127.0.0.1       networkassociates.com
127.0.0.1       secure.nai.com
127.0.0.1       downloads1.kaspersky-labs.com
127.0.0.1       downloads2.kaspersky-labs.com
127.0.0.1       downloads3.kaspersky-labs.com
127.0.0.1       downloads4.kaspersky-labs.com
127.0.0.1       downloads-us1.kaspersky-labs.com
127.0.0.1       downloads-eu1.kaspersky-labs.com
127.0.0.1       kaspersky-labs.com
127.0.0.1       www.networkassociates.com
127.0.0.1       us.mcafee.com
127.0.0.1       f-secure.com
127.0.0.1       avp.com
127.0.0.1       www.sophos.com
127.0.0.1       sophos.com
127.0.0.1       www.ca.com
127.0.0.1       ca.com
127.0.0.1       securityresponse.symantec.com
127.0.0.1       symantec.com
127.0.0.1       mast.mcafee.com
127.0.0.1       my-etrust.com
127.0.0.1       www.kaspersky.com
127.0.0.1       www.f-secure.com
127.0.0.1       dispatch.mcafee.com
127.0.0.1       update.symantec.com
127.0.0.1       nai.com
127.0.0.1       www.nai.com
127.0.0.1       liveupdate.symantec.com
127.0.0.1       customer.symantec.com
127.0.0.1       rads.mcafee.com
127.0.0.1       trendmicro.com
127.0.0.1       liveupdate.symantecliveupdate.com
127.0.0.1       www.mcafee.com
127.0.0.1       mcafee.com
127.0.0.1       viruslist.com
127.0.0.1       www.my-etrust.com
127.0.0.1       download.mcafee.com
127.0.0.1       updates.symantec.com
127.0.0.1       kaspersky.com
127.0.0.1       www.trendmicro.com

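A hosts-file check for the tampering described above, as an added example that is not part of the original write-up. It parses a hosts file the way the resolver does (comments, tabs, several hostnames per line) and reports antivirus-vendor names pinned to loopback or 0.0.0.0; the vendor list is a sample drawn from the domains named above, and the hosts content is constructed.

```python
"""Scan a hosts file for antivirus-vendor names pinned to loopback, as above.
Added example, not from the original write-up; the vendor list is a sample
drawn from the domains named above and the hosts content is constructed.
"""
import ipaddress
from typing import List, Tuple

AV_VENDOR_DOMAINS = {"kaspersky-labs.com", "kaspersky.com", "symantec.com",
                     "symantecliveupdate.com", "mcafee.com", "nai.com",
                     "sophos.com", "f-secure.com", "trendmicro.com", "ca.com",
                     "viruslist.com", "avp.com", "my-etrust.com",
                     "networkassociates.com"}

def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """(line number, address, hostnames) per entry; comments and blanks skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.append((lineno, fields[0], fields[1:]))
    return entries

def registered_domain(hostname: str) -> str:
    """Last two labels of the name, enough for the vendor list above."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])

def find_sinkholed_vendors(text: str) -> List[Tuple[int, str]]:
    """Vendor hostnames mapped to a loopback or 0.0.0.0 address."""
    hits = []
    for lineno, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed address field, not a resolvable entry
        if ip.is_loopback or ip.is_unspecified:
            hits += [(lineno, n.lower()) for n in names
                     if registered_domain(n) in AV_VENDOR_DOMAINS]
    return hits

# Constructed hosts content, not from a real machine.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
127.0.0.1       www.avp.com
127.0.0.1\tdownloads1.kaspersky-labs.com downloads2.kaspersky-labs.com
0.0.0.0         liveupdate.symantec.com   # 0.0.0.0 sinkholes as well
192.168.1.10    intranet.example.test
"""
```

Checking the whole loopback range and 0.0.0.0, not just the literal 127.0.0.1, catches the same trick written with a different sinkhole address.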