Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | December 2005 (4.00) |
| Protection available since | 4 November 2005 21:44:53 (GMT) |
| Last updated | 5 November 2005 11:38:40 (GMT) |
| Detected by | All Sophos products |
Action

Please read the instructions for removing Troj/Surila-E.
More Information
Troj/Surila-E is a backdoor Trojan which allows a remote intruder to gain access and control over the computer.
Troj/Surila-E includes functionality to access the internet and communicate with a remote server via HTTP.
When first run Troj/Surila-E copies itself to:
<Windows folder>\csrss.exe
<Windows folder>\msupdate.exe
and creates a file <Windows folder>\dodrrr.exe detected as Troj/Surila-D.
Troj/Surila-E patches the system file sfc_os.dll in an attempt to disable Windows File Protection (the System File Checker), which would otherwise restore protected system files that are altered. The Trojan may do this in order to modify further system files without them being restored.
The following registry entries are created to run msupdate.exe on startup (key\value name = data):
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\msupdate = <Windows folder>\msupdate.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msupdate = <Windows folder>\msupdate.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\msupdate = <Windows folder>\msupdate.exe
Registry entries are set as follows (key\value name = data):
HKCU\Software\Microsoft\Internet Explorer\mtxqwnm = nVKHFQU
HKCU\Software\Microsoft\Internet Explorer\veer = 40040
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\DisableRegistryTools = 0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\DisableRegistryTools = 0
HKLM\SOFTWARE\Microsoft\Ole\WINRUN = msupdate.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = 0
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\WINRUN = msupdate.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = ffffff9d
The SFCDisable data ffffff9d (0xffffff9d) is the setting that turns off Windows File Protection on a system whose sfc_os.dll has been patched as described above. The WINRUN values under the Ole and Lsa keys are not standard Windows values, so their presence with the data msupdate.exe is a reliable indicator of this infection.
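As an added example, not part of the Sophos analysis and not Sophos removal tooling, the following PowerShell script checks the local host for the file and registry indicators listed above and reports what it finds without removing anything. It assumes an elevated prompt and PowerShell 4 or later (for Get-FileHash); the paths, value names and data are exactly those given above, and the only additional check, the Authenticode status of sfc_os.dll, is an assumption that only holds on Windows versions where PowerShell consults signing catalogs. DisableRegistryTools = 0 is the normal, permissive setting and is therefore not checked.

```powershell
# Added triage script; not part of the Sophos analysis and not Sophos tooling.
# Reports Troj/Surila-E indicators on the local host and removes nothing.
# Run from an elevated PowerShell prompt.

$win = $env:windir
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files. The legitimate csrss.exe lives in %windir%\System32, so a
#    csrss.exe directly under %windir% is suspicious by its location alone.
foreach ($name in 'csrss.exe', 'msupdate.exe', 'dodrrr.exe') {
    $path = Join-Path $win $name
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings.Add("File present: $path (SHA256 $hash)")
    }
}

# 2. Run/RunOnce persistence under the value name 'msupdate'.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    $item = Get-ItemProperty -Path $key -Name 'msupdate' -ErrorAction SilentlyContinue
    if ($item) { $findings.Add("Autorun: $key\msupdate = $($item.msupdate)") }
}

# 3. Other values the Trojan sets. Data = $null means the value is reported
#    whenever it exists; otherwise it is reported only when the data matches.
$checks = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Ole';                                 Name = 'WINRUN';     Data = 'msupdate.exe' }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                  Name = 'WINRUN';     Data = 'msupdate.exe' }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'SFCDisable'; Data = $null }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'SFCScan';    Data = $null }
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer';                    Name = 'mtxqwnm';    Data = $null }
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer';                    Name = 'veer';       Data = $null }
)
foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    $data = $item.($c.Name)
    # REG_DWORD data comes back as a signed Int32; show it in hex so that
    # SFCDisable = 0xffffff9d is recognisable rather than printing as -99.
    $shown = if ($data -is [int]) { '0x{0:x8}' -f $data } else { "$data" }
    if ($null -eq $c.Data -or "$data" -eq $c.Data) {
        $findings.Add("Registry: $($c.Key)\$($c.Name) = $shown")
    }
}

# 4. Assumption: on Windows versions where PowerShell validates catalog-signed
#    system files, a patched sfc_os.dll no longer carries a valid signature.
#    On older systems this status is not meaningful and sfc /scannow from a
#    trusted environment is the right check.
$sfc = Join-Path $win 'System32\sfc_os.dll'
if (Test-Path -LiteralPath $sfc) {
    $status = (Get-AuthenticodeSignature -FilePath $sfc).Status
    if ($status -ne 'Valid') { $findings.Add("sfc_os.dll signature status: $status") }
}

if ($findings.Count -eq 0) {
    'No Troj/Surila-E indicators found.'
} else {
    $findings
}
```

A hit on the dropped files or on either WINRUN value is sufficient on its own; SFCScan and the two Internet Explorer values are reported only as supporting context, since the script cannot tell whether data such as 0 was set by the Trojan or was already there. Because the Trojan disables Windows File Protection, removal should be followed by restoring sfc_os.dll from trusted media and re-enabling protection before trusting any other system file on the host.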
