by ?
Written in Microsoft Visual C++, compressed with UPX
Origin: China
The backdoor is installed by the MyDoom worm.

Dropped files:
c:\WINDOWS\iptcp32s.exe, size: 114.688 bytes (Backdoor.Surila.d)
c:\WINDOWS\system32\sfxprc.dll, size: 69.632 bytes (Backdoor.Surila.plugin.a)

Port: 3607 TCP

Added to registry (the CLSID, ProgID, Interface and TypeLib keys register a COM class named IEHlprObj.IEHlprObj; the entry under Browser Helper Objects makes Internet Explorer load that object on start; the tcp32sec keys belong to a service of that name):
HKEY_CLASSES_ROOT\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\ProgID
HKEY_CLASSES_ROOT\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\Programmable
HKEY_CLASSES_ROOT\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\VersionIndependentProgID
HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj\CurVer
HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj.1
HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj.1\CLSID
HKEY_CLASSES_ROOT\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\ProxyStubClsid
HKEY_CLASSES_ROOT\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\ProxyStubClsid32
HKEY_CLASSES_ROOT\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\TypeLib
HKEY_CLASSES_ROOT\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0\0\win32
HKEY_CLASSES_ROOT\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0\FLAGS
HKEY_CLASSES_ROOT\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE7C3CF0-4B15-11D1-ABED-709549C10000}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TCP32SEC\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tcp32sec\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tcp32sec\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TCP32SEC\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcp32sec\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcp32sec\Security

Added startup: c:\windows\win.ini, [windows] "load" value: iptcp32s.exe (programs named in this value are started at logon)

Tested on Windows XP
December 22, 2004
MegaSecurity