VirusW32/Surila.C!tr
Analysis
The W32/MyDoom virus is responsible for the installation of this Trojan on systems. This is the list of web sites storing a copy of the Trojan -
http://www.llc.unibo.it/guestbook/temp/
http://www.surrenderzeeland.nl/guestbook/temp/
http://www.mercyships.de/html/content/guestbook/temp/
http://www.hiw.kuleuven.ac.be/psychoanalyse/guestbook/temp/
http://www.ach.ch/Livredor/temp/
http://vugs.geog.uu.nl/guestbook/temp/
http://www.planetboredom.net/bullshit/sucks/temp/
The Trojan is stored as a file named "temp###.dat" where "###" is a 3 digit number. More than likely, a hacker compromised the websites and the Trojan was uploaded unknown to the website administrator.
Once downloaded and run, it will copy itself to the Windows folder or Startup folder as "dx32cxlp.exe".
The Trojan can function as both an HTTP proxy and SMTP relay.
Loading At Windows Startup
The Trojan will register itself to run at each Windows startup -
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
"devsec" = C:\WINNT\SYSTEM32\dx32cxlp.exe
The Trojan creates other registry entries as a marker the system has been compromised -
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\
"mutexname" = qERKAAC
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\
"vers" = 4D, 00, 01, 00
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
Telemetry
Detection Availability
| FortiClient | |
|---|---|
| Extreme | |
| FortiMail | |
| Extreme | |
| FortiSandbox | |
| Extreme | |
| FortiWeb | |
| Extreme | |
| Web Application Firewall | |
| Extreme | |
| FortiIsolator | |
| Extreme | |
| FortiDeceptor | |
| Extreme | |
| FortiEDR |