W32/Surila.D!tr

description-logoAnalysis

The W32/MyDoom virus is responsible for the installation of this Trojan on systems. The downloader attempts to retrieve the remote access Trojan from the IP address 64.40.98.94 as the file "icon.exe".
Once downloaded and run, it will copy itself to the Windows folder or Startup folder as "iexp1orer.exe".
The Trojan can function as both an HTTP proxy and SMTP relay.
Loading At Windows Startup
The Trojan will register itself to run at each Windows startup -
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
"iestart" = C:\WINNT\SYSTEM32\iexp1orer.exe
The Trojan creates other registry entries -
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\
"tza" = D4, 07, 09, 00, 02, 00, 0E, 00, 00, 00, 23, 00, 22, 00, 47, 01
While the Trojan is running in memory, it is referenced by the Mutex name "123Mutex321".

recommended-action-logoRecommended Action

Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option

Telemetry logoTelemetry

Detection Availability

FortiClient
Extreme
FortiMail
Extreme
FortiSandbox
Extreme
FortiWeb
Extreme
Web Application Firewall
Extreme
FortiIsolator
Extreme
FortiDeceptor
Extreme
FortiEDR