Archive Helmet Icon Archive A Reconstructed © MegaSecurity Database

I Feel Lucky I Feel Very Lucky

Surila (f)

Copyright © MegaSecurity

By ?

Informations
Author ?
Family Surila
Category Remote Access
Version Surila (f)
Language Microsoft Visual C++, compressed with UPX
Additional Information
The backdoor is installed by the MyDoom worm

dropped files:
c:\WINDOWS\iptcp32s.exe         size: 114.688 bytes  (Backdoor.Surila.d)
c:\WINDOWS\system32\sfxprc.dll  size: 69.632 bytes   (Backdoor.Surila.plugin.a)

port: 3607 TCP

added to registry:
HKEY_CLASSES_ROOT\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\ProgID
HKEY_CLASSES_ROOT\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\Programmable
HKEY_CLASSES_ROOT\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\VersionIndependentProgID
HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj\CurVer
HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj.1
HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj.1\CLSID
HKEY_CLASSES_ROOT\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\ProxyStubClsid
HKEY_CLASSES_ROOT\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\ProxyStubClsid32
HKEY_CLASSES_ROOT\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\TypeLib
HKEY_CLASSES_ROOT\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0\0\win32
HKEY_CLASSES_ROOT\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0\FLAGS
HKEY_CLASSES_ROOT\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE7C3CF0-4B15-11D1-ABED-709549C10000}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TCP32SEC\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tcp32sec\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tcp32sec\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TCP32SEC\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcp32sec\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcp32sec\Security

added startup:
c:\windows\win.ini, [windows] "load"
value: iptcp32s.exe 

tested on Windows XP
December 22, 2004

This archive is an almost-complete reconstruction of the legendary Mega Security (also known as Kobayashi), a premier 90s-era "Trojan Database" where malware authors once showcased their work. After a decade offline, the site was brought back in August 2024 by its original creator, MasterRat, who authorized the Malware Gallery to host this modernized, searchable version of the collection. While the original site remains available for those seeking a nostalgic, old-school experience, we are proud to continue its legacy here. Full credit and thanks go to MasterRat and the retired Mega Security staff for their years of dedicated work in cataloging these historical samples.