Home / malware Backdoor.Surge
First posted on 27 November 2015.
Source: SymantecAliases :
There are no other names known for Backdoor.Surge.
Explanation :
The Trojan generally arrives bundled with other files.
When the Trojan is executed, it creates the following files:
%AppData%\Microsoft\Crypto\RSA\MachineKeys\sgkey.data %AppData%\Microsoft\Crypto\RSA\MachineKeys\[RANDOM CHARACTERS]%AppData%\Microsoft\DeviceSync\[FILE NAME].exe%AppData%\Microsoft\DeviceSync\[FILE NAME]%AppData%\Microsoft\DeviceSync\[FILE NAME].dll%Temp%\RarSFX0\Readme.txt
The Trojan creates the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DeviceSync\"Type" = "0x00000120"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DeviceSync\"Start" = "0x00000002"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DeviceSync\"ErrorControl" = "0x00000001"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DeviceSync\"ImagePath" = "[DRIVE LETTER]:\Documents and Settings\All Users\Application Data\Microsoft\DeviceSync\[Legit exe name].exe"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DeviceSync\"DisplayName" = "Microsoft Windows DeviceSync Service"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DeviceSync\"ObjectName" = "LocalSystem"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DeviceSync\"Description" = "Allows USB devices to be hosted on this computer. If this service is stopped, any hosted USB devices will stop functioning and no additional hosted devices can be added. If this service is disabled, any services that explicitly depend on it will fail to start."
The Trojan creates the following service:
\(LocalComputer):ServicesActive\DeviceSync
The Trojan creates the following mutex:
Global\SurgeMutexGlobal\SurgeMutex\svchost.exe
The Trojan logs keystrokes, captures clipboard content, encrypts logged content, and uploads content to the following remote locations:
trafficconverter.bizbkmail.blogdns.comdebain.servehttp.comlinuxdns.sytes.netnews.nhknews.hksswmail.gotdns.comsswwmail.gotdns.comsysnc.sytes.netsysteminfothai.gotdns.chthailandbbs.ddns.netubuntudns.sytes.netweb12.nhknews.hk
The Trojan may download additional files and updates.Last update 27 November 2015
