Win32/Simda [Threat Name]

Win32/Simda.B [Threat Variant Name]

Available cleaner: Simda Cleaner

Category: trojan
Size: 572416 B
Detection created: Apr 19, 2012
Signature database version: 8164
Aliases: Backdoor:Win32/Simda.gen!E (Microsoft), PWS-Zbot.gen.zy.trojan (McAfee)
Short description

Win32/Simda.B is a trojan that can interfere with the operation of certain applications. The trojan serves as a proxy server. The trojan hides its presence in the system, using techniques common to rootkits.

Installation

When executed, the trojan creates the following files:

  • %temp%\%number%.sys (159232 B)
  • %temp%\%variable1%-%number%.exe (41984 B)
  • %userprofile%\%variable2%-%number%.exe (41984 B)
  • %system%\c_%variable3%.nls (183300 B)

The trojan may create copies of itself using the following filenames:

  • %appdata%\ScanDisc.exe
  • %appdata%\%variable4%.exe
  • %temp%\%variable5%.tmp

The trojan may create the following files:

  • %userprofile%\Desktop\Computer.lnk

The file is a shortcut to a malicious file.


The trojan may create the following files:

  • %temp%\SE%variable6%
  • %appdata%\mcp.ico
  • %appdata%\%variable7%.reg
  • %appdata%\Mozilla\Firefox\Profiles\%variable8%\searchplugins\search.xml
  • %system%\tasks\task%variable9%
  • %windir%\temp\%variable10%.tmp

The trojan can modify the following files:

  • C:\Windows\system32\drivers\etc\hosts
  • C:\Windows\system32\drivers\etc\hosts.txt
  • %appdata%\Mozilla\Firefox\Profiles\%variable11%\prefs.js

A string with variable content is used instead of %variable1-11% and %number%.


The trojan may load and inject the %temp%\SE%variable6% library into the following processes:

  • explorer.exe

The trojan installs the following system driver (path, name):

  • %temp%\%number%.sys, %number%

The following files are deleted:

  • %temp%\%number%.sys

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Windows Update Server" = "%userprofile%\%variable2%-%number%.exe"

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    • "%appdata%\%variable4%.exe opt"

After the installation is complete, the trojan deletes the original executable file.


The trojan contains both 32-bit and 64-bit program components.

Information stealing

The trojan collects the following information:

  • computer name
  • information about the operating system and system settings
  • volume serial number
  • list of disk devices and their type
  • operating system version

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan serves as a proxy server.


The trojan is able to update itself or execute an arbitrary file.


The trojan contains a list of 246 addresses. The trojan generates various URL addresses. The HTTP protocol is used.


The trojan terminates its execution if it detects that it's running in a specific virtual environment.


The trojan quits immediately if it is run within a debugger.


Win32/Simda.B attempts to get administrative privileges in the system. It exploits the CVE-2010-3338 vulnerability.


The trojan may redirect the user to the attacker's web sites.


The trojan may write the program code of the malware into the following files:

  • %system%\drivers\*.*

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    • "ConsentPromptBehaviorAdmin" = 0
    • "ConsentPromptBehaviorUser" = 0
    • "EnableLUA" = 0
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows]
    • "update" = "shortcut"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]
    • "{20D04FE0-3AEA-1069-A2D8-08002B30309D}" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
    • "{20D04FE0-3AEA-1069-A2D8-08002B30309D}" = 1
  • [HKEY_USERS\%variable%\Software\Microsoft\Internet Explorer\SearchScopes]
    • "DefaultScope" = "%data%"
  • [HKEY_USERS\%variable%\Software\Microsoft\Internet Explorer\SearchScopes\%data%]
    • "URL" = "http://findgala.com/?&uid=%number%&q={searchTerms}"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    • "(Default)" = "Build/13.0"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform]
    • "(Default)" = "Build/13.0"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces]
    • "NameServer" = "8.8.8.8"
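A host triage script for the persistence and configuration changes listed above, as an added example that is not part of the ESET write-up. It assumes the registry paths, value names and data exactly as given on this page, reads the NameServer value from each interface subkey, and is saved as a .ps1 and run on the host under inspection:

```powershell
# Added triage script, not from the ESET write-up: looks for the persistence and
# configuration changes this page attributes to Win32/Simda.B. Paths and values
# come from the write-up; a hit is a lead to investigate, not proof of infection,
# since some of these settings are also changed by legitimate administration.
function Test-RegValue {
    param([string]$Path, [string]$Name, $Expected, [string]$Tag)
    if (-not (Test-Path $Path)) { return }
    $v = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    # $Expected = $null means "report whatever data the value holds"
    if ($null -ne $v -and ($null -eq $Expected -or "$v" -eq "$Expected")) {
        "[$Tag] $Path : $Name = $v"
    }
}

$findings = & {
    # Autostart: Run value named "Windows Update Server" (any data is suspicious)
    Test-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' 'Windows Update Server' $null 'autostart'

    # UAC switched off: EnableLUA and both consent-prompt policies set to 0
    $pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($n in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'ConsentPromptBehaviorUser') {
        Test-RegValue $pol $n 0 'uac-disabled'
    }

    # Infection marker and the hidden "Computer" desktop icon (CLSID 20D04FE0-...)
    Test-RegValue 'HKLM:\Software\Microsoft\Windows' 'update' 'shortcut' 'marker'
    foreach ($k in 'ClassicStartMenu', 'NewStartPanel') {
        Test-RegValue "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\$k" '{20D04FE0-3AEA-1069-A2D8-08002B30309D}' 1 'hidden-icon'
    }

    # "Build/13.0" token added to the browser User-Agent via Post Platform
    foreach ($k in 'Internet Settings', 'Internet Settings\5.0') {
        Test-RegValue "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\$k\User Agent\Post Platform" '(default)' 'Build/13.0' 'user-agent'
    }

    # DNS forced to 8.8.8.8, checked on every interface subkey
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces' -ErrorAction SilentlyContinue |
        ForEach-Object { Test-RegValue $_.PSPath 'NameServer' '8.8.8.8' 'dns' }

    # Hosts file tampering: a hosts.txt beside hosts, plus any active hosts entries for review
    $etc = "$env:windir\System32\drivers\etc"
    if (Test-Path "$etc\hosts.txt") { "[hosts] unexpected file $etc\hosts.txt" }
    Get-Content "$etc\hosts" -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*\d+\.\d+\.\d+\.\d+\s+\S+' } |
        ForEach-Object { "[hosts] active entry: $($_.Trim())" }
}
if ($findings) { $findings } else { 'No Win32/Simda.B indicators found.' }
```

Active hosts entries are listed rather than judged, because a clean machine may legitimately carry some; compare them against the redirection behaviour described on this page.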

The trojan may display fake dialog boxes.