Win32/Simda [Threat Name]
Win32/Simda.B [Threat Variant Name]
Available cleaner: Simda Cleaner
Category | trojan
Size | 572416 B
Aliases | Backdoor:Win32/Simda.gen!E (Microsoft), PWS-Zbot.gen.zy.trojan (McAfee)
Short description
Win32/Simda.B is a trojan that can interfere with the operation of certain applications and serves as a proxy server. It hides its presence in the system using techniques common to rootkits.
Installation
When executed, the trojan creates the following files:
- %temp%\%number%.sys (159232 B)
- %temp%\%variable1%-%number%.exe (41984 B)
- %userprofile%\%variable2%-%number%.exe (41984 B)
- %system%\c_%variable3%.nls (183300 B)
The trojan may create copies of itself using the following filenames:
- %appdata%\ScanDisc.exe
- %appdata%\%variable4%.exe
- %temp%\%variable5%.tmp
The trojan may create the following files:
- %userprofile%\Desktop\Computer.lnk
The file is a shortcut to a malicious file.
The trojan may create the following files:
- %temp%\SE%variable6%
- %appdata%\mcp.ico
- %appdata%\%variable7%.reg
- %appdata%\Mozilla\Firefox\Profiles\%variable8%\searchplugins\search.xml
- %system%\tasks\task%variable9%
- %windir%\temp\%variable10%.tmp
The trojan can modify the following files:
- C:\Windows\system32\drivers\etc\hosts
- C:\Windows\system32\drivers\etc\hosts.txt
- %appdata%\Mozilla\Firefox\Profiles\%variable11%\prefs.js
A string with variable content is used in place of %variable1-11% and %number%.
The trojan may load and inject the %temp%\SE%variable6% library into the following processes:
- explorer.exe
The trojan installs the following system driver (path, name):
- %temp%\%number%.sys, %number%
Once the driver is loaded, the following file is deleted from disk:
- %temp%\%number%.sys
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "Windows Update Server" = "%userprofile%\%variable2%-%number%.exe"
The trojan may set the following Registry entries:
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
- "%appdata%\%variable4%.exe opt"
After the installation is complete, the trojan deletes the original executable file.
The trojan contains both 32-bit and 64-bit program components.
Information stealing
The trojan collects the following information:
- computer name
- information about the operating system and system settings
- volume serial number
- list of disk devices and their type
- operating system version
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan serves as a proxy server.
The trojan is able to update itself or execute an arbitrary file.
The trojan contains a list of 246 addresses and also generates further URL addresses. Communication uses the HTTP protocol.
The trojan terminates its execution if it detects that it is running in a specific virtual environment, and quits immediately if it is run under a debugger.
Win32/Simda.B attempts to obtain administrative privileges in the system by exploiting CVE-2010-3338 (the Windows Task Scheduler elevation-of-privilege vulnerability addressed by MS10-092).
The trojan may redirect the user to the attacker's web sites.
The trojan may write its own program code into existing files in the following location:
- %system%\drivers\*.*
The trojan may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
- "ConsentPromptBehaviorAdmin" = 0
- "ConsentPromptBehaviorUser" = 0
- "EnableLUA" = 0
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows]
- "update" = "shortcut"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]
- "{20D04FE0-3AEA-1069-A2D8-08002B30309D}" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
- "{20D04FE0-3AEA-1069-A2D8-08002B30309D}" = 1
- [HKEY_USERS\%variable%\Software\Microsoft\Internet Explorer\SearchScopes]
- "DefaultScope" = "%data%"
- [HKEY_USERS\%variable%\Software\Microsoft\Internet Explorer\SearchScopes\%data%]
- "URL" = "http://findgala.com/?&uid=%number%&q={searchTerms}"
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
- "(Default)" = "Build/13.0"
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform]
- "(Default)" = "Build/13.0"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces]
- "NameServer" = "8.8.8.8"
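The registry entries above (the "Windows Update Server" Run value used for persistence, the Policies\System values that switch UAC off, the hidden Computer desktop icon, the findgala.com search scope, the "Build/13.0" User-Agent token and the NameServer override) together with the hosts-file modification are the host-side indicators a responder can check offline. The following is an added triage example, not ESET's or the malware's code: it parses a text dump produced by `reg export` and a hosts file and reports which Simda.B indicators are present. The `.reg` parsing logic, the function names and the sample inputs (including the SID, the `ab-31337.exe` filename and the uid value) are this example's own constructions, not values taken from a real infection.

```python
"""Offline triage for the Win32/Simda.B registry and hosts-file indicators on this page.
Added example: the .reg parser and the matching logic are not ESET's or the malware's code.
Inputs assumed: text from `reg export` and the contents of the hosts file. Samples are constructed."""

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
UAC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
COMPUTER_ICON_CLSID = "{20D04FE0-3AEA-1069-A2D8-08002B30309D}"  # the "Computer" desktop icon


def parse_reg_export(text):
    """Parse 'Windows Registry Editor Version 5.00' text into
    {key_path_lowercased: {value_name: value}}. REG_SZ values are unquoted and
    unescaped, dword values become int. Value names containing '=' and
    multi-line hex(...) values are out of scope for this example."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")          # first '=' separates name from data
        name = "(Default)" if name == "@" else name.strip('"')
        if value.startswith("dword:"):
            keys[current][name] = int(value[len("dword:"):], 16)
        else:
            keys[current][name] = value.strip('"').replace("\\\\", "\\").replace('\\"', '"')
    return keys


def simda_registry_findings(keys):
    """Return one human-readable finding per Simda.B registry indicator present."""
    findings = []
    run = keys.get(RUN_KEY.lower(), {})
    if "Windows Update Server" in run:
        findings.append("persistence: Run\\Windows Update Server -> " + run["Windows Update Server"])
    uac = keys.get(UAC_KEY.lower(), {})
    for name in ("EnableLUA", "ConsentPromptBehaviorAdmin", "ConsentPromptBehaviorUser"):
        if uac.get(name) == 0:                       # 0 disables UAC / its prompts
            findings.append(f"UAC weakened: {name} = 0")
    for path, values in keys.items():
        tail = path.rsplit("\\", 1)[-1]
        if "\\explorer\\hidedesktopicons\\" in path and values.get(COMPUTER_ICON_CLSID) == 1:
            findings.append(f"Computer desktop icon hidden ({tail})")
        if "\\internet explorer\\searchscopes\\" in path and "findgala.com" in str(values.get("URL", "")).lower():
            findings.append("IE search hijack: " + values["URL"])
        if path.endswith("\\user agent\\post platform") and values.get("(Default)") == "Build/13.0":
            findings.append("User-Agent marker Build/13.0 under " + path)
        if "\\services\\tcpip\\parameters\\interfaces" in path and values.get("NameServer") == "8.8.8.8":
            findings.append("NameServer forced to 8.8.8.8 (weak on its own; confirm with other hits)")
    return findings


def hosts_findings(hosts_text):
    """Flag hosts entries that map a name to anything other than loopback or the
    0.0.0.0 sinkhole address: Simda.B edits the hosts file to redirect users."""
    benign = {"127.0.0.1", "::1", "0.0.0.0"}
    findings = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()        # drop comments, then tokenize
        if len(fields) >= 2 and fields[0] not in benign:
            findings.append(f"hosts redirect: {' '.join(fields[1:])} -> {fields[0]}")
    return findings


# Constructed sample inputs (not captured from a real system).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"Windows Update Server"="C:\\Users\\alice\\ab-31337.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000000
"ConsentPromptBehaviorUser"=dword:00000000
"EnableLUA"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"=dword:00000001

[HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Internet Explorer\SearchScopes\{A1B2C3D4}]
"URL"="http://findgala.com/?&uid=31337&q={searchTerms}"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
@="Build/13.0"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces]
"NameServer"="8.8.8.8"
"""

SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net   # local ad block, legitimate
198.51.100.23   www.bank.example
"""

if __name__ == "__main__":
    for finding in simda_registry_findings(parse_reg_export(SAMPLE_REG)) + hosts_findings(SAMPLE_HOSTS):
        print(finding)
```

On a live host, export the hives with `reg export HKCU out-hkcu.reg` and `reg export HKLM out-hklm.reg` (reg.exe writes UTF-16 text, so open the files with `encoding="utf-16"`) and read `%windir%\system32\drivers\etc\hosts` directly. The NameServer value is a weak indicator by itself, since many administrators set public resolvers deliberately; the Run value, the UAC policy values and the findgala.com search scope are the ones that justify running the cleaner.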
The trojan may display the following fake dialog boxes: