Win32/Simda [Threat Name] go to Threat

Win32/Simda.X [Threat Variant Name]

Category trojan
Size 130560 B
Detection created Mar 15, 2013
Detection database version 8119
Aliases Trojan.Win32.Cidox.aeys (Kaspersky)
  TrojanDropper:Win32/Rovnix.H (Microsoft)
Short description

Win32/Simda.X is a trojan that can interfere with the operation of certain applications.


The trojan replaces the original VBR (Volume Boot Record) of the hard disk drive with its own data.

The trojan writes its own data to the end of the physical drive.

The trojan may create copies of itself using the following filenames:

  • %userprofile%\­%variable1%-%variable2%.exe

A string with variable content is used instead of %variable1-2% .

This copy of the trojan is then executed.

The file(s) may have the System (S) and Hidden (H) attributes present in attempt to hide the file in Windows Explorer.

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Windows Update Server" = "%userprofile%\­%variable1%-%variable2%.exe"

This causes the trojan to be executed on every system start.

After the installation is complete, the trojan deletes the original executable file.

The trojan contains both 32-bit and 64-bit program components.

Information stealing

The following information is collected:

  • operating system version
  • language settings

The trojan attempts to send gathered information to a remote machine.

The trojan contains a URL address. The HTTP protocol is used in the communication.

Other information

The trojan can create and run a new thread with its own program code within the following processes:

  • chrome.exe
  • cmd.exe
  • explorer.exe
  • far.exe
  • firefox.exe
  • iexplore.exe
  • opera.exe
  • totalcmd.exe
  • winlogon.exe
  • wuauclt.exe

The trojan hooks the following Windows APIs:

  • ZwResumeThread (ntdll.dll)
  • WSPCloseSocket (mswsock.dll)
  • WSPSend (mswsock.dll)
  • WSPRecv (mswsock.dll)

The trojan can modify network traffic.

The trojan may redirect the user to the attacker's web sites.

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­Software\­Classes\­CLSID\­{%variable1%-%variable2%-%variable3%-%variable4%-%variable5%}]

The trojan may delete the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­Software\­Classes\­CLSID\­{%variable1%-%variable2%-%variable3%-%variable4%-%variable5%}]
  • [HKEY_LOCAL_MACHINE\­\­Software\­Classes\­Wow6432Node\­CLSID\­{%variable1%-%variable2%-%variable3%-%variable4%-%variable5%}]

A string with variable content is used instead of %variable1-5% .

The trojan may create the following files:

  • %temp%\­%variable1%-%variable2%.tmp
  • %temp%\­%variable3%.tmp

A string with variable content is used instead of %variable1-3% .

Please enable Javascript to ensure correct displaying of this content and refresh this page.