PWS:Win32/Simda is a family of password-stealing trojans that may also allow backdoor access and control to an affected computer. Its main purpose is to steal passwords and system information from a user's machine.
Installation
PWS:Win32/Simda is a DLL which is injected into the winlogon.exe or explorer.exe processes by Backdoor:Win32/Simda.A.
Payload
Allows backdoor access and control
PWS:Win32/Simda creates the following registry entry in order to allow remote access to a local port:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
Sets value: "<port number>:TCP"
With data: "<port number>:tcp"
Where <port number> varies.
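The firewall exception above is a host-based indicator that can be checked from a registry export. The following script is an added example, not part of the original write-up or any Microsoft tooling: it parses a constructed `.reg` export of the GloballyOpenPorts\List key and flags entries that either use a port outside an allow-list or whose data lacks the `port:protocol:scope:state:name` layout that the Windows XP SP2 firewall itself writes (the bare `<port>:tcp` data described above fits neither). The sample entries, the allow-list and the layout assumption are the example's own.

```python
import re

# Constructed .reg export of the firewall open-ports list (entries are made up for
# this example; only the key path comes from the write-up). The first two entries
# follow the "port:protocol:scope:state:name" layout the XP SP2 firewall writes;
# the third mimics the bare "<port>:tcp" data described in the write-up.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP"="3389:TCP:*:Enabled:Remote Desktop"
"139:TCP"="139:TCP:LocalSubNet:Enabled:File and Printer Sharing"
"4661:TCP"="4661:tcp"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
PORT_NAME_RE = re.compile(r"^(?P<port>\d{1,5}):(?P<proto>TCP|UDP)$", re.IGNORECASE)
TARGET_KEY_SUFFIX = "\\FIREWALLPOLICY\\STANDARDPROFILE\\GLOBALLYOPENPORTS\\LIST"


def parse_reg_export(text):
    """Return (key_path, value_name, data) for every REG_SZ line in a .reg export."""
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_key is not None:
            # .reg files escape quotes and backslashes inside string data
            data = value_match.group("data").replace('\\"', '"').replace("\\\\", "\\")
            entries.append((current_key, value_match.group("name"), data))
    return entries


def audit_open_ports(entries, allowed_ports=frozenset({"139", "445", "3389"})):
    """Flag open-port entries with malformed data or a port outside the allow-list.

    allowed_ports is an assumed baseline for the example; a real audit would take
    it from the host's build standard.
    """
    findings = []
    for key, name, data in entries:
        if not key.upper().endswith(TARGET_KEY_SUFFIX):
            continue
        name_match = PORT_NAME_RE.match(name)
        if not name_match:
            continue
        port, proto = name_match.group("port"), name_match.group("proto").upper()
        fields = data.split(":")
        reasons = []
        if len(fields) < 5:
            reasons.append("data lacks the port:protocol:scope:state:name layout")
        elif fields[0] != port or fields[1].upper() != proto:
            reasons.append("data does not match the value name")
        elif fields[3].lower() not in ("enabled", "disabled"):
            reasons.append("unexpected state field %r" % fields[3])
        if port not in allowed_ports:
            reasons.append("port %s/%s is not in the allow-list" % (port, proto))
        if reasons:
            findings.append({"value": name, "data": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_open_ports(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding["value"], "->", "; ".join(finding["reasons"]))
```

On a live host the export can be produced with `reg export` of the key path quoted above and fed to `parse_reg_export`; the layout check is the more useful of the two signals, because a malformed entry cannot have been written through the firewall's own configuration interface.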
PWS:Win32/Simda contacts a remote host at mesosalpinx.com, listens on port <port number> and waits for commands. Using this backdoor, an attacker may be able to perform actions such as the following:
- Disable the infected system by deleting critical registry keys
- Force reboot
- Download and execute arbitrary files
- Upload files
- Spread to other computers using various methods of propagation
- Log keystrokes or steal sensitive data
- Modify system settings
- Run or terminate applications
- Delete files
Steals sensitive information
PWS:Win32/Simda is used to obtain sensitive information from the affected computer, and as such, may:
- Monitor and copy clipboard data whenever text is copied to the clipboard
- Log keystrokes via a GetMessage API hook
- Record the URL and window title for every URL visited, in every process
- Parse Internet browser traffic for user names and passwords via API hooks
- Steal certificates
PWS:Win32/Simda periodically checks for the existence of the following files and sends the contents back to the home domain:
The malware parses Internet Explorer and Opera history files looking for secure sites the user has visited.
PWS:Win32/Simda has also been observed:
- Stealing autocomplete saved passwords from Internet Explorer
- Stealing WinSCP (Windows Secure Copy) stored session passwords
- Decrypting stored data from Opera
- Obtaining dial-up passwords
- Creating the following files:
  - sniff.log
  - keylog.txt
  - pass.log
- Holding intercepted plain text traffic login information pertaining to FTP, NNTP, POP3 and POP2
- Key-logging data
- Storing screenshots to <number>.bmp
- Storing passwords as they are saved
- Storing window text for certain windows
Once loaded, PWS:Win32/Simda attempts to inject itself into the following processes, if they are running on the computer:
- svchost.exe
- iexplore.exe
- java.exe
- javaw.exe
- javaws.exe
- opera.exe
- firefox.exe
- maxthon.exe
- avant.exe
- mnp.exe
- safari.exe
- explorer.exe
- isclient.exe
- intpro.exe
- loadmain.exe
- core.exe
- clmain.exe
- core.exe
- safari.exe
Once loaded inside a process, one or more of the following APIs may be hooked:
- AddPSEPrivateKeyEx
- CreateFileW
- CryptEncrypt
- DnsQuery_A
- DnsQuery_UTF8
- DnsQuery_W
- GetClipboardData
- GetFileAttributesExW
- GetFileAttributesW
- GetMessageA
- GetMessageW
- GetWindowTextA
- HttpSendRequestA
- HttpSendRequestExA
- HttpSendRequestExW
- HttpSendRequestW
- InternetCloseHandle
- InternetQueryDataAvailable
- InternetReadFile
- InternetReadFileExA
- InternetReadFileExW
- InternetWriteFile
- InternetWriteFile_0
- PR_Close
- PR_OpenTCPSocket
- PR_Read
- PR_Write
- Query_Main
- RCN_R50Buffer
- TranslateMessage
- WSARecv
- WSASend
- getaddrinfo
- gethostbyname
- inet_addr
- recv
- send
- vb_pfx_import
These APIs are hooked in order to intercept Internet traffic and strip sensitive information from it.
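Inline hooks of this kind overwrite the first bytes of an exported function with a jump to attacker code, so a defender can look for them by comparing the prologue bytes in process memory with the clean bytes and resolving where any detour lands. The script below is an added example, not code from the write-up or from Microsoft: it works over a constructed memory snapshot (addresses, module ranges and prologue bytes are all made up for the example, and the single "clean" prologue stands in for a real comparison against the on-disk image). A detour whose target lies in memory that no loaded module owns is the strongest signal; legitimate products also patch these prologues, so any hit is a lead to investigate rather than proof of infection.

```python
import struct

# Constructed module ranges (start, end) as a process's module list might report
# them; the addresses are illustrative and not taken from any real system.
MODULES = {
    "kernel32.dll": (0x7C800000, 0x7C8F6000),
    "wininet.dll": (0x771B0000, 0x77256000),
    "ws2_32.dll": (0x71AB0000, 0x71AC7000),
}

# Classic hot-patchable x86 prologue: mov edi,edi / push ebp / mov ebp,esp.
# A real checker reads the clean bytes from the on-disk image instead of
# assuming one prologue; this constant stands in for that step here.
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec")


def jmp_rel32(src, dst):
    """Encode `jmp rel32` placed at src and landing on dst (used to build the sample)."""
    return b"\xe9" + struct.pack("<i", dst - (src + 5))


# Constructed snapshot: export -> (address, first bytes read from process memory).
# Two exports carry detours into a region no module owns; one is untouched.
SNAPSHOT = {
    "kernel32!GetFileAttributesW": (0x7C80B5F0, jmp_rel32(0x7C80B5F0, 0x00A51020)),
    "wininet!HttpSendRequestA": (0x771C0A20, b"\x68" + struct.pack("<I", 0x00A51480) + b"\xc3"),
    "ws2_32!send": (0x71AB4C27, CLEAN_PROLOGUE),
}


def owner_module(addr):
    """Name of the loaded module containing addr, or None if the address is unbacked."""
    for name, (lo, hi) in MODULES.items():
        if lo <= addr < hi:
            return name
    return None


def classify_prologue(export, addr, live):
    """Return None when the prologue matches the clean bytes, else a finding dict."""
    if live[:len(CLEAN_PROLOGUE)] == CLEAN_PROLOGUE:
        return None
    if len(live) >= 5 and live[0] == 0xE9:                          # jmp rel32
        rel = struct.unpack("<i", live[1:5])[0]
        kind, target = "jmp rel32", (addr + 5 + rel) & 0xFFFFFFFF
    elif len(live) >= 6 and live[0] == 0x68 and live[5] == 0xC3:    # push imm32 / ret
        kind, target = "push/ret", struct.unpack("<I", live[1:5])[0]
    else:
        kind, target = "modified prologue", None
    return {
        "export": export,
        "kind": kind,
        "target": target,
        "target_module": owner_module(target) if target is not None else None,
    }


def scan(snapshot):
    """Classify every export; detours into unbacked memory sort first."""
    findings = [f for f in (classify_prologue(e, a, b) for e, (a, b) in snapshot.items()) if f]
    findings.sort(key=lambda f: (f["target_module"] is not None, f["export"]))
    return findings


if __name__ == "__main__":
    for f in scan(SNAPSHOT):
        where = f["target_module"] or "no loaded module (unbacked memory)"
        print("%-30s %-18s -> %s" % (f["export"], f["kind"], where))
```

To apply this to a real process, the snapshot would be filled by reading each export's first bytes with a memory-read API and the module ranges from the process's module list; the classification logic stays the same.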
Terminates processes
PWS:Win32/Simda checks for the following window class names, and terminates any processes they belong to:
- random's system information tool - random/random
- +f
- AVP.MainWindow
- Kaspersky Virus Removal Tool 2010
- Malwarebytes' Anti-Malware
- SAM: Autorun Manager
- hijackthis
The malware also blocks traffic to the following websites:
- avast.com
- kaspersky
- drweb
- eset.com
- antivir
- avira
- virustotal
- virusinfo
- z-oleg.com
- trendsecure
- anti-malware
PWS:Win32/Simda may also, via various DNS hooks (depending on browser), redirect traffic to google.com.
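Because the blocking and redirection happen through in-process DNS hooks, upstream DNS server logs will not show them; the check has to be made from inside a suspect process and compared with an independent answer. The script below is an added example, not part of the write-up: it compares constructed "in-process" answers with constructed "reference" answers (documentation-range addresses, not real ones) for probe hosts built from the vendor fragments listed above, and reports a host as blocked (no answer), sinkholed (loopback or 0.0.0.0) or redirected (the answer equals the in-process answer for google.com while the reference disagrees). Differing addresses alone are not flagged, since CDN-backed sites legitimately resolve differently from different vantage points.

```python
import ipaddress

# Vendor fragments the write-up says the trojan blocks (several are substrings,
# not full host names) and the host it redirects them to.
BLOCKED_FRAGMENTS = ["avast.com", "kaspersky", "drweb", "eset.com", "antivir", "avira",
                     "virustotal", "virusinfo", "z-oleg.com", "trendsecure", "anti-malware"]
REDIRECT_HOST = "google.com"

# Constructed probe names; which real sites the malware matched is not claimed here.
PROBES = ["www.avast.com", "www.kaspersky.com", "www.drweb.com", "www.eset.com",
          "www.avira.com", "www.virustotal.com", "www.z-oleg.com", "example.org"]

# Constructed answers (RFC 5737 documentation ranges). IN_PROCESS stands for what
# name resolution returns inside the suspect process, where the hooks live;
# REFERENCE stands for an out-of-band resolver such as a clean host or a DoH query.
IN_PROCESS = {
    "google.com": {"198.51.100.1"},
    "www.avast.com": {"198.51.100.1"},      # same answer as google.com: redirected
    "www.kaspersky.com": {"198.51.100.1"},
    "www.drweb.com": {"127.0.0.1"},         # loopback: sinkholed
    "www.eset.com": set(),                  # lookup failed: blocked
    "www.avira.com": {"203.0.113.5"},       # honest answer
    "www.virustotal.com": {"203.0.113.6"},
    "www.z-oleg.com": {"198.51.100.1"},
    "example.org": {"203.0.113.42"},
}
REFERENCE = {
    "google.com": {"198.51.100.1"},
    "www.avast.com": {"203.0.113.1"},
    "www.kaspersky.com": {"203.0.113.2"},
    "www.drweb.com": {"203.0.113.3"},
    "www.eset.com": {"203.0.113.4"},
    "www.avira.com": {"203.0.113.5"},
    "www.virustotal.com": {"203.0.113.6"},
    "www.z-oleg.com": {"203.0.113.7"},
    "example.org": {"203.0.113.42"},
}


def classify_host(host, in_proc, ref):
    """Return 'blocked', 'sinkholed', 'redirected' or 'ok' for one probe host."""
    local = in_proc.get(host, set())
    remote = ref.get(host, set())
    redirect_answer = in_proc.get(REDIRECT_HOST, set())
    if not remote:
        return "ok"          # the reference could not resolve it either; nothing to compare
    if not local:
        return "blocked"
    if all(ipaddress.ip_address(a).is_loopback or ipaddress.ip_address(a).is_unspecified
           for a in local):
        return "sinkholed"
    if redirect_answer and local == redirect_answer and remote != redirect_answer:
        return "redirected"
    return "ok"


def sweep(probes, in_proc=IN_PROCESS, ref=REFERENCE):
    """Classify every probe and return the non-'ok' ones with a blocklist cross-check."""
    findings = []
    for host in probes:
        verdict = classify_host(host, in_proc, ref)
        if verdict != "ok":
            findings.append({
                "host": host,
                "verdict": verdict,
                "on_published_list": any(frag in host for frag in BLOCKED_FRAGMENTS),
            })
    return findings


if __name__ == "__main__":
    for f in sweep(PROBES):
        print("%-22s %-10s published-indicator=%s" % (f["host"], f["verdict"], f["on_published_list"]))
```

In practice `IN_PROCESS` would be filled by resolving each probe from inside the browser or another process on the suspect host, and `REFERENCE` from a resolver the host's hooks cannot influence; a hit on a host that also matches the published fragment list is the combination worth escalating.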
Additional information
The malware creates the following mutex:
- Global\{722E3A61-883B-4144-BA81-1F965879E5C9}
Analysis by Matt McCormack