Installation
Some variants check to see if Simda is already running from a specific folder. If it isn't running from the expected location, the malware copies itself as one of the following:
Some Simda variants might make the following changes to the registry as part of the installation process:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "userinit"
With data: "<malware path and file name>"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "userinit"
With data: "<malware path and file name>"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "load"
With data: "<malware path and file name>"
In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "run"
With data: "<malware path and file name>"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "System"
With data: "<malware path and file name>"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Userinit"
With data: "<system folder>\userinit.exe, "<malware path and file name>""
If you are logged in as an administrator, it might add a scheduled task to run itself with administrator privileges each time you start your PC.
After the malware has successfully installed itself, it deletes its own original malware file.
Simda checks to see if it's running in a virtual machine, or sandbox, and if it is, it deletes itself.
When it runs, Simda might inject itself into the following processes if it finds them running on your PC, in an effort to hinder detection and removal:
- avant.exe
- clmain.exe
- core.exe
- explorer.exe
- firefox.exe
- iexplore.exe
- intpro.exe
- isclient.exe
- java.exe
- javaw.exe
- javaws.exe
- loadmain.exe
- maxthon.exe
- mnp.exe
- opera.exe
- safari.exe
- svchost.exe
As part of its installation process, Simda might check to see if any of the following processes are running, and if found, won't complete its installation process:
- Aircrack-ng Gui.exe
- apis32.exe
- avp.exe
- CamRecorder.exe
- CamtasiaStudio.exe
- cv.exe
- DrvLoader.exe
- dumpcap.exe
- ERDNT.exe
- ERUNT.exe
- EtherD.exe
- HookExplorer.exe
- idag.exe
- irise.exe
- IrisSvc.exe
- observer.exe
- ollydbg.exe
- PEBrowseDbg.exe
- proc_analyzer.exe
- Regshot.exe
- SandboxieDcomLaunch.exe
- SandboxieRpcSs.exe
- SbieCtrl.exe
- SbieSvc.exe
- sckTool.exe
- sniff_hit.exe
- Sniffer.exe
- SUPERAntiSpyware.exe
- SymRecv.exe
- sysAnalyzer.exe
- Syser.exe
- tcpdump.exe
- VBoxService.exe
- VBoxTray.exe
- windbg.exe
- WinDump.exe
- wireshark.exe
- wspass.exe
- ZxSniffer.exe
Similarly, some Simda variants check for the following registry keys, and if any are found, won't complete their installation process:
- Appevents\Schemes\Apps\Bopup Observer
- Software\Apis32
- Software\B Labs\Bopup Observer
- Software\Classes\*\Shell\Sandbox
- Software\Classes\Folder\Shell\Sandbox
- Software\Classes\Pebrowsedotnetprofiler.Dotnetprofiler
- Software\Classes\Superantispywarecontextmenuext.Sascon.1
- Software\Commview
- Software\Cygwin
- Software\Eeye Digital Security
- Software\Microsoft\Windows\Currentversion\App Paths\Wireshark.Exe
- Software\Microsoft\Windows\Currentversion\Explorer\Menuorder\Start Menu2\Programs\Apis32
- Software\Microsoft\Windows\Currentversion\Explorer\Menuorder\Start Menu2\Programs\Debugging Tools For Windows (X86)
- Software\Microsoft\Windows\Currentversion\Uninstall\Apis32
- Software\Microsoft\Windows\Currentversion\Uninstall\Erunt_Is1
- Software\Microsoft\Windows\Currentversion\Uninstall\Oracle Vm Virtualbox Guest Additions
- Software\Microsoft\Windows\Currentversion\Uninstall\Sandboxie
- Software\Microsoft\Windows\Currentversion\Uninstall\Win Sniffer_Is1
- Software\Microsoft\Windows\Currentversion\Uninstall\Wireshark
- Software\Superantispyware.Com
- Software\Syser Soft
- Software\Win Sniffer
- Software\Zxsniffer
- System\Currentcontrolset\Services\Iris5
- System\Currentcontrolset\Services\Sbiedrv
- System\Currentcontrolset\Services\Sdbgmsg
- System\Currentcontrolset\Services\Vboxguest
It also hooks the following Windows system APIs to help it capture sensitive data, for example, online banking and shopping, email credentials and network information:
- ADVAPI32.DLL:
- CRYPT32.DLL:
  - CertVerifyCertificateChainPolicy
- DNSAPI.DLL:
  - DnsQuery_A
  - DnsQuery_UTF8
  - DnsQuery_W
  - Query_Main
- NTDLL.DLL:
- WS2_32.DLL:
  - send
  - WSASend
  - WSARecv
  - recv
  - getaddrinfo
  - gethostbyname
  - inet_addr
- KERNEL32.DLL:
  - CreateFileW
  - GetFileAttributesW
- USER32.DLL:
  - GetClipboardData
  - GetFileAttributesExW
  - GetFileAttributesW
  - GetMessageA
  - GetMessageW
  - GetWindowTextA
  - OpenDesktopA
  - OpenDesktopW
  - SendInput
  - SetClipboardData
  - SwitchDesktop
  - TranslateMessage
- WININET.DLL:
  - HttpSendRequestA
  - HttpSendRequestW
  - HttpSendRequestExA
  - HttpSendRequestExW
  - InternetQueryDataAvailable
  - InternetReadFile
  - InternetReadFileExA
  - InternetReadFileExW
  - InternetCloseHandle
  - InternetWriteFile
- NSPR4.DLL:
  - PR_Write
  - PR_Read
  - PR_Close
  - PR_OpenTCPSocket
- SKS2XYZ.DLL:
- FILIALRCON.DLL:
- MESPRO.DLL:
  - AddPSEPrivateKeyEx
  - AddSigner
Payload
Lets a hacker access and control your PC
Some variants of Win32/Simda target several Internet banking systems. It contacts the remote command and control (C&C) system and waits for commands from a hacker. In the wild, we've observed Simda targeting Internet banking systems that contain these strings:
- AGAVA
- ALPHA
- BS-CLIENT
- BSS/BSSS
- CC
- COLV
- CRAIF
- FAKTURA
- IBANK
- INIST
- INTER-PRO
- ISB
- KBP
- RAIFF
- RFK
- RSTYLE
- SBER
- VEFK
- VTB24
It opens a port to let a hacker remotely access your PC by creating the following registry entry:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
Sets value: "<port number>:TCP"
With data: "<port number>:TCP"
Where <port number> varies.
Using this backdoor, a hacker can perform a number of actions on your PC. For example, a hacker might be able to:
- Stop your PC from running by deleting registry keys
- Force reboot
- Download and run files from a given URL
- Upload files
- Spread to other PCs using different methods
- Log keystrokes or steal sensitive data
- Change your PC's settings
- Run or stop applications
- Delete files
Steals sensitive information
Some Simda variants collect your personal information, including but not limited to the following:
- User names and passwords that might be stored in your Internet browser folders
- Logged keystrokes
- Visited websites/URLs
- PC certificates
- Clipboard data
- Screenshots
- Information about your PC, like operating system details
- Private key files
Some variants also go through your Internet Explorer and Opera history files looking for secure sites you have visited, and might:
- Steal saved passwords from Internet Explorer
- Steal WinSCP (Windows Secure Copy) stored passwords
- Decrypt stored data from Opera
- Get dial-up passwords
- Create the following files in which to store stolen information:
- sniff.log
- keylog.txt
- pass.log
- Steal login information pertaining to FTP, NNTP, POP3 and POP2
- Log your keystrokes
- Store screenshots to <number>.bmp
- Store passwords as they are saved
Some variants of Simda periodically check for the existence of the following files and send their contents back to the C&C server:
- links.log
- pws.tx
- pass.log
Downloads and runs files
Simda's backdoor components might connect to a remote server to provide information about newly-infected PCs.
Once connected to the remote server, Simda receives the configuration information on where to download additional files, and other locations from which to download additional configuration files. Downloaded files are written to the %TEMP% folder. These files might include additional malware.
In the wild, we have observed the following servers being contacted for this purpose:
- asterixsss.com
- gusssiss.com
- orlikssss.com
Tries to log in as administrator
Some Simda variants use various techniques to try to elevate their privileges. They try to log on as an administrator (if you're not already logged in as an administrator) using the following list of passwords:
- 098765
- 110
- 111
- 111111
- 123
- 1234
- 12345
- 123456
- 12345678
- 123abc
- 1982
- 2007
- 2013
- 2207
- 354
- 5554
- 666666
- 775
- abc123
- admin
- administrator
- asdfg
- baseball1
- blink182
- chort
- football1
- fuckyou
- help
- idontknow
- iloveyou1
- jordan23
- liverpool1
- monkey
- monkey1
- myspace1
- nah
- pass
- password
- password1
- pop
- princess1
- qwe
- qwer
- qwert
- qwerty
- qwerty1
- qweryuiopas
- server
- slipknot1
- soccer
- stone
- superman1
- user111
- xak
- xakep
If it successfully logs in as an administrator, it will be able to perform more actions to further compromise your PC, as it will no longer be restricted by limited privileges.
Stops processes, and prevents you from visiting certain websites
Some variants of Simda check for the following window class names, and stop any processes they belong to:
- +f
- AVP.MainWindow
- hijackthis
- Kaspersky Virus Removal Tool 2010
- Malwarebytes' Anti-Malware
- random's system information tool - random/random
- SAM: Autorun Manager
It might also try to stop you from visiting websites with addresses containing any of the following security-related terms:
- anti-malware
- antivir
- avast.com
- avira
- comodo.com
- drweb
- eset.com
- kaspersky
- kltest.org.ru
- mavast.com
- trendsecure
- virusinfo
- virustotal
- z-oleg.com
Injects code
If it successfully elevates its privileges, Simda tries to inject a DLL into the process space of winlogon.exe. This DLL is detected as PWS:Win32/Simda. It does this to try to hinder detection and removal.
Exploits vulnerabilities
Win32/Simda tries to exploit the following vulnerabilities to gain elevated privileges:
Additional information
Win32/Simda checks for Internet connectivity by contacting the following websites:
The retrieved domains are then saved to the following registry entries in an encrypted form, for example:
In subkey: HKLM\Software\Microsoft
Sets value: "m1131"
With data: "<encrypted URL>"
In subkey: HKLM\Software\Microsoft
Sets value: "m1132"
With data: "<encrypted URL>"
In subkey: HKLM\Software\Microsoft
Sets value: "m1133"
With data: "<encrypted URL>"
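As an added example that is not part of Microsoft's write-up, the following Python script parses a `reg export` dump and flags the indicators described in the "Installation" section (the Run/RunOnce "userinit" and "load" values, the per-user "run" value, and the Winlogon "System" and "Userinit" values), the "Payload" section (the bare "<port number>:TCP" firewall exception) and the entries just above (the "m113<N>" values under HKLM\Software\Microsoft). The sample export text is constructed for illustration; the path and the file name svcx.exe in it are placeholders, not real Simda indicators.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in `reg export` format (not captured from a real infection).
# Values are modelled on the Simda entries described on this page; the path
# C:\Users\victim\AppData\Local\svcx.exe is a placeholder, not a real Simda indicator.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"userinit"="C:\\Users\\victim\\AppData\\Local\\svcx.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\victim\\AppData\\Local\\svcx.exe"
"System"="C:\\Users\\victim\\AppData\\Local\\svcx.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP"="3389:TCP:*:Enabled:Remote Desktop"
"62255:TCP"="62255:TCP"

[HKEY_LOCAL_MACHINE\Software\Microsoft]
"m1131"=hex:9a,1b,7c,00
'''

HIVE_ALIASES = {"hkey_current_user": "hkcu", "hkey_local_machine": "hklm"}

AUTORUN_KEYS = {
    "hkcu\\software\\microsoft\\windows\\currentversion\\run",
    "hkcu\\software\\microsoft\\windows\\currentversion\\runonce",
}
USER_WINDOWS_KEY = "hkcu\\software\\microsoft\\windows nt\\currentversion\\windows"
WINLOGON_KEY = "hklm\\software\\microsoft\\windows nt\\currentversion\\winlogon"
OPEN_PORTS_KEY = ("hklm\\system\\currentcontrolset\\services\\sharedaccess\\parameters"
                  "\\firewallpolicy\\standardprofile\\globallyopenports\\list")
MS_ROOT_KEY = "hklm\\software\\microsoft"


@dataclass
class Finding:
    key: str
    name: str
    reason: str


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse `reg export` text into {key: {value name: data}}.

    Keys are lower-cased and use the HKCU/HKLM short hive names used on this page.
    String data has the export escaping (\\\\ and \\") removed; other types are kept raw.
    """
    result: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            hive = HIVE_ALIASES.get(hive.lower(), hive.lower())
            current = (hive + "\\" + rest).lower()
            result.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            name = re.sub(r"\\(.)", r"\1", m.group(1))
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            result[current][name] = data
    return result


def triage(reg: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Return one Finding per value that matches a Simda-style registry indicator."""
    findings: List[Finding] = []
    for key, values in reg.items():
        for name, data in values.items():
            lname = name.lower()
            if key in AUTORUN_KEYS and lname in ("userinit", "load"):
                findings.append(Finding(key, name, f"autorun value named like Simda's, data: {data}"))
            elif key == USER_WINDOWS_KEY and lname == "run" and data:
                findings.append(Finding(key, name, f"per-user 'run' value set to: {data}"))
            elif key == WINLOGON_KEY and lname == "system" and data:
                findings.append(Finding(key, name, f"Winlogon 'System' value is non-empty: {data}"))
            elif key == WINLOGON_KEY and lname == "userinit":
                # Legitimate data is "<system folder>\userinit.exe,"; anything else appended is suspect.
                entries = [p.strip() for p in data.split(",") if p.strip()]
                extras = [p for p in entries if p.lower().split("\\")[-1] != "userinit.exe"]
                if extras:
                    findings.append(Finding(key, name, "extra Userinit entries: " + "; ".join(extras)))
            elif key == OPEN_PORTS_KEY and re.fullmatch(r"\d+:tcp", lname) and data.lower() == lname:
                # Legitimate exceptions carry scope/state/description fields; Simda writes only "<port>:TCP".
                findings.append(Finding(key, name, "firewall exception with bare '<port>:TCP' data"))
            elif key == MS_ROOT_KEY and re.fullmatch(r"m113\d", lname):
                findings.append(Finding(key, name, "Simda-style encrypted domain slot"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{f.key} :: {f.name} :: {f.reason}")
```

Run it against a real export with `reg export HKLM hklm.reg` and `reg export HKCU hkcu.reg` on the suspect machine, then pass the file contents to `parse_reg_export`. The Userinit check looks only at the file name of each comma-separated entry, so a legitimate `userinit.exe` in a non-default system folder is not flagged, while any appended path is.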
Win32/Simda might create a mutex to avoid multiple instances of itself running on your PC at any one time, for example:
Global\MicrosoftSysenterGate<N>
where <N> is a digit.
Some variants of Simda might infect a Windows driver file to hide its components and redirect web traffic. The infected driver is detected as Virus:WinNT/Simda.A. Other Simda variants might also, via various DNS hooks (depending on the browser), redirect traffic to google.com.
Analysis by Rex Plantado