PWS:Win32/Simda


Microsoft security software detects and removes this threat.
 
This family of password-stealing trojans can give a malicious hacker backdoor access and control of your PC. Its main purpose is to steal your passwords and system information.


What to do now

Free Microsoft security software detects and removes this threat.

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, treat every account that was used from the infected PC as compromised.

You should change your passwords after you've removed this threat, and do so from a PC that is known to be clean, since this family logs keystrokes.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

PWS:Win32/Simda is a family of password-stealing trojans that may also allow backdoor access and control to an affected computer. Its main purpose is to steal passwords and system information from a user's machine.

Installation

PWS:Win32/Simda is a DLL that Backdoor:Win32/Simda.A injects into the winlogon.exe or explorer.exe process. Because winlogon.exe runs as SYSTEM, code injected there inherits those privileges.

Payload

Allows backdoor access and control

PWS:Win32/Simda creates the following registry entry, which opens a Windows Firewall exception for the port its backdoor listens on:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
Sets value: "<port number>:TCP"
With data: "<port number>:tcp"

Where <port number> varies.
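As an added example that is not part of the original Microsoft write-up, the Python script below parses a `reg export` dump of the GloballyOpenPorts\List key and flags entries shaped like the one above. Windows XP's own firewall writes each exception as `<port>:<proto>:<scope>:Enabled:<display name>` (five colon-separated fields, protocol in upper case), so an entry whose data is just `<port>:tcp` fails several shape checks. The registry text in the script is constructed sample data; port 4899 is a made-up stand-in for the variable `<port number>`.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Suffix of the key the malware writes to (from the write-up). DomainProfile has the
# same layout, so the parser accepts any ...\GloballyOpenPorts\List subkey.
LIST_SUFFIX = r"\globallyopenports\list"

# Constructed sample of `reg export` output. The 3389 and 139 entries mirror the
# format Windows XP itself writes; the 4899 entry has the Simda shape (4899 is a
# made-up stand-in for the variable <port number>).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP"="3389:TCP:*:Enabled:@xpsp2res.dll,-22009"
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"4899:TCP"="4899:tcp"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Example\\example.exe"="C:\\Program Files\\Example\\example.exe:*:Enabled:Example"
"""

# A .reg string value line: "name"="data", with \" and \\ escapes inside the quotes.
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


@dataclass
class Finding:
    name: str
    data: str
    reasons: List[str] = field(default_factory=list)


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)


def parse_globally_open_ports(reg_text: str) -> Dict[str, str]:
    """Return {value name: data} for every GloballyOpenPorts\\List key in a .reg dump."""
    entries: Dict[str, str] = {}
    in_list_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_list_key = line[1:-1].lower().endswith(LIST_SUFFIX)
            continue
        if not in_list_key or not line:
            continue
        m = VALUE_LINE.match(line)
        if m:
            entries[_unescape(m.group(1))] = _unescape(m.group(2))
    return entries


def analyze_entry(name: str, data: str) -> List[str]:
    """Explain why an exception does not look like one Windows wrote itself."""
    reasons: List[str] = []
    name_match = re.fullmatch(r"(\d{1,5}):(TCP|UDP)", name)
    if not name_match:
        reasons.append("value name is not <port>:<TCP|UDP>")
    parts = data.split(":", 4)  # port:proto:scope:Enabled|Disabled:display name
    if len(parts) < 5:
        reasons.append(f"data has {len(parts)} fields, expected port:proto:scope:Enabled:name")
    else:
        if parts[3] not in ("Enabled", "Disabled"):
            reasons.append(f"fourth field {parts[3]!r} is not Enabled/Disabled")
        if not parts[4]:
            reasons.append("empty display name")
    if len(parts) >= 2 and parts[1] not in ("TCP", "UDP"):
        reasons.append(f"protocol token {parts[1]!r} is not upper-case TCP/UDP")
    if name_match and parts[0] != name_match.group(1):
        reasons.append("port in data does not match value name")
    return reasons


def scan_globally_open_ports(reg_text: str) -> List[Finding]:
    """Return only the exceptions that fail at least one shape check."""
    findings = []
    for name, data in parse_globally_open_ports(reg_text).items():
        reasons = analyze_entry(name, data)
        if reasons:
            findings.append(Finding(name, data, reasons))
    return findings


if __name__ == "__main__":
    for f in scan_globally_open_ports(SAMPLE_REG_EXPORT):
        print(f"SUSPICIOUS {f.name} = {f.data!r}: " + "; ".join(f.reasons))
```

To run it against a live XP host, first `reg export "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List" ports.reg` and pass the file contents to `scan_globally_open_ports` (reg export writes UTF-16, so open the file with `encoding="utf-16"`). A well-formed exception for an unexplained port still deserves a look: nothing stops malware from writing a correctly formatted value, so treat the port itself, not only the shape, as the indicator.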

PWS:Win32/Simda contacts a remote host at mesosalpinx.com, listens on TCP port <port number> and waits for commands. Using this backdoor, an attacker may be able to perform the following actions on an affected computer:

  • Disable the infected system by deleting critical registry keys
  • Force reboot
  • Download and execute arbitrary files
  • Upload files
  • Spread to other computers using various methods of propagation
  • Log keystrokes or steal sensitive data
  • Modify system settings
  • Run or terminate applications
  • Delete files

Steals sensitive information

PWS:Win32/Simda is used to obtain sensitive information from the affected computer, and as such, may:

  • Monitor and copy clipboard data whenever text is copied to the clipboard
  • Log keystrokes via GetMessage API hook
  • Store URLs and window titles for all URLs visited by every process
  • Parse Internet browser traffic for user names and passwords via API hooks
  • Steal certificates

PWS:Win32/Simda periodically checks for the existence of the following files and sends the contents back to the home domain:

  • links.log
  • pws.txt

The malware parses Internet Explorer and Opera history files looking for secure sites the user has visited.

PWS:Win32/Simda has also been observed:

  • Stealing autocomplete saved passwords from Internet Explorer
  • Stealing WinSCP (Windows Secure Copy) stored session passwords
  • Decrypting stored data from Opera
  • Obtaining dial-up passwords
  • Creating the following files:
    • sniff.log
    • keylog.txt
    • pass.log
  • Logging login credentials intercepted from plaintext FTP, NNTP, POP3 and POP2 sessions
  • Logging keystrokes
  • Storing screenshots to <number>.bmp
  • Storing passwords as they are saved
  • Storing window text for certain windows

Once loaded, PWS:Win32/Simda attempts to inject itself into the following processes, if they are running on the computer:

  • svchost.exe
  • iexplore.exe
  • java.exe
  • javaw.exe
  • javaws.exe
  • opera.exe
  • firefox.exe
  • maxthon.exe
  • avant.exe
  • mnp.exe
  • safari.exe
  • explorer.exe
  • isclient.exe
  • intpro.exe
  • loadmain.exe
  • core.exe
  • clmain.exe

Once loaded inside a process, one or more of the following APIs may be hooked:

  • AddPSEPrivateKeyEx
  • CreateFileW
  • CryptEncrypt
  • DnsQuery_A
  • DnsQuery_UTF8
  • DnsQuery_W
  • GetClipboardData
  • GetFileAttributesExW
  • GetFileAttributesW
  • GetMessageA
  • GetMessageW
  • GetWindowTextA
  • HttpSendRequestA
  • HttpSendRequestExA
  • HttpSendRequestExW
  • HttpSendRequestW
  • InternetCloseHandle
  • InternetQueryDataAvailable
  • InternetReadFile
  • InternetReadFileExA
  • InternetReadFileExW
  • InternetWriteFile
  • InternetWriteFile_0
  • PR_Close
  • PR_OpenTCPSocket
  • PR_Read
  • PR_Write
  • Query_Main
  • RCN_R50Buffer
  • TranslateMessage
  • WSARecv
  • WSASend
  • getaddrinfo
  • gethostbyname
  • inet_addr
  • recv
  • send
  • vb_pfx_import

These APIs are hooked in order to intercept network traffic inside the process, before it is encrypted or after it is decrypted, and strip credentials from it: the Internet*/HttpSendRequest* hooks cover WinINet (Internet Explorer), PR_Read/PR_Write cover Mozilla's NSPR layer (Firefox), and send/recv/WSASend/WSARecv cover raw Winsock. GetMessage/TranslateMessage and GetClipboardData serve the keylogger and clipboard monitor, and the DnsQuery_*, gethostbyname and getaddrinfo hooks implement the site blocking described below.
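To make concrete what the send/WSASend/PR_Write hooks above observe, and the plaintext FTP, NNTP, POP3 and POP2 credential logging described earlier, here is an added Python example (not code from the original write-up, and not the malware's code) of that credential stripping. It reassembles the client-to-server byte stream the way a hook on a mail or FTP client's socket writes would receive it, one send() buffer at a time, and pulls out the login commands; the protocol is chosen from the destination port, which a hook can read from the socket. The session fragments are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional

# Destination port -> protocol. A send()/WSASend/PR_Write hook can learn the peer
# port from the socket, which is how FTP and POP3 (both USER/PASS) are told apart.
PORT_TO_PROTOCOL = {21: "FTP", 109: "POP2", 110: "POP3", 119: "NNTP"}


@dataclass
class Credential:
    protocol: str
    username: Optional[str]
    password: str


class PlaintextCredentialSniffer:
    """Reassembles one client->server stream and extracts login commands.

    Hooked send() buffers rarely align with protocol lines, so bytes are
    buffered until a line terminator arrives, as a real hook must also do.
    """

    def __init__(self, dst_port: int) -> None:
        self.protocol = PORT_TO_PROTOCOL.get(dst_port)
        self.credentials: List[Credential] = []
        self._buf = b""
        self._pending_user: Optional[str] = None

    def feed(self, data: bytes) -> None:
        """Consume one outbound buffer as seen by a send()/PR_Write hook."""
        if self.protocol is None:       # not a protocol we parse; pass through
            return
        self._buf += data
        while b"\n" in self._buf:
            line, _, self._buf = self._buf.partition(b"\n")
            self._handle_line(line.rstrip(b"\r").decode("latin-1"))

    def _handle_line(self, line: str) -> None:
        parts = line.split(" ")
        verb, args = parts[0].upper(), parts[1:]
        if self.protocol in ("FTP", "POP3"):          # RFC 959 / RFC 1939: USER, PASS
            if verb == "USER" and args:
                self._pending_user = args[0]
            elif verb == "PASS" and args:
                self._emit(" ".join(args))            # passwords may contain spaces
        elif self.protocol == "NNTP":                  # RFC 4643: AUTHINFO USER/PASS
            if verb == "AUTHINFO" and len(args) >= 2:
                sub = args[0].upper()
                if sub == "USER":
                    self._pending_user = args[1]
                elif sub == "PASS":
                    self._emit(" ".join(args[1:]))
        elif self.protocol == "POP2":                  # RFC 937: HELO user password
            if verb == "HELO" and len(args) >= 2:
                self._pending_user = args[0]
                self._emit(args[1])

    def _emit(self, password: str) -> None:
        self.credentials.append(Credential(self.protocol, self._pending_user, password))
        self._pending_user = None


def sniff(dst_port: int, fragments: List[bytes]) -> List[Credential]:
    """Run a whole captured session (a list of send() buffers) through the sniffer."""
    s = PlaintextCredentialSniffer(dst_port)
    for frag in fragments:
        s.feed(frag)
    return s.credentials


# Constructed sample sessions; note the FTP login is split mid-word across buffers.
FTP_FRAGMENTS = [b"USER al", b"ice\r\nPASS s3cr", b"et!\r\nSYST\r\n"]
POP3_FRAGMENTS = [b"USER dave\r\nPASS correct horse\r\nSTAT\r\n"]
NNTP_FRAGMENTS = [b"MODE READER\r\nAUTHINFO USER bob\r\n", b"AUTHINFO PASS hunter2\r\n"]
POP2_FRAGMENTS = [b"HELO carol p@ss\r\nFOLD INBOX\r\n"]

if __name__ == "__main__":
    for port, frags in ((21, FTP_FRAGMENTS), (110, POP3_FRAGMENTS),
                        (119, NNTP_FRAGMENTS), (109, POP2_FRAGMENTS)):
        for cred in sniff(port, frags):
            print(cred)
```

Pointed at pcap payloads instead of hooked buffers, the same parser doubles as an audit for plaintext credential use on your own network. Note the limit of that mitigation: the HttpSendRequest*/InternetReadFile* and PR_Read/PR_Write hooks exist precisely because inside the process traffic is visible before TLS encryption and after decryption, so switching to FTPS or POP3S protects against a passive sniffer on the wire, not against a hooked client.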

Terminates processes

PWS:Win32/Simda checks for the following window class names, and terminates any processes they belong to:

  • random's system information tool - random/random
  • +f
  • AVP.MainWindow
  • Kaspersky Virus Removal Tool 2010
  • Malwarebytes' Anti-Malware
  • SAM: Autorun Manager
  • hijackthis

The malware also blocks traffic to websites whose host names contain any of the following strings (several entries are bare substrings rather than complete domain names):

  • avast.com
  • kaspersky
  • drweb
  • eset.com
  • antivir
  • avira
  • virustotal
  • virusinfo
  • z-oleg.com
  • trendsecure
  • anti-malware

PWS:Win32/Simda may also use its DNS-resolution hooks (DnsQuery_*, gethostbyname or getaddrinfo, depending on the browser) to redirect traffic to google.com.

Additional information

The malware creates the following mutex:

  • Global\{722E3A61-883B-4144-BA81-1F965879E5C9}

Analysis by Matt McCormack


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:

    links.log
    pws.txt
    sniff.log
    keylog.txt
    pass.log
  • The presence of the following registry modifications:

    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
    Sets value: "<port number>:TCP"
    With data: "<port number>:tcp"

Prevention


Alert level: Severe
First detected by definition: 1.105.365.0
Latest detected by definition: 1.179.469.0 and higher
First detected on: May 24, 2011
This entry was first published on: May 24, 2011
This entry was updated on: May 14, 2014

This threat is also detected as:
No known aliases