

Backdoor:Win32/Simda.A is a backdoor trojan that allows remote access and control of an affected computer.

What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see

Threat behavior

Backdoor:Win32/Simda.A is a backdoor trojan that allows remote access and control of an affected computer. 


When executed, the malware:

  • Checks if the trojan is running from the <system folder>. If it isn't running from the system folder, Backdoor:Win32/Simda.A copies itself as <system folder>\<random_number>.exe
  • Modifies the following registry entry to execute its copy at Windows start:

    In subkey: HKLM\Software\Microsoft\Windows NT\Currentversion\Winlogon
    Sets value: "userinit"
    With data: "<system folder>\userinit.exe, <system folder>\<random_number>.exe"
  • Injects code into the process "svchost.exe"
  • Deletes the original executable

Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.


Downloads and executes arbitrary files

Backdoor:Win32/Simda.A connects to a remote host and provides information regarding the newly infected computer.

It then receives the configuration information on where to download additional files, and other locations from which to download additional configuration files. Downloaded files are written to the %TEMP% folder, for example C:\Users\<user name>\AppData\Local\Temp. These files may include additional malware.
In the wild, we have observed the following domains being contacted for this purpose:


Modifies security settings

Backdoor:Win32/Simda.A uses various techniques in an attempt to elevate its privileges. It attempts to log on as Administrator (if the current user is not already an administrator) using a list of passwords:

  • help
  • stone
  • server
  • pass
  • idontknow
  • administrator
  • admin
  • 666666
  • 111
  • 12345678
  • 1234
  • soccer
  • abc123
  • password1
  • football1
  • fuckyou
  • monkey
  • iloveyou1
  • superman1
  • slipknot1
  • jordan23
  • princess1
  • liverpool1
  • monkey1
  • baseball1
  • 123abc
  • qwerty1
  • blink182
  • myspace1
  • pop
  • user111
  • 098765
  • qweryuiopas
  • qwe
  • qwer
  • qwert
  • qwerty
  • asdfg
  • chort
  • nah
  • xak
  • xakep
  • 111111
  • 12345
  • 2013
  • 2007
  • 2207
  • 110
  • 5554
  • 775
  • 354
  • 1982
  • 123
  • password
  • 123456

Injects code

If successful at privilege escalation, Simda attempts to inject a DLL into the process space of winlogon.exe. This DLL is detected as PWS:Win32/Simda.

Exploits vulnerabilities

Backdoor:Win32/Simda.A also attempts to exploit the following vulnerabilities in order to assist in gaining elevated privileges:

Additional information

The retrieved domains are then saved to the following registry entries in an encrypted form, for example:

In subkey: HKLM\Software\Microsoft
Sets value: "m1131"
With data: <encrypted URL>

In subkey: HKLM\Software\Microsoft
Sets value: "m1132"
With data: <encrypted URL>

In subkey: HKLM\Software\Microsoft
Sets value: "m1133"
With data: <encrypted URL>


Analysis by Matt McCormack


There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.


Alert level: Severe
First detected by definition: 1.103.1919.0
Latest detected by definition: 1.179.3261.0 and higher
First detected on: May 17, 2011
This entry was first published on: May 17, 2011
This entry was updated on: May 25, 2011

This threat is also detected as:
No known aliases