Backdoor:Win32/Simda


Microsoft security software detects and removes this threat.

This threat can give a malicious hacker backdoor access to and control of your PC. They can then steal your passwords and gather information about your PC.

The Win32/Simda family description has more information about this family of threats.

Find out ways that malware can get on your PC.



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Protect your sensitive information

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

When executed, the malware:

  • Checks whether it is running from the <system folder>. If it isn't, Backdoor:Win32/Simda copies itself as <system folder>\<random_number>.exe
  • Modifies the following registry entry to execute its copy at Windows start:
    In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Sets value: "Userinit"
    With data: "<system folder>\userinit.exe, <system folder>\<random_number>.exe"
    Winlogon launches every program in this comma-separated list at each interactive logon, so the genuine userinit.exe still runs and the logon looks normal while the copy is started alongside it.
  • Injects code into the process "svchost.exe"
  • Deletes the original executable
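
The Userinit modification above is the persistence a responder should check first. The following Python script is an added example, not code from Microsoft or from the malware: it splits the Userinit value the way Winlogon consumes it, flags anything after the genuine userinit.exe, gives extra weight to the <system folder>\<random_number>.exe naming described above, and (on a Windows host only) reads the live value through the standard winreg module. The default system folder, the sample values and the numeric file name in them are assumptions made up for the example.

```python
import re
import sys
from typing import Callable, Dict, List, NamedTuple, Optional

# Assumption (added example): default system folder. On a real host derive it
# from %SystemRoot% instead, as triage_live_host() does.
DEFAULT_SYSTEM_FOLDER = r"C:\Windows\system32"

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# The write-up also describes encrypted URLs stored as these values under HKLM\Software\Microsoft.
MARKER_KEY = r"SOFTWARE\Microsoft"
MARKER_VALUES = ("m1131", "m1132", "m1133")

# <system folder>\<random_number>.exe, the copy name described in the write-up.
NUMERIC_EXE = re.compile(r"^(?P<dir>.+)\\(?P<name>\d+)\.exe$", re.IGNORECASE)


class Finding(NamedTuple):
    entry: str
    reason: str


def parse_userinit(value: str) -> List[str]:
    """Split a Userinit value the way Winlogon consumes it: comma separated,
    surrounding whitespace ignored. The clean default value ends with a
    trailing comma ("...\\userinit.exe,"), so empty items are dropped rather
    than reported as suspicious."""
    return [item.strip() for item in value.split(",") if item.strip()]


def audit_userinit(value: str, system_folder: str = DEFAULT_SYSTEM_FOLDER) -> List[Finding]:
    """Return one Finding per entry that should not be in Userinit."""
    expected = (system_folder + r"\userinit.exe").lower()
    entries = parse_userinit(value)
    findings: List[Finding] = []
    if not entries or entries[0].lower() != expected:
        findings.append(Finding(value, "first Userinit entry is not " + expected))
    for entry in entries[1:]:
        m = NUMERIC_EXE.match(entry)
        if m and m.group("dir").lower() == system_folder.lower():
            findings.append(Finding(entry, "numeric-named executable in the system folder (Simda pattern)"))
        else:
            findings.append(Finding(entry, "unexpected additional Userinit entry"))
    return findings


def check_markers(lookup: Callable[[str], Optional[str]]) -> Dict[str, str]:
    """Collect whichever of m1131..m1133 exist; lookup returns None when a value is absent."""
    present: Dict[str, str] = {}
    for name in MARKER_VALUES:
        data = lookup(name)
        if data is not None:
            present[name] = data
    return present


def triage_live_host() -> None:
    """Read the real registry values on a Windows host; does nothing elsewhere."""
    if sys.platform != "win32":
        print("live registry check skipped: not running on Windows")
        return
    import os
    import winreg
    system_folder = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        userinit, _ = winreg.QueryValueEx(key, "Userinit")
    for f in audit_userinit(userinit, system_folder):
        print(f"Userinit: {f.reason}: {f.entry}")

    def lookup(name: str) -> Optional[str]:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, MARKER_KEY) as key:
                return str(winreg.QueryValueEx(key, name)[0])
        except FileNotFoundError:
            return None

    for name, data in check_markers(lookup).items():
        print(f"marker value present: HKLM\\{MARKER_KEY}\\{name} = {data!r}")


if __name__ == "__main__":
    # Constructed sample values for offline use; the infected one has the shape
    # the write-up describes, but the number itself is made up.
    clean = r"C:\Windows\system32\userinit.exe,"
    infected = r"C:\Windows\system32\userinit.exe, C:\Windows\system32\8461725.exe"
    print("clean   :", audit_userinit(clean))
    print("infected:", audit_userinit(infected))
    triage_live_host()
```

Run it with administrative rights on the host being examined. The numeric-name rule is a heuristic for this family; any extra Userinit entry is worth inspecting, and the parser deliberately tolerates the trailing comma that the clean default value carries so that it does not raise a false alarm on an uninfected machine.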

Payload

Downloads and runs files

Backdoor:Win32/Simda connects to a remote host and reports information about the newly infected PC.

It then receives configuration data telling it where to download additional files, as well as other locations from which to fetch further configuration files. Downloaded files are written to the %TEMP% folder, for example C:\Users\<user name>\AppData\Local\Temp. These files may include other malware.

In the wild, we have observed the following domains being contacted for this purpose:

  • gusssiss.com
  • orlikssss.com
  • asterixsss.com

Modifies security settings

Backdoor:Win32/Simda uses various techniques in an attempt to elevate its privileges. It attempts to log on as Administrator (if the current user isn't already an administrator) using the following list of passwords:

  • help
  • stone
  • server
  • pass
  • idontknow
  • administrator
  • admin
  • 666666
  • 111
  • 12345678
  • 1234
  • soccer
  • abc123
  • password1
  • football1
  • fuckyou
  • monkey
  • iloveyou1
  • superman1
  • slipknot1
  • jordan23
  • princess1
  • liverpool1
  • monkey1
  • baseball1
  • 123abc
  • qwerty1
  • blink182
  • myspace1
  • pop
  • user111
  • 098765
  • qweryuiopas
  • qwe
  • qwer
  • qwert
  • qwerty
  • asdfg
  • chort
  • nah
  • xak
  • xakep
  • 111111
  • 12345
  • 2013
  • 2007
  • 2207
  • 110
  • 5554
  • 775
  • 354
  • 1982
  • 123
  • password
  • 123456

Injects code

If successful at privilege escalation, Simda attempts to inject a DLL into the process space of winlogon.exe. This DLL is detected as PWS:Win32/Simda.

Exploits vulnerabilities

Backdoor:Win32/Simda also attempts to exploit the following vulnerabilities in order to assist in gaining elevated privileges:

Additional information

The retrieved download locations are then saved to the following registry values in encrypted form, for example:

In subkey: HKLM\Software\Microsoft
Sets value: "m1131"
With data: <encrypted URL>


In subkey: HKLM\Software\Microsoft
Sets value: "m1132"
With data: <encrypted URL>


In subkey: HKLM\Software\Microsoft
Sets value: "m1133"
With data: <encrypted URL>

Analysis by Matt McCormack


Symptoms

Alerts from your security software may be the only symptom.


Prevention


Alert level: Severe
First detected by definition: 1.103.2020.0
Latest detected by definition: 1.191.939.0 and higher
First detected on: May 18, 2011
This entry was first published on: May 18, 2011
This entry was updated on: Sep 15, 2014

This threat is also detected as:
No known aliases