Backdoor:Win32/Simda.F


Microsoft security software detects and removes this threat.

This threat can give a malicious hacker backdoor access and control to your PC. They can then steal your passwords and gather information about your PC.




What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Protect your sensitive information

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

When run, Backdoor:Win32/Simda.F makes the following changes to the registry to ensure that its copy executes at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "<random filename>"
With data: Documents and Settings\<username>\%appdata%\<random filename>.exe

It also modifies the affected computer system's security settings by making the following changes to the registry:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "ConsentPromptBehaviorAdmin"
With data: dword:0
Sets value: "ConsentPromptBehaviorUser"
With data: dword:0
Sets value: "EnableLUA"
With data: dword:0
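The two registry changes above (a RunOnce entry that relaunches the dropped executable from the user's profile, and the three Policies\System values set to 0, which together switch off UAC prompting) are the kind of artifact an incident responder checks first. The following script is an added example for this entry, not Microsoft's code: it parses a `.reg` export of those two keys and reports the indicators. The export text, the value name `xk2r9q` and the path are constructed to resemble an infected host, since the entry only says the filename is random and lives under the user's AppData folder; the script therefore flags any RunOnce value whose data is an `.exe` inside an AppData path rather than one fixed name.

```python
"""Triage a Windows registry export (.reg) for the persistence and
UAC-disabling values described for Backdoor:Win32/Simda.F.

Added example for this encyclopedia entry, not Microsoft's code.
SAMPLE_REG is a constructed export; the value name and path are invented."""
import re

# Values the entry says the malware sets to 0 under Policies\System.
UAC_VALUES = ("ConsentPromptBehaviorAdmin", "ConsentPromptBehaviorUser", "EnableLUA")
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
RUNONCE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce"

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"xk2r9q"="C:\\Documents and Settings\\alice\\Application Data\\xk2r9q.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000000
"ConsentPromptBehaviorUser"=dword:00000000
"EnableLUA"=dword:00000000
"PromptOnSecureDesktop"=dword:00000001
'''


def parse_reg_export(text):
    """Parse .reg text into {key_path_lowercased: {value_name: data}}.

    Registry paths are case-insensitive, so keys are normalised to lower
    case; dword data becomes int, quoted strings are unescaped, anything
    else (hex:, expandable strings) is kept as the raw token."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith("dword:"):
            value = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            value = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        else:
            value = data
        keys[current][name] = value
    return keys


def find_simda_indicators(reg_text):
    """Return human-readable findings for the two artifacts the entry lists."""
    keys = parse_reg_export(reg_text)
    findings = []
    policy = keys.get(POLICY_KEY.lower(), {})
    for name in UAC_VALUES:
        if policy.get(name) == 0:
            findings.append(f"UAC weakened: {name} = 0 under Policies\\System")
    runonce = keys.get(RUNONCE_KEY.lower(), {})
    for name, data in runonce.items():
        path = str(data).lower()
        # Random filename, so match on location (AppData) and type (.exe).
        if path.endswith(".exe") and ("application data" in path or "appdata" in path):
            findings.append(f"RunOnce persistence: {name!r} -> {data}")
    return findings


if __name__ == "__main__":
    for finding in find_simda_indicators(SAMPLE_REG):
        print(finding)
```

On a live machine the same export is produced with `reg export` for each key; on a clean Windows 7 or later system EnableLUA is 1, so a 0 in any of the three values is worth investigating on its own, independent of the RunOnce entry.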

Payload

Allows backdoor access and control

Backdoor:Win32/Simda.F allows unauthorized access and control of an affected computer. An attacker can perform any number of different actions on an affected computer using this backdoor. In the wild, we have observed Backdoor:Win32/Simda.F performing the following actions:

  • Creating a command shell
  • Running applications and processes
  • Downloading and executing arbitrary files

Downloads files

Backdoor:Win32/Simda.F downloads a file from the following URL, then saves it to a temporary folder with a random file name:

  • update1.thebestjusecurity.in/?abbr=VCP&pid=6&action=download&setupType=vdc&setupFileName=msproc.exe&ttl=42a6c0a5d15

Modifies the Hosts file

Backdoor:Win32/Simda.F modifies the Windows Hosts file. The local Hosts file overrides DNS resolution, mapping a website's host name to a particular IP address. Malicious software may modify the Hosts file in order to redirect specified host names to different IP addresses. Malware often modifies an affected computer's Hosts file to stop users from reaching websites associated with particular security-related applications (such as antivirus products).

In the wild, we have observed Backdoor:Win32/Simda.F redirecting the following:

  • ad-emea.doubleclick.net to 64.125.87.101
  • au.search.yahoo.com to 87.248.112.8
  • ca.search.yahoo.com to 100.6.239.84
  • de.search.yahoo.com to 87.248.112.8
  • fr.search.yahoo.com to 87.248.112.8
  • google.be to 77.125.87.148
  • google.ca to 77.125.87.152
  • google.ch to 77.125.87.155
  • google.co.jp to 92.125.87.103
  • google.co.nz to 84.125.87.103
  • google.co.uk to 64.125.87.103
  • google.co.za to 64.125.87.103
  • google.com to 87.125.87.103
  • google.com.au to 87.125.87.104
  • google.com.br to 77.125.87.109
  • google.de to 77.125.87.160
  • google.dk to 92.125.87.123
  • google.fr to 92.125.87.154
  • google.ie to 92.125.87.170
  • google.it to 92.125.87.173
  • google.nl to 84.125.87.103
  • google.no to 84.125.87.103
  • google.pl to 84.125.87.103
  • google.se to 64.125.87.103
  • search.yahoo.com to 72.30.186.249
  • uk.search.yahoo.com to 87.248.112.8
  • www.bing.com to 92.123.68.97
  • www.google-analytics.com to 64.125.87.101
  • www.google.be to 77.125.87.149
  • www.google.ca to 77.125.87.153
  • www.google.ch to 77.125.87.158
  • www.google.co.jp to 84.125.87.147
  • www.google.co.nz to 84.125.87.147
  • www.google.co.uk to 64.125.87.147
  • www.google.co.za to 64.125.87.147
  • www.google.com to 87.125.87.99
  • www.google.com.au to 87.125.87.147
  • www.google.com.br to 77.125.87.150
  • www.google.de to 77.125.87.161
  • www.google.dk to 92.125.87.160
  • www.google.fr to 92.125.87.134
  • www.google.ie to 92.125.87.177
  • www.google.it to 92.125.87.147
  • www.google.nl to 84.125.87.147
  • www.google.no to 84.125.87.147
  • www.google.pl to 64.125.87.147
  • www.google.se to 64.125.87.147
  • www.search.yahoo.com to 72.30.186.249
  • www.statcounter.com to 64.125.87.101
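Every name in the list above is a search engine, ad network or analytics host, none of which belongs in a clean Hosts file, so a Hosts entry mapping any of them to a routable address is a strong indicator on its own. The script below is an added example for this entry, not Microsoft's code: it parses a copy of a Hosts file, ignores comments and loopback or `0.0.0.0` sinkhole entries (the legitimate ad-blocking pattern), and reports the hijacked names. The pattern generalises the list to the whole families it covers (any `google.<tld>` or `google.co.<cc>`, any `<cc>.search.yahoo.com`). The sample Hosts text is constructed; the addresses in it are the ones the entry reports.

```python
"""Scan a copy of a Windows Hosts file for the search-engine and ad-network
redirections described for Backdoor:Win32/Simda.F.

Added example for this encyclopedia entry, not Microsoft's code.
SAMPLE_HOSTS is constructed; its addresses are taken from the entry."""
import ipaddress
import re

# Host-name families the entry lists as redirected.
WATCHED = re.compile(
    r"^(www\.)?("
    r"google\.[a-z]{2,3}(\.[a-z]{2})?"      # google.com, google.co.uk, google.com.au
    r"|([a-z]{2}\.)?search\.yahoo\.com"     # search.yahoo.com, uk.search.yahoo.com
    r"|bing\.com"
    r"|google-analytics\.com"
    r"|statcounter\.com"
    r")$|^ad-emea\.doubleclick\.net$"
)

SAMPLE_HOSTS = """\
# constructed Hosts file resembling an infected machine
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example            # ad-block style entry, benign
87.125.87.103   google.com
87.125.87.99    www.google.com
72.30.186.249   search.yahoo.com www.search.yahoo.com
92.123.68.97    www.bing.com
64.125.87.101   www.google-analytics.com
"""


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs from Hosts-file text.

    Comments (after '#') are dropped, a line may carry several names, and
    lines whose first token is not a valid IP address are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for host in parts[1:]:
            yield ip, host.lower()


def find_hosts_hijacks(text):
    """Return [(hostname, ip)] for watched names mapped to a routable address."""
    hijacks = []
    for ip, host in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue  # 127.0.0.1 / ::1 / 0.0.0.0 entries block, they do not redirect
        if WATCHED.match(host):
            hijacks.append((host, str(ip)))
    return hijacks


if __name__ == "__main__":
    for host, ip in find_hosts_hijacks(SAMPLE_HOSTS):
        print(f"hijacked: {host} -> {ip}")
```

The file itself lives at `%SystemRoot%\System32\drivers\etc\hosts`; the same function can be pointed at a copy collected from the affected machine, and a non-empty result after cleanup means the file still needs to be restored.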

Analysis by Fang Fang


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following registry modifications:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Sets value: "<random filename>"
    With data: Documents and Settings\<username>\%appdata%\<random filename>.exe

    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    Sets value: "ConsentPromptBehaviorAdmin"
    With data: dword:0
    Sets value: "ConsentPromptBehaviorUser"
    With data: dword:0
    Sets value: "EnableLUA"
    With data: dword:0


Prevention


Alert level: Severe
First detected by definition: 1.117.2379.0
Latest detected by definition: 1.117.2379.0 and higher
First detected on: Jan 06, 2012
This entry was first published on: Jan 06, 2012
This entry was updated on: Sep 15, 2014

This threat is also detected as:
  • Win-Trojan/Downloader.408576.F (AhnLab)
  • W32/Obfuscated_Q.DP (Norman)
  • Backdoor.Proxyier!oKoYth28B2k (VirusBuster)
  • Trojan horse Downloader.Generic12.ALOL (AVG)
  • TR/Crypt.XPACK.Gen (Avira)