Trojan:Win32/Simda


Trojan:Win32/Simda is a multi-component trojan that downloads and executes arbitrary files. These files may include additional malware. 


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Microsoft Safety Scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.

Threat behavior

Trojan:Win32/Simda is a multi-component trojan that downloads and executes arbitrary files. These files may include additional malware. 
Installation
When executed, the malware:
  • Checks if the trojan is running from the <system folder>. If it isn't running from the system folder, Trojan:Win32/Simda copies itself as <system folder>\<random_number>.exe
  • Modifies the following registry entry to execute its copy at Windows start
    Adds value: "userinit"
    With data: "<system folder>\userinit.exe,<system folder>\<random_number>.exe,"
    To subkey: HKLM\Software\Microsoft\Windows NT\Currentversion\Winlogon
  • Injects code to the process “svchost.exe”
  • Deletes the original executable
 
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP, Vista, and 7.
Payload
Downloads and executes arbitrary files
Trojan:Win32/Simda connects to a remote host and provides information regarding the newly infected computer.
 
It then receives the configuration information on where to download additional files, and other locations from which to download additional configuration files. Downloaded files are written to the %TEMP% folder, for example C:\Users\<user name>\AppData\Local\Temp. These files may include additional malware.
 
In the wild, we've observed the following domains being contacted for this purpose:
 
gusssiss.com
orlikssss.com
asterixsss.com

Modifies security settings

Trojan:Win32/Simda uses various techniques in an attempt to elevate its privilege. It attempts to log on as Administrator (if the user isn't Admin already) using a list of passwords:

  • help
  • stone
  • server
  • pass
  • idontknow
  • administrator
  • admin
  • 666666
  • 111
  • 12345678
  • 1234
  • soccer
  • abc123
  • password1
  • football1
  • fuckyou
  • monkey
  • iloveyou1
  • superman1
  • slipknot1
  • jordan23
  • princess1
  • liverpool1
  • monkey1
  • baseball1
  • 123abc
  • qwerty1
  • blink182
  • myspace1
  • pop
  • user111
  • 098765
  • qweryuiopas
  • qwe
  • qwer
  • qwert
  • qwerty
  • asdfg
  • chort
  • nah
  • xak
  • xakep
  • 111111
  • 12345
  • 2013
  • 2007
  • 2207
  • 110
  • 5554
  • 775
  • 354
  • 1982
  • 123
  • password
  • 123456
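
The privilege-escalation step above is a local password-guessing attempt against the Administrator account. From the defender's side, that behaviour shows up as a burst of failed logons for one account in a short time. The following Python is an added example, not part of the Microsoft entry: it runs a sliding-window count over constructed failed-logon records (modelled loosely on the fields of Windows Security event 4625; the field names, the 10-in-60-seconds threshold and the sample timestamps are assumptions for the example) and reports accounts whose failure rate exceeds the threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real log data). Twelve failed logons for
# "Administrator" spaced 4 seconds apart, plus two unrelated single failures.
SAMPLE_FAILED_LOGONS = [
    {"time": f"2010-03-02T10:00:{i * 4:02d}", "account": "Administrator",
     "logon_type": 2, "process": "1234567.exe"}   # placeholder process name
    for i in range(12)
] + [
    {"time": "2010-03-02T11:30:00", "account": "alice",
     "logon_type": 2, "process": "winlogon.exe"},
    {"time": "2010-03-02T16:45:10", "account": "Administrator",
     "logon_type": 2, "process": "winlogon.exe"},
]


def find_password_guessing(events, threshold=10, window_seconds=60):
    """Return one alert per account whose failed-logon count within any
    window of `window_seconds` reaches `threshold`.

    Events are grouped by target account (case-insensitive, as Windows
    account names are), sorted, and scanned with two indices so each event
    is visited once per account."""
    by_account = defaultdict(list)
    for ev in events:
        by_account[ev["account"].lower()].append(datetime.fromisoformat(ev["time"]))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for account, times in by_account.items():
        times.sort()
        start = 0
        peak = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it covers at most window_seconds.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"account": account, "max_failures_in_window": peak})
    return alerts


if __name__ == "__main__":
    for alert in find_password_guessing(SAMPLE_FAILED_LOGONS):
        print(f"possible password guessing against {alert['account']}: "
              f"{alert['max_failures_in_window']} failures within 60 s")
```

The single afternoon failure for Administrator is correctly left alone: the count only matters inside one window, so a handful of genuine mistypes spread over a day never trips the rule.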

Injects code

If successful at privilege escalation, Simda attempts to inject a DLL into the process space of winlogon.exe. This DLL is detected as PWS:Win32/Simda.

Exploits vulnerabilities

Trojan:Win32/Simda also attempts to exploit the following vulnerabilities in order to assist in gaining elevated privileges:

Additional information
The retrieved domains are then saved to the following registry entries in an encrypted form, for example:
 
Adds value: “m1131”
With data: <encrypted URL>
To subkey: HKLM\Software\Microsoft
 
Adds value: “m1132”
With data: <encrypted URL>
To subkey: HKLM\Software\Microsoft
 
Adds value: “m1133” 
With data: <encrypted URL>
To subkey: HKLM\Software\Microsoft
 
Analysis by Rodel Finones

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following registry modifications:
    Adds value: "userinit"
    With data: "<system folder>\userinit.exe,<system folder>\<random_number>.exe,"
    To subkey: HKLM\Software\Microsoft\Windows NT\Currentversion\Winlogon

    Adds value: "m1131"
    With data: <encrypted URL>
    To subkey: HKLM\Software\Microsoft

    Adds value: "m1132"
    With data: <encrypted URL>
    To subkey: HKLM\Software\Microsoft

    Adds value: "m1133"
    With data: <encrypted URL>
    To subkey: HKLM\Software\Microsoft
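
The two registry artifacts listed under Installation and Additional information (the extra executable appended to the Winlogon Userinit value, and the m1131/m1132/m1133 values under HKLM\Software\Microsoft) can be checked offline against a registry export. The Python below is an added example, not Microsoft's or the malware's code: it parses a constructed .reg export (the paths, the value "1234567.exe" standing in for <system folder>\<random_number>.exe, and the hex data are all made up for the example), then flags any Userinit entry other than userinit.exe and any m113x value sitting directly under HKLM\Software\Microsoft. The .reg parser handles only the string and hex value forms needed here.

```python
import re

# Constructed sample export of an affected host (not captured from a real system).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\System32\\userinit.exe,C:\\Windows\\System32\\1234567.exe,"
"Shell"="explorer.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft]
"m1131"=hex:3a,7f,12,0c,9e
"m1132"=hex:11,22,33
"m1133"=hex:aa,bb
'''

# Constructed export of a clean host, for comparison.
CLEAN_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\System32\\userinit.exe,"
"Shell"="explorer.exe"
'''

WINLOGON_KEY = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
MICROSOFT_KEY = r'HKEY_LOCAL_MACHINE\Software\Microsoft'

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"=(.*)$')
_SIMDA_VALUE_RE = re.compile(r'^m113\d$', re.IGNORECASE)


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: value}}.
    REG_SZ strings are unescaped (\\\\ -> \\, \\" -> "); other types such as
    hex: data are kept as their raw export text."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(';'):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, raw = m.group(1), m.group(2)
            if raw.startswith('"') and raw.endswith('"'):
                raw = raw[1:-1].replace('\\"', '"').replace('\\\\', '\\')
            keys[current][name] = raw
    return keys


def _lookup_key(keys, wanted):
    # Registry key and value names are case-insensitive, so compare folded.
    return {k.lower(): v for k, v in keys.items()}.get(wanted.lower(), {})


def check_userinit(keys):
    """Flag every comma-separated Userinit entry that is not userinit.exe."""
    findings = []
    winlogon = _lookup_key(keys, WINLOGON_KEY)
    userinit = next((v for n, v in winlogon.items() if n.lower() == 'userinit'), None)
    if userinit is None:
        return findings
    for entry in (e.strip() for e in userinit.split(',') if e.strip()):
        base = entry.rsplit('\\', 1)[-1].lower()
        if base == 'userinit.exe':
            continue
        kind = ('numeric-name executable (matches the <random_number>.exe pattern)'
                if re.fullmatch(r'\d+\.exe', base) else 'unexpected entry')
        findings.append(f'Userinit: {kind}: {entry}')
    return findings


def check_simda_values(keys):
    """Flag m113x values stored directly under HKLM\\Software\\Microsoft."""
    ms = _lookup_key(keys, MICROSOFT_KEY)
    return [f'HKLM\\Software\\Microsoft value {name} present (encrypted URL store)'
            for name in sorted(ms) if _SIMDA_VALUE_RE.match(name)]


def scan(text):
    keys = parse_reg_export(text)
    return check_userinit(keys) + check_simda_values(keys)


if __name__ == "__main__":
    for finding in scan(SAMPLE_REG_EXPORT):
        print(finding)
```

A Userinit value with anything after userinit.exe is worth a look regardless of this family, since the value is a common persistence point; the m113x check is the Simda-specific part, and the numeric-name test on the extra entry is a hint rather than proof, because the original file has already been deleted by the time the registry is inspected.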

Prevention


Alert level: Severe
First detected by definition: 1.77.213.0
Latest detected by definition: 1.183.2523.0 and higher
First detected on: Mar 02, 2010
This entry was first published on: Apr 12, 2010
This entry was updated on: May 25, 2011

This threat is also detected as:
  • Trojan-Downloader.Win32.Agent.disn (Kaspersky)
  • Trojan.Pws.Agent.AD (BitDefender)
  • Trojan.DownLoad1.42328 (Dr.Web)