Trojan:WinNT/Simda.gen!A


Trojan:WinNT/Simda.gen!A is a kernel-mode driver component of Backdoor:Win32/Simda.A - a multi-component malware family. This component is responsible for hiding the backdoor's other components on the affected computer, as well as for manipulating the user's Internet traffic.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior


Installation

The Trojan:WinNT/Simda.gen!A driver is dropped and loaded by the Backdoor:Win32/Simda.A installer.

Payload

Loads malware components

Trojan:WinNT/Simda.gen!A loads other malware components into system processes, such as "csrss.exe".

It also injects code into the system shell and web browser processes, such as:

  • chrome.exe
  • explorer.exe
  • firefox.exe
  • iexplore.exe

Redirects Internet traffic and DNS requests to malicious hosts

Trojan:WinNT/Simda.gen!A has been observed to redirect user traffic to the following IP addresses:

  • 100.6.239.84
  • 178.250.45.15
  • 205.234.236.*
  • 209.212.147.141
  • 64.125.87.*
  • 65.98.83.115
  • 66.197.152.*
  • 72.30.186.249
  • 74.55.76.230
  • 75.102.22.*
  • 77.125.87.*
  • 84.125.87.*
  • 87.125.87.*
  • 87.248.112.8
  • 92.123.68.97
  • 92.125.87.*
  • 95.211.97.181
  • 98.142.243.64

where * is a number from 0 to 255.
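The address list above mixes exact hosts with wildcard ranges, so a defender checking proxy or DNS logs for Simda redirects needs to expand each "*" into a /24 before comparing. The following Python is an added example written for this entry, not Microsoft's code or part of the advisory: it turns the published list into IPv4 networks and scans a few constructed log lines (the log format is an assumption: timestamp, client, destination IP, method, URL) for destinations that fall inside any listed range.

```python
import ipaddress
import re

# IoC list copied from the advisory; a trailing "*" stands for any value 0-255.
SIMDA_REDIRECT_IOCS = [
    "100.6.239.84", "178.250.45.15", "205.234.236.*", "209.212.147.141",
    "64.125.87.*", "65.98.83.115", "66.197.152.*", "72.30.186.249",
    "74.55.76.230", "75.102.22.*", "77.125.87.*", "84.125.87.*",
    "87.125.87.*", "87.248.112.8", "92.123.68.97", "92.125.87.*",
    "95.211.97.181", "98.142.243.64",
]


def ioc_to_network(ioc):
    """Convert '64.125.87.*' to 64.125.87.0/24; an exact address becomes a /32."""
    octets = ioc.split(".")
    if len(octets) != 4:
        raise ValueError(f"bad IoC {ioc!r}")
    wild = [i for i, o in enumerate(octets) if o == "*"]
    if not wild:
        return ipaddress.ip_network(ioc)
    # Only trailing wildcards are meaningful as a CIDR prefix (the advisory uses
    # exactly one, in the last octet); each wildcard octet removes 8 prefix bits.
    first = wild[0]
    if wild != list(range(first, 4)):
        raise ValueError(f"non-trailing wildcard in {ioc!r}")
    fixed = octets[:first] + ["0"] * (4 - first)
    return ipaddress.ip_network(".".join(fixed) + f"/{8 * first}")


SIMDA_NETWORKS = [ioc_to_network(ioc) for ioc in SIMDA_REDIRECT_IOCS]


def match_ioc(ip_str):
    """Return the advisory entry that covers ip_str, or None if no entry matches."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None  # hostnames or garbage fields never match
    for ioc, net in zip(SIMDA_REDIRECT_IOCS, SIMDA_NETWORKS):
        if ip in net:
            return ioc
    return None


# Constructed sample log lines in the assumed format; not real traffic.
SAMPLE_LOG = """\
2012-03-13 10:01:02 10.0.0.5 93.184.216.34 GET http://example.com/
2012-03-13 10:01:05 10.0.0.5 64.125.87.200 GET http://www.shop.example/login
2012-03-13 10:01:07 10.0.0.7 87.248.112.8 GET http://search.example/
2012-03-13 10:01:09 10.0.0.7 87.125.88.1 GET http://news.example/
"""

LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+)$")


def scan_log(text):
    """Return one dict per log line whose destination falls inside a listed IoC."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ts, client, dest, method, url = m.groups()
        ioc = match_ioc(dest)
        if ioc is not None:
            hits.append({"time": ts, "client": client, "dest": dest,
                         "ioc": ioc, "url": url})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} -> {hit['dest']} "
              f"matches {hit['ioc']} ({hit['url']})")
```

Note that 87.125.88.1 in the sample is deliberately one octet outside 87.125.87.*, so it does not match; the wildcard expands to exactly one /24 and nothing wider. Because these addresses were observed in 2011-2012 and IP space is reassigned, a match is a reason to pull the client for inspection (the driver and injected components described above), not proof of infection on its own.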

Analysis by Sergey Chernyshev


Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.


Prevention


Alert level: Severe
First detected by definition: 1.113.1341.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Oct 10, 2011
This entry was first published on: Oct 10, 2011
This entry was updated on: Mar 13, 2012

This threat is also detected as:
  • Backdoor.Win32.Proxyier.ain (Kaspersky)
  • BDS/Proxyier.ain (Avira)
  • Backdoor.Win32.Proxyier (Ikarus)
  • Generic Proxy!bf (McAfee)