Win32/Simda


Microsoft security software detects and removes this threat.

This family of password-stealing trojans can give a malicious hacker backdoor access and control to your PC. They can then steal your passwords and gather information about your PC.

Find out ways that malware can get on your PC.  



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Protect your sensitive information

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

Some variants check to see if Simda is already running from a specific folder. If it isn't running from the expected location, the malware copies itself as one of the following:

  • %APPDATA%\<random>.exe
  • %windir%\AppPatch\<random>.exe
  • %windir%\System32\<random>.exe

Some Simda variants might make the following changes to the registry as part of the installation process:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "userinit"
With data: "<malware path and file name>"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "userinit"
With data: "<malware path and file name>"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "load"
With data: "<malware path and file name>"

In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "run"
With data: "<malware path and file name>"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "System"
With data: "<malware path and file name>"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Userinit"
With data: "<system folder>\userinit.exe, "<malware path and file name>""

If you are logged in as an administrator, it might add a scheduled task to run itself with administrator privileges each time you start your PC.

After the malware has successfully installed itself, it deletes its own original malware file.

Simda checks to see if it's running in a virtual machine, or sandbox, and if it is, it deletes itself.

When it runs, Simda might inject itself into the following processes if it finds them running on your PC, in an effort to hinder detection and removal:

  • avant.exe
  • clmain.exe
  • core.exe
  • explorer.exe
  • firefox.exe
  • iexplore.exe
  • intpro.exe
  • isclient.exe
  • java.exe
  • javaw.exe
  • javaws.exe
  • loadmain.exe
  • maxthon.exe
  • mnp.exe
  • opera.exe
  • safari.exe
  • svchost.exe

As part of its installation process, Simda might check to see if any of the following processes are running, and if found, won't complete its installation process:

  • Aircrack-ng Gui.exe
  • apis32.exe
  • avp.exe
  • CamRecorder.exe
  • CamtasiaStudio.exe
  • cv.exe
  • DrvLoader.exe
  • dumpcap.exe
  • ERDNT.exe
  • ERUNT.exe
  • EtherD.exe
  • HookExplorer.exe
  • idag.exe
  • irise.exe
  • IrisSvc.exe
  • observer.exe
  • ollydbg.exe
  • PEBrowseDbg.exe
  • proc_analyzer.exe
  • Regshot.exe
  • SandboxieDcomLaunch.exe
  • SandboxieRpcSs.exe
  • SbieCtrl.exe
  • SbieSvc.exe
  • sckTool.exe
  • sniff_hit.exe
  • Sniffer.exe
  • SUPERAntiSpyware.exe
  • SymRecv.exe
  • sysAnalyzer.exe
  • Syser.exe
  • tcpdump.exe
  • VBoxService.exe
  • VBoxTray.exe
  • windbg.exe
  • WinDump.exe
  • wireshark.exe
  • wspass.exe
  • ZxSniffer.exe

Similarly, some Simda variants check for the following registry keys, and if any is found, won't complete their installation process:

  • Appevents\Schemes\Apps\Bopup Observer
  • Software\Apis32
  • Software\B Labs\Bopup Observer
  • Software\Classes\*\Shell\Sandbox
  • Software\Classes\Folder\Shell\Sandbox
  • Software\Classes\Pebrowsedotnetprofiler.Dotnetprofiler
  • Software\Classes\Superantispywarecontextmenuext.Sascon.1
  • Software\Commview
  • Software\Cygwin
  • Software\Eeye Digital Security
  • Software\Microsoft\Windows\Currentversion\App Paths\Wireshark.Exe
  • Software\Microsoft\Windows\Currentversion\Explorer\Menuorder\Start Menu2\Programs\Apis32
  • Software\Microsoft\Windows\Currentversion\Explorer\Menuorder\Start Menu2\Programs\Debugging Tools For Windows (X86)
  • Software\Microsoft\Windows\Currentversion\Uninstall\Apis32
  • Software\Microsoft\Windows\Currentversion\Uninstall\Erunt_Is1
  • Software\Microsoft\Windows\Currentversion\Uninstall\Oracle Vm Virtualbox Guest Additions
  • Software\Microsoft\Windows\Currentversion\Uninstall\Sandboxie
  • Software\Microsoft\Windows\Currentversion\Uninstall\Win Sniffer_Is1
  • Software\Microsoft\Windows\Currentversion\Uninstall\Wireshark
  • Software\Superantispyware.Com
  • Software\Syser Soft
  • Software\Win Sniffer
  • Software\Zxsniffer
  • System\Currentcontrolset\Services\Iris5
  • System\Currentcontrolset\Services\Sbiedrv
  • System\Currentcontrolset\Services\Sdbgmsg
  • System\Currentcontrolset\Services\Vboxguest

It also hooks the following Windows system APIs to help it capture sensitive data, for example online banking and shopping sessions, email credentials and network information:

  • ADVAPI32.DLL:
    • CryptEncrypt
  • CRYPT32.DLL:
    • CertVerifyCertificateChainPolicy
  • DNSAPI.DLL:
    • DnsQuery_A
    • DnsQuery_UTF8
    • DnsQuery_W
    • Query_Main
  • NTDLL.DLL:
    • NtQuerySystemInformation
  • WS2_32.DLL:
    • send
    • WSASend
    • WSARecv
    • recv
    • getaddrinfo
    • gethostbyname
    • inet_addr
  • KERNEL32.DLL:
    • CreateFileW
    • GetFileAttributesW
  • USER32.DLL:
    • GetClipboardData
    • GetFileAttributesExW
    • GetFileAttributesW
    • GetMessageA
    • GetMessageW
    • GetWindowTextA
    • OpenDesktopA
    • OpenDesktopW
    • SendInput
    • SetClipboardData
    • SwitchDesktop
    • TranslateMessage
  • WININET.DLL:
    • HttpSendRequestA
    • HttpSendRequestW
    • HttpSendRequestExA
    • HttpSendRequestExW
    • InternetQueryDataAvailable
    • InternetReadFile
    • InternetReadFileExA
    • InternetReadFileExW
    • InternetCloseHandle
    • InternetWriteFile
  • NSPR4.DLL:
    • PR_Write
    • PR_Read
    • PR_Close
    • PR_OpenTCPSocket
  • SKS2XYZ.DLL:
    • vb_pfx_import
  • FILIALRCON.DLL:
    • RCN_R50Buffer
  • MESPRO.DLL:
    • AddPSEPrivateKeyEx
    • AddSigner

Payload

Lets a hacker access and control your PC

Some variants of Win32/Simda target several Internet banking systems. They contact a remote command and control (C&C) server and wait for commands from a hacker. In the wild, we've observed Simda targeting Internet banking systems that contain these strings:

  • AGAVA
  • ALPHA
  • BS-CLIENT
  • BSS/BSSS
  • CC
  • COLV
  • CRAIF
  • FAKTURA
  • IBANK
  • INIST
  • INTER-PRO
  • ISB
  • KBP
  • RAIFF
  • RFK
  • RSTYLE
  • SBER
  • VEFK
  • VTB24

It opens a port to let a hacker remotely access your PC by creating the following registry entry:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
Sets value: "<port number>:TCP"
With data: "<port number>:TCP"

Where <port number> varies.

Using this backdoor, a hacker can perform a number of actions on your PC, for example:

  • Stop your PC from running by deleting registry keys
  • Force reboot
  • Download and run files from a given URL
  • Upload files
  • Spread to other PCs using different methods
  • Log keystrokes or steal sensitive data
  • Change your PC's settings
  • Run or stop applications
  • Delete files

Steals sensitive information

Some Simda variants collect your personal information, including but not limited to the following:

  • User names and passwords that might be stored in your Internet browser folders
  • Logged keystrokes
  • Visited websites/URLs
  • PC certificates
  • Clipboard data
  • Screenshots
  • Information about your PC, like operating system details
  • Private key files

Some variants also go through your Internet Explorer and Opera history files looking for secure sites you have visited, and might:

  • Steal saved passwords from Internet Explorer
  • Steal WinSCP (Windows Secure Copy) stored passwords
  • Decrypt stored data from Opera
  • Get dial-up passwords
  • Create the following files in which to store stolen information:
    • sniff.log
    • keylog.txt
    • pass.log
  • Steal login information pertaining to FTP, NNTP, POP3 and POP2
  • Log your keystrokes
  • Store screenshots to <number>.bmp
  • Store passwords as they are saved

Some variants of Simda periodically check for the existence of the following files and send their contents back to the C&C server:

  • links.log
  • pws.tx
  • pass.log

Downloads and runs files

Simda's backdoor components might connect to a remote server to provide information about newly-infected PCs.

Once connected to the remote server, Simda receives the configuration information on where to download additional files, and other locations from which to download additional configuration files. Downloaded files are written to the %TEMP% folder. These files might include additional malware.

In the wild, we have observed the following servers being contacted for this purpose:

  • asterixsss.com
  • gusssiss.com
  • orlikssss.com

Tries to log in as administrator

Some Simda variants use various techniques to try to elevate their privileges. They try to log on as an administrator (if you're not already logged in as an administrator) using the following list of passwords:

  • 098765
  • 110
  • 111
  • 111111
  • 123
  • 1234
  • 12345
  • 123456
  • 12345678
  • 123abc
  • 1982
  • 2007
  • 2013
  • 2207
  • 354
  • 5554
  • 666666
  • 775
  • abc123
  • admin
  • administrator
  • asdfg
  • baseball1
  • blink182
  • chort
  • football1
  • fuckyou
  • help
  • idontknow
  • iloveyou1
  • jordan23
  • liverpool1
  • monkey
  • monkey1
  • myspace1
  • nah
  • pass
  • password
  • password1
  • pop
  • princess1
  • qwe
  • qwer
  • qwert
  • qwerty
  • qwerty1
  • qweryuiopas
  • server
  • slipknot1
  • soccer
  • stone
  • superman1
  • user111
  • xak
  • xakep

If it successfully logs in as an administrator, it will be able to do more actions to further compromise your PC, as it won't be restricted by limited privileges.

Stops processes, and prevents you from visiting certain websites

Some variants of Simda check for the following window class names, and stop any processes they belong to:

  • +f
  • AVP.MainWindow
  • hijackthis
  • Kaspersky Virus Removal Tool 2010
  • Malwarebytes' Anti-Malware
  • random's system information tool - random/random
  • SAM: Autorun Manager

It might also try to stop you from visiting websites with addresses containing any of the following security-related terms:

  • anti-malware
  • antivir
  • avast.com
  • avira
  • comodo.com
  • drweb
  • eset.com
  • kaspersky
  • kltest.org.ru
  • mavast.com
  • trendsecure
  • virusinfo
  • virustotal
  • z-oleg.com

Injects code

If it successfully elevates its privileges, Simda tries to inject a DLL into the process space of winlogon.exe. This DLL is detected as PWS:Win32/Simda. It does this to try and hinder detection and removal.

Exploits vulnerabilities

Win32/Simda tries to exploit the following vulnerabilities to gain elevated privileges:

Additional information

Win32/Simda checks for Internet connectivity by contacting the following websites:

  • bing.com
  • microsoft.com

The retrieved domains are then saved to the following registry entries in an encrypted form, for example:

In subkey: HKLM\Software\Microsoft
Sets value: "m1131"
With data: <encrypted URL>

In subkey: HKLM\Software\Microsoft
Sets value: "m1132"
With data: <encrypted URL>

In subkey: HKLM\Software\Microsoft
Sets value: "m1133"
With data: <encrypted URL>

Win32/Simda might create a mutex to avoid multiple instances of itself running on your PC at any one time, for example:

Global\MicrosoftSysenterGate<N>

where <N> is a digit.
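The registry persistence entries under Installation, the GloballyOpenPorts firewall entry, the encrypted m113x values and the mutex above are all host artifacts a responder can check directly, and the Symptoms section below repeats the same registry list. The following PowerShell triage script is an added example, not part of the Microsoft write-up; it assumes a Windows host with PowerShell run as administrator and looks only for the indicators named on this page.

```powershell
# Added triage script (not from the Microsoft write-up): checks the Simda
# registry and mutex artifacts described above. Run in an elevated PowerShell;
# HKCU: paths cover only the current user.
$findings = @()
# 1. Winlogon: Userinit should be "<system folder>\userinit.exe," and nothing else;
#    a value named "System" should not exist at all.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = (Join-Path $env:SystemRoot 'System32\userinit.exe') + ','
if ($wl.Userinit -and $wl.Userinit.Trim() -ne $expected) {
    $findings += "Winlogon\Userinit unexpected: $($wl.Userinit)"
}
if ($wl.PSObject.Properties['System']) { $findings += "Winlogon\System set: $($wl.System)" }
# 2. Per-user autostart values named "userinit", "load" and "run".
$userKeys = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'        = @('userinit', 'load')
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'    = @('userinit')
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows' = @('run')
}
foreach ($k in $userKeys.Keys) {
    foreach ($v in $userKeys[$k]) {
        $val = (Get-ItemProperty -Path $k -Name $v -ErrorAction SilentlyContinue).$v
        if ($val) { $findings += "$k\$v = $val" }
    }
}
# 3. Firewall exceptions written straight into the registry as "<port>:TCP".
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List'
if (Test-Path $fw) {
    (Get-Item $fw).GetValueNames() | Where-Object { $_ -match '^\d+:TCP$' } |
        ForEach-Object { $findings += "GloballyOpenPorts entry: $_" }
}
# 4. Encrypted C&C domains stored as values m1131, m1132, ... under HKLM\Software\Microsoft.
(Get-Item 'HKLM:\SOFTWARE\Microsoft').GetValueNames() | Where-Object { $_ -match '^m113\d$' } |
    ForEach-Object { $findings += "HKLM\Software\Microsoft\$_ present" }
# 5. Single-instance mutex Global\MicrosoftSysenterGate<N>, N a digit. An access-denied
#    error still means the mutex exists (it was created in another security context).
foreach ($n in 0..9) {
    $name = "Global\MicrosoftSysenterGate$n"
    try { [System.Threading.Mutex]::OpenExisting($name).Dispose(); $findings += "Mutex $name exists" }
    catch [System.Threading.WaitHandleCannotBeOpenedException] { }
    catch [System.UnauthorizedAccessException] { $findings += "Mutex $name exists (access denied)" }
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No Simda registry or mutex indicators found.' }
```

A hit on any check is a reason to run the full scan recommended under "What to do now"; an unexpected Userinit string on a system with a non-standard Windows folder layout should be verified by hand before it is treated as an infection.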

Some variants of Simda might infect a Windows driver file to hide its components and redirect web traffic. The infected driver is detected as Virus:WinNT/Simda.A. Other Simda variants might also, via various DNS hooks (depending on the browser), redirect traffic to google.com.

Analysis by Rex Plantado


Symptoms

The following could indicate that you have this threat on your PC:

  • You have these files:

  • You see these entries or keys in your registry:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Sets value: "userinit"
    With data: "<malware path and file name>"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "userinit"
    With data: "<malware path and file name>"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "load"
    With data: "<malware path and file name>"

    In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
    Sets value: "run"
    With data: "<malware path and file name>"

    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Sets value: "System"
    With data: "<malware path and file name>"

    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Sets value: "Userinit"
    With data: "<system folder>\userinit.exe, "<malware path and file name>""

    In subkey: HKLM\Software\Microsoft
    Sets value: "m1131"
    With data: <encrypted URL>

    In subkey: HKLM\Software\Microsoft
    Sets value: "m1132"
    With data: <encrypted URL>

    In subkey: HKLM\Software\Microsoft
    Sets value: "m1133"
    With data: <encrypted URL>


Prevention


Alert level: Severe
This entry was first published on: Sep 06, 2013
This entry was updated on: Sep 15, 2014

This threat is also detected as:
No known aliases