Trojan:Win32/Simda.N is a trojan that allows backdoor access and control. It also lowers security settings and modifies system settings.
Installation
Trojan:Win32/Simda.N drops itself in the Windows system folder using a random file name. Some of the file names it has been known to use are:
It modifies the system registry to ensure that it automatically runs every time Windows starts, for example:
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Userinit"
With data: "<system folder>\userinit.exe,<system folder>\iyeknw.exe,"
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Userinit"
With data: "<system folder>\userinit.exe,<system folder>\gjlvsq.exe,"
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
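Defenders can audit the Winlogon persistence described above with the following PowerShell check. It is an added example, not part of the original analysis; it assumes the legitimate userinit.exe lives under %SystemRoot%\System32 and treats every other entry in the comma-separated Userinit list as suspicious.

```powershell
# Added example (not from the original analysis): audit the Winlogon "Userinit"
# value that Simda.N abuses for persistence. Windows only needs the stock
# userinit.exe there; any extra path in the list warrants triage.
$winlogonKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$stockUserinit = Join-Path $env:SystemRoot 'System32\userinit.exe'   # assumption: default layout

$value = (Get-ItemProperty -Path $winlogonKey -Name 'Userinit').Userinit

# The data is a comma-separated list with a normal trailing comma, e.g.
# "C:\Windows\system32\userinit.exe,"; drop empty fields after splitting.
$entries = $value -split ',' |
    ForEach-Object { $_.Trim().Trim('"') } |
    Where-Object { $_ -ne '' }

# PowerShell string comparison is case-insensitive by default, which is what
# we want for Windows paths.
$extra = $entries | Where-Object { $_ -ne $stockUserinit -and $_ -ne 'userinit.exe' }

if (-not $extra) {
    Write-Output "Userinit is clean: $value"
    return
}

foreach ($path in $extra) {
    Write-Warning "Unexpected Userinit entry: $path"
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        # Collect the details an analyst needs: signature state and a hash
        # that can be matched against vendor detections.
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        Write-Output ("  present, signature={0}, sha256={1}" -f $sig.Status, $hash)
    } else {
        # A dangling entry still matters: the dropped file may have been removed
        # while the persistence value was left behind.
        Write-Output '  file not present on disk'
    }
}
```

Run it from an elevated prompt on the suspect host; a clean system reports only the single userinit.exe entry.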
Trojan:Win32/Simda.N may inject code into the following process:
Payload
Allows backdoor access and control
Trojan:Win32/Simda.N may contact a remote server without the user's knowledge. It may receive various commands from this remote server to perform certain actions, such as the following:
- Send information about the computer
- Send logged keystrokes
- Download and execute arbitrary files
- End arbitrary processes
A server that it is known to connect to in the wild is:
Lowers security settings
Trojan:Win32/Simda.N attempts to lower the computer's firewall settings by running the following command:
netsh firewall set allowedprogram <system folder>\services.exe services ENABLE
It may also attempt to interfere with the functionality of the following programs:
- AVG Antivirus
- Avira
- CA's Host Intrusion Prevention System
- Windows Defender
Modifies system settings
Trojan:Win32/Simda.N may try to reset the computer's current System Restore point, so that restoring the computer with System Restore loads a state in which the malware is already present.
It may also modify the routing table to prevent the computer from connecting to various network addresses.
Analysis by Andrei Florin Saygo