
Backdoor:Win32/Simda.F


First posted on 11 January 2012.
Source: Microsoft

Aliases:

Backdoor:Win32/Simda.F is also known as Win-Trojan/Downloader.408576.F (AhnLab), W32/Obfuscated_Q.DP (Norman), Backdoor.Proxyier!oKoYth28B2k (VirusBuster), Trojan horse Downloader.Generic12.ALOL (AVG), TR/Crypt.XPACK.Gen (Avira).

Explanation:

Backdoor:Win32/Simda.F is a backdoor that allows unauthorized access and control of an affected computer.





Installation

On execution, Backdoor:Win32/Simda.F makes the following change to the registry so that its copy runs at the next Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "<random filename>"
With data: Documents and Settings\<username>\%appdata%\<random filename>.exe

Windows deletes a RunOnce value before running the command it holds, so this entry only survives across restarts if the running backdoor writes it again. On a live system the value may therefore be absent between the moment it fires at logon and the moment the malware re-creates it; its absence at one point in time does not clear the host.

It also weakens the affected computer's security settings by turning off User Account Control (UAC) through the following registry changes:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "ConsentPromptBehaviorAdmin"
With data: dword:0
Sets value: "ConsentPromptBehaviorUser"
With data: dword:0
Sets value: "EnableLUA"
With data: dword:0

With these values, administrators are elevated without any prompt (ConsentPromptBehaviorAdmin = 0), elevation requests from standard users are denied automatically (ConsentPromptBehaviorUser = 0), and UAC is disabled altogether once the computer restarts (EnableLUA = 0). Any of the three set to 0 on a host that is supposed to run with UAC enabled is worth treating as an indicator in its own right.
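The following is an added example, not part of Microsoft's write-up, showing how the RunOnce entry and the three UAC values above can be checked offline. It parses text in the .reg format that `reg export` writes, so it can run against an export collected from a suspect host rather than against the live registry. The sample export is constructed to reproduce the values this page lists; the random file name "kdxrqm" and the user name "user" are invented.

```python
"""Offline check for the RunOnce persistence and UAC tampering listed above.

Added example, not Microsoft's analysis code. Input is text in the format
produced by `reg export` (a .reg file). The sample export below is constructed
to reproduce the values this page describes; "kdxrqm" and "user" are invented.
"""
import re

UAC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
RUNONCE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce"
# The three values this variant zeroes, in the order the page lists them.
# 0 means: silent elevation for admins, auto-deny for standard users, UAC off.
UAC_VALUES = ("ConsentPromptBehaviorAdmin", "ConsentPromptBehaviorUser", "EnableLUA")

# Constructed sample in `reg export` format (.reg files double every backslash).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000000
"ConsentPromptBehaviorUser"=dword:00000000
"EnableLUA"=dword:00000000
"PromptOnSecureDesktop"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"kdxrqm"="C:\\Documents and Settings\\user\\Application Data\\kdxrqm.exe"
"""

_VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)')


def parse_reg_export(text):
    """Return {key path (lower-cased): {value name: data}} for string and DWORD values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()  # registry paths are case-insensitive
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = _VALUE_RE.match(line)
            if not m:
                continue
            name, data = m.group(1), m.group(2)
            if data.startswith("dword:"):
                keys[current][name] = int(data[len("dword:"):], 16)
            elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                # undo the .reg escaping of quotes and backslashes
                keys[current][name] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return keys


def weakened_uac_values(keys):
    """Names of the UAC policy values that are set to 0, in the order listed on this page."""
    system = keys.get(UAC_KEY.lower(), {})
    return [name for name in UAC_VALUES if system.get(name) == 0]


def runonce_from_profile(keys):
    """RunOnce entries whose command lives under the user's profile
    (Application Data / AppData), where this page says the dropped copy is placed."""
    hits = []
    for name, data in keys.get(RUNONCE_KEY.lower(), {}).items():
        if isinstance(data, str):
            low = data.lower()
            if "\\application data\\" in low or "\\appdata\\" in low:
                hits.append((name, data))
    return hits


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_EXPORT)
    print("UAC values zeroed:", weakened_uac_values(parsed))
    print("RunOnce entries under profile:", runonce_from_profile(parsed))
```

On a real case, feed the script the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` and `reg export HKCU\...\RunOnce` taken from the host; because RunOnce values are removed when they fire, an empty RunOnce result should be read alongside the UAC values rather than on its own.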



Payload

Allows backdoor access and control

Backdoor:Win32/Simda.F allows unauthorized access and control of an affected computer. An attacker can perform any number of different actions on an affected computer using this backdoor. In the wild, we have observed Backdoor:Win32/Simda.F performing the following actions:

  • Creating a command shell
  • Running applications and processes
  • Downloading and executing arbitrary files


Downloads arbitrary files

Backdoor:Win32/Simda.F downloads a file from the following URL and saves it to a temporary folder under a random file name. The name given in the URL's setupFileName parameter is not the name the file is saved under locally, so hunting should key on the host name and URL rather than on a local file name:

update1.thebestjusecurity.in/?abbr=VCP&pid=6&action=download&setupType=vdc&setupFileName=msproc.exe&ttl=42a6c0a5d15

Modifies the Hosts file

Backdoor:Win32/Simda.F modifies the Windows Hosts file (%SystemRoot%\System32\drivers\etc\hosts by default). The Hosts file overrides DNS resolution for any hostname it lists, mapping that name to a particular IP address. Malware often edits it to stop users from reaching websites associated with security-related applications, such as antivirus vendors, by pointing those names at an unreachable address. The entries observed for this variant, however, all point search-engine, advertising and web-analytics hostnames at routable addresses, so the effect is redirection of that traffic rather than blocking. When checking a host, read the file from the path held in the DataBasePath value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters rather than assuming the default location.

In the wild, we have observed Backdoor:Win32/Simda.F redirecting the following hostnames to the listed IP addresses:

  • ad-emea.doubleclick.net to 64.125.87.101
  • au.search.yahoo.com to 87.248.112.8
  • ca.search.yahoo.com to 100.6.239.84
  • de.search.yahoo.com to 87.248.112.8
  • fr.search.yahoo.com to 87.248.112.8
  • google.be to 77.125.87.148
  • google.ca to 77.125.87.152
  • google.ch to 77.125.87.155
  • google.co.jp to 92.125.87.103
  • google.co.nz to 84.125.87.103
  • google.co.uk to 64.125.87.103
  • google.co.za to 64.125.87.103
  • google.com to 87.125.87.103
  • google.com.au to 87.125.87.104
  • google.com.br to 77.125.87.109
  • google.de to 77.125.87.160
  • google.dk to 92.125.87.123
  • google.fr to 92.125.87.154
  • google.ie to 92.125.87.170
  • google.it to 92.125.87.173
  • google.nl to 84.125.87.103
  • google.no to 84.125.87.103
  • google.pl to 84.125.87.103
  • google.se to 64.125.87.103
  • search.yahoo.com to 72.30.186.249
  • uk.search.yahoo.com to 87.248.112.8
  • www.bing.com to 92.123.68.97
  • www.google-analytics.com to 64.125.87.101
  • www.google.be to 77.125.87.149
  • www.google.ca to 77.125.87.153
  • www.google.ch to 77.125.87.158
  • www.google.co.jp to 84.125.87.147
  • www.google.co.nz to 84.125.87.147
  • www.google.co.uk to 64.125.87.147
  • www.google.co.za to 64.125.87.147
  • www.google.com to 87.125.87.99
  • www.google.com.au to 87.125.87.147
  • www.google.com.br to 77.125.87.150
  • www.google.de to 77.125.87.161
  • www.google.dk to 92.125.87.160
  • www.google.fr to 92.125.87.134
  • www.google.ie to 92.125.87.177
  • www.google.it to 92.125.87.147
  • www.google.nl to 84.125.87.147
  • www.google.no to 84.125.87.147
  • www.google.pl to 64.125.87.147
  • www.google.se to 64.125.87.147
  • www.search.yahoo.com to 72.30.186.249
  • www.statcounter.com to 64.125.87.101
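The following is an added example, not part of Microsoft's analysis, showing how a collected Hosts file can be parsed and its entries for the services above separated into redirections (routable address, the pattern on this page) and blocking entries (loopback or 0.0.0.0, the pattern used against security sites). The sample Hosts content is constructed: five mappings copy entries from the list above, the 0.0.0.0 line is an invented blocking entry for contrast, and the set of watched labels is a heuristic chosen for this example.

```python
"""Parse a Windows Hosts file and separate redirections from blocking entries.

Added example, not from Microsoft's analysis. SAMPLE_HOSTS is constructed:
the routable mappings are copied from this page's list, the 0.0.0.0 line is an
invented blocking-style entry, and WATCHED_LABELS is a heuristic for this example.
"""
import ipaddress

# Second-level labels of the services targeted in the list above (heuristic).
WATCHED_LABELS = {"google", "yahoo", "bing", "doubleclick", "google-analytics", "statcounter"}

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
87.125.87.103   google.com
87.125.87.99    www.google.com
72.30.186.249   search.yahoo.com
92.123.68.97    www.bing.com
64.125.87.101   www.google-analytics.com
0.0.0.0         ad.doubleclick.net   # constructed blocking-style entry, for contrast
"""


def parse_hosts(text):
    """Return [(ip_address, hostname), ...] for every active mapping.
    Comment text after '#', blank lines and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not a valid IPv4/IPv6 literal
        for host in fields[1:]:  # one line may carry several aliases
            entries.append((ip, host.lower()))
    return entries


def classify(entries, watched=WATCHED_LABELS):
    """Split entries for watched services into (blocked, redirected).

    blocked:    mapped to a loopback or unspecified address (the site becomes unreachable)
    redirected: mapped to any other address (traffic goes to the address the attacker chose)
    Hostnames whose labels (excluding the TLD) contain no watched label are ignored.
    """
    blocked, redirected = [], []
    for ip, host in entries:
        labels = host.split(".")
        if not watched.intersection(labels[:-1]):
            continue
        target = blocked if (ip.is_loopback or ip.is_unspecified) else redirected
        target.append((str(ip), host))
    return blocked, redirected


if __name__ == "__main__":
    blocked, redirected = classify(parse_hosts(SAMPLE_HOSTS))
    for ip, host in redirected:
        print(f"REDIRECTED {host} -> {ip}")
    for ip, host in blocked:
        print(f"BLOCKED    {host} -> {ip}")
```

The two lists answer different questions: a non-empty "redirected" list for search, advertising or analytics names means the machine's traffic for those services is being steered, which matches the behaviour described for this variant; a "blocked" list is the signature of the security-site-blocking technique the paragraph above mentions but this variant was not observed using.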



    Analysis by Fang Fang

Last update 11 January 2012

