
PWS:Win32/Simda.AF


First posted on 21 November 2012.
Source: Microsoft

Aliases:

PWS:Win32/Simda.AF is also known as Backdoor/Win32.Shiz (AhnLab), Backdoor.Win32.Shiz.ggcb (Kaspersky), TR/Kazy.93325.5 (Avira), Trojan.PWS.Ibank.456 (Dr.Web), Win32/Spy.Shiz.NCF trojan (ESET).

Explanation:

PWS:Win32/Simda.AF is a password-stealing trojan that may also allow backdoor access and control of your computer. Its main purpose is to steal passwords and system information from your computer.



Installation

When run, PWS:Win32/Simda.AF copies itself under a random file name to the "%windir%\AppPatch" folder.

It creates the following registry entries to make sure that its copy runs every time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "userinit"
With data: "%windir%\AppPatch\<random name>.exe"

In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "run"
With data: "%windir%\AppPatch\<random name>.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "load"
With data: "%windir%\AppPatch\<random name>.exe"

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "System"
With data: "%windir%\AppPatch\<random name>.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Modifies value: "userinit"
With data: "c:\windows\system32\userinit.exe,%windir%\AppPatch\<random name>.exe,"

It also creates the following mutex to make sure only one instance of itself is running on your computer:

Global\MicrosoftSysenterGate7
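As an added defender's check (not part of the Microsoft write-up), the following Python function inspects the auto-start values listed above and flags any that launch an executable from %windir%\AppPatch, as well as a Winlogon Userinit value that carries anything besides userinit.exe. It works over a dictionary of exported registry values so it runs offline; the registry data below is constructed, the random file name is hypothetical, and the AppPatch check deliberately covers any value name under those keys, not only the four the page names.

```python
import re
from typing import Dict, List, Tuple

RegValues = Dict[Tuple[str, str], str]  # (key path, value name) -> data

# Auto-start keys named in the write-up; compared case-insensitively below.
AUTOSTART_KEYS = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows",
}
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# An .exe launched from %windir%\AppPatch; the file name is random, so match on the folder.
APPPATCH_EXE = re.compile(r"\\AppPatch\\[^\\,]+\.exe", re.IGNORECASE)


def check_simda_persistence(values: RegValues) -> List[str]:
    """Return one finding per suspicious value; an empty list means nothing matched."""
    findings: List[str] = []
    autostart = {k.lower() for k in AUTOSTART_KEYS}
    for (key, name), data in values.items():
        # Winlogon Userinit should list only userinit.exe; the trojan appends its own copy.
        if key.lower() == WINLOGON.lower() and name.lower() == "userinit":
            entries = [e.strip() for e in data.split(",") if e.strip()]
            extra = [e for e in entries if not e.lower().endswith(r"\userinit.exe")]
            if extra:
                findings.append(f"Winlogon Userinit has extra entries: {extra}")
            continue
        # Any value under the listed keys that starts an .exe from AppPatch is flagged.
        if key.lower() in autostart and APPPATCH_EXE.search(data):
            findings.append(f"{key}\\{name} launches {data}")
    return findings


# Constructed samples (not from the page): one mirroring the described infection, one clean.
_COPY = r"C:\Windows\AppPatch\xkqwe.exe"  # hypothetical random file name
_BENIGN = r"C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
INFECTED_SAMPLE: RegValues = {
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "userinit"): _COPY,
    (r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows", "run"): _COPY,
    (WINLOGON, "load"): _COPY,
    (r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows", "System"): _COPY,
    (WINLOGON, "Userinit"): r"c:\windows\system32\userinit.exe," + _COPY + ",",
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive"): _BENIGN,
}
CLEAN_SAMPLE: RegValues = {
    (WINLOGON, "Userinit"): r"C:\Windows\system32\userinit.exe,",
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive"): _BENIGN,
}

if __name__ == "__main__":
    for finding in check_simda_persistence(INFECTED_SAMPLE):
        print(finding)
```

On a live host the dictionary would be filled from a registry export of those keys; the mutex name above is a second, independent indicator that this check does not cover.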



Payload

Allows backdoor access and control

PWS:Win32/Simda.AF attempts to connect to certain servers to wait for commands. The following are examples of servers that it attempts to connect to:


Using this backdoor access, an attacker can perform several actions on your computer, including the following:

  • Download and upload files
  • Delete files and registry entries
  • Restart your computer
  • Start and stop applications
  • Log keystrokes
  • Modify your computer's settings


Steals information

PWS:Win32/Simda.AF has been observed to steal the following information, which it sends to a remote server:

  • List of all currently running processes
  • Internet Explorer, Opera, and Firefox history of visited websites
  • Window titles of and URLs visited by every process
  • FTP user names and passwords
  • Network packets
  • Autocomplete passwords
  • Dial-up passwords
  • Logged keystrokes
  • Plain text traffic information pertaining to FTP, NNTP, POP3, and POP2 protocols
  • Computer information, such as your user name, computer name, hardware information, and network information


It may store its stolen information in files that have the following names:

  • keylog.txt
  • links.log
  • pass.log
  • passwords.txt
  • sniff.log
  • sysinfo.log


Once loaded, PWS:Win32/Simda.AF attempts to inject itself into the following processes if they are running on your computer:

  • svchost.exe
  • opera.exe
  • iscc.exe
  • clmain.exe
  • wclnt.exe
  • chrome.exe
  • core.exe
  • iexplore.exe
  • firefox.exe
  • explorer.exe


Depending on the process, it injects itself either as part of its information stealing process, to stay resident in memory, or to hide itself from other processes.

It also tries to hook the following APIs as part of its information stealing routines:

  • AddPSEPrivateKeyEx
  • AddSigner
  • CallWindowProcA
  • CallWindowProcW
  • CloseClipboard
  • CountClipboardFormats
  • CreateFileW
  • DefDlgProcA
  • DefDlgProcW
  • DefFrameProcA
  • DefFrameProcW
  • DefMDIChildProcA
  • DefMDIChildProcW
  • DefWindowProcA
  • DefWindowProcW
  • DnsQuery_A
  • DnsQuery_UTF8
  • DnsQuery_W
  • EmptyClipboard
  • FlashWindow
  • FlashWindowEx
  • GetCapture
  • GetClipboardData
  • GetCursorPos
  • GetFileAttributesW
  • gethostbyname
  • GetMessageA
  • GetMessagePos
  • GetMessageW
  • GetPriorityClipboardFormat
  • GetUpdatedClipboardFormats
  • GetWindowTextA
  • HttpSendRequestA
  • HttpSendRequestExA
  • HttpSendRequestExW
  • HttpSendRequestW
  • InternetCloseHandle
  • InternetQueryDataAvailable
  • InternetReadFile
  • InternetReadFileExA
  • InternetReadFileExW
  • IsClipboardFormatAvailable
  • MessageBeep
  • OpenDesktopA
  • OpenDesktopW
  • OpenInputDesktop
  • PeekMessageA
  • PeekMessageW
  • PlaySoundA
  • PlaySoundW
  • PR_Close
  • PR_GetError
  • PR_GetNameForIdentity
  • PR_OpenTCPSocket
  • PR_Read
  • PR_SetError
  • PR_Write
  • Query_Main
  • RCN_R50Buffer
  • recv
  • ReleaseCapture
  • send
  • SendInput
  • SetCapture
  • SetClipboardData
  • SetCursorPos
  • SetDIBitsToDevice
  • SetThreadDesktop
  • sndPlaySoundA
  • sndPlaySoundW
  • SSL_write
  • SwitchDesktop
  • TrackPopupMenuEx
  • TranslateMessage
  • vb_pfx_import
  • WSARecv
  • WSASend
  • ZwQuerySystemInformation


Blocks access to certain websites

PWS:Win32/Simda.AF checks whether the URLs of the websites you visit contain any of the following strings:

  • .comodo.com
  • 93.191.13.100
  • anti-malware
  • antivir
  • avast.com
  • avira
  • drweb
  • eset.com
  • kaspersky
  • kltest.org.ru
  • trendsecure
  • virusinfo
  • virustotal
  • z-oleg.com


If it finds that you are visiting websites that contain any of these strings, it may redirect you to "google.com".



Analysis by Jonathan San Jose

Last update 21 November 2012
