Trojan:WinNT/Simda.gen!A
First posted on 14 March 2012.
Source: Microsoft
Aliases:
Trojan:WinNT/Simda.gen!A is also known as Backdoor.Win32.Proxyier.ain (Kaspersky), BDS/Proxyier.ain (Avira), Backdoor.Win32.Proxyier (Ikarus), Generic Proxy!bf (McAfee).
Explanation:
Trojan:WinNT/Simda.gen!A is the kernel-mode driver component of Backdoor:Win32/Simda.A, a multi-component malware family. This component is responsible for hiding the backdoor's other components on the affected computer and for manipulating the user's Internet traffic.
Installation
The Trojan:WinNT/Simda.gen!A driver is dropped to disk and loaded by the Backdoor:Win32/Simda.A installer.
Payload
Loads malware components
Trojan:WinNT/Simda.gen!A loads other malware components into system processes such as "csrss.exe".
It also injects code into the system shell and into web browser processes, such as:
- chrome.exe
- explorer.exe
- firefox.exe
- iexplore.exe
Redirects Internet traffic and DNS requests to malicious hosts
Trojan:WinNT/Simda.gen!A has been observed to redirect user traffic to the following IP addresses:
- 100.6.239.84
- 178.250.45.15
- 205.234.236.*
- 209.212.147.141
- 64.125.87.*
- 65.98.83.115
- 66.197.152.*
- 72.30.186.249
- 74.55.76.230
- 75.102.22.*
- 77.125.87.*
- 84.125.87.*
- 87.125.87.*
- 87.248.112.8
- 92.123.68.97
- 92.125.87.*
- 95.211.97.181
- 98.142.243.64
where * is a number from 0 to 255.
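The address list above is the most directly actionable part of this write-up for defenders. The following is an added example, not code from the original Microsoft analysis: it transcribes the indicators, expands each "*" entry into the /24 it denotes (the write-up defines "*" as any value from 0 to 255), and scans proxy or DNS log lines for destinations inside those ranges. The log lines in the block are constructed for illustration and the log format is assumed; adapt the regular expression to whatever your gateway actually emits.

```python
import ipaddress
import re

# Indicators transcribed from the write-up above. A trailing "*" means
# any last octet from 0 to 255, i.e. the whole /24.
SIMDA_REDIRECT_INDICATORS = [
    "100.6.239.84", "178.250.45.15", "205.234.236.*", "209.212.147.141",
    "64.125.87.*", "65.98.83.115", "66.197.152.*", "72.30.186.249",
    "74.55.76.230", "75.102.22.*", "77.125.87.*", "84.125.87.*",
    "87.125.87.*", "87.248.112.8", "92.123.68.97", "92.125.87.*",
    "95.211.97.181", "98.142.243.64",
]


def indicator_to_network(indicator):
    """Turn '1.2.3.4' into a /32 network and '1.2.3.*' into the /24."""
    parts = indicator.split(".")
    if len(parts) != 4:
        raise ValueError(f"bad indicator: {indicator}")
    if parts[3] == "*":
        return ipaddress.ip_network(".".join(parts[:3]) + ".0/24")
    return ipaddress.ip_network(indicator + "/32")


NETWORKS = [indicator_to_network(i) for i in SIMDA_REDIRECT_INDICATORS]

# Dotted-quad candidates; malformed ones (e.g. 999.1.1.1) are rejected
# later by ipaddress, so the regex itself can stay simple.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def matching_network(ip_text):
    """Return the indicator network that contains ip_text, or None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net in NETWORKS:
        if ip in net:
            return net
    return None


def scan_log(lines):
    """Return (line_number, ip, network) for every line whose addresses
    fall inside one of the Simda redirect indicators."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip_text in IPV4_RE.findall(line):
            net = matching_network(ip_text)
            if net is not None:
                hits.append((n, ip_text, str(net)))
    return hits


# Constructed sample log lines (assumed proxy/DNS format, not from the
# original write-up): client, request, resolved/contacted destination.
SAMPLE_LOG = [
    "2012-03-14 10:01:02 192.168.1.20 GET http://www.example.com/ 93.184.216.34",
    "2012-03-14 10:01:05 192.168.1.20 GET http://update.example.net/ 64.125.87.203",
    "2012-03-14 10:01:09 192.168.1.21 DNS A www.bank.example -> 87.248.112.8",
    "2012-03-14 10:02:11 192.168.1.22 GET http://intranet/ 10.0.0.5",
    "2012-03-14 10:02:30 192.168.1.22 GET http://x.example/ 100.6.239.85",
]

if __name__ == "__main__":
    for line_no, ip, net in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {ip} is inside Simda indicator {net}")
```

Two caveats a practitioner should keep in mind: the /24 entries are broad, so a single hit on one of them is a lead to investigate rather than proof of infection, and these addresses were published in March 2012 and may since have been reassigned, so corroborate any match with the host-side evidence described above (code injected into csrss.exe, explorer.exe or the browsers).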
Analysis by Sergey Chernyshev
Last update 14 March 2012