
Trojan:Win32/Simda.R


First posted on 25 February 2012.
Source: Microsoft

Aliases:

Trojan:Win32/Simda.R is also known as TR/Spy.5632.23 (Avira), Trojan.Rodricter.1 (Dr.Web), Trojan.Win32.Zapchast (Ikarus), Trojan.Win32.Zapchast.exi (Kaspersky).

Explanation:

Trojan:Win32/Simda.R is a component of Backdoor:Win32/Simda.A that is used to bypass the user account control (UAC) dialog in order to gain administrator privileges on the affected computer.


Trojan:Win32/Simda.R is a DLL file written into the %Temp% folder. The name may have the format "%Temp%\SE<random hex>.TMP". It is executed in the context of "explorer.exe", and after it has performed its malicious routine, it is deleted.

It successfully creates a COM Elevation Moniker object under "explorer.exe", then transfers the acquired privileges to the main injector process, Backdoor:Win32/Simda.A.
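Because the DLL deletes itself once it has run, a file scan of %Temp% will usually come up empty; the durable artifact is the image-load event in which "explorer.exe" maps a "%Temp%\SE<hex>.TMP" module. The following script is an added detection example, not code from Microsoft or from the malware analysis; it runs over constructed, simplified image-load records (the `pid process image` line format and the file paths are assumptions, not a real telemetry format) and flags loads that match the naming scheme described above, rating a load into "explorer.exe" as higher confidence than the same name loaded by any other process.

```python
import re
from typing import Iterator, List, Tuple

# Naming scheme from the advisory: "%Temp%\SE<random hex>.TMP".
# Drive letters and user profile paths vary, so match on the trailing
# "Temp\SE<hex>.TMP" part only (either path separator, case-insensitive).
SIMDA_R_NAME = re.compile(r"[\\/]Temp[\\/]SE[0-9A-Fa-f]+\.TMP$", re.IGNORECASE)

# Constructed sample records, one per line: "<pid> <process> <loaded image>".
# This is not real telemetry; it stands in for whatever module-load feed
# (EDR or Sysmon-style logging) is available in the environment.
SAMPLE_EVENTS = """\
1234 explorer.exe C:\\Windows\\System32\\shell32.dll
1234 explorer.exe C:\\Users\\alice\\AppData\\Local\\Temp\\SE3A9F1C.TMP
2048 notepad.exe C:\\Windows\\System32\\kernel32.dll
3100 setup.exe C:\\Users\\alice\\AppData\\Local\\Temp\\SE77.TMP
1234 explorer.exe C:\\Users\\alice\\AppData\\Local\\Temp\\~DF1234.tmp
"""


def parse_events(text: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (pid, process name, image path) from the simplified record format."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        pid, proc, image = line.split(" ", 2)  # image path is the remainder
        yield int(pid), proc, image


def find_simda_r_loads(text: str, host: str = "explorer.exe") -> List[Tuple[int, str, str, str]]:
    """Return (pid, process, image, confidence) for every image load whose
    file name matches the Simda.R scheme. A load into `host` (the process the
    advisory names) is rated "high"; the same name loaded elsewhere is "low",
    since SE*.TMP names are also produced by legitimate installers."""
    hits = []
    for pid, proc, image in parse_events(text):
        if not SIMDA_R_NAME.search(image):
            continue
        confidence = "high" if proc.lower() == host.lower() else "low"
        hits.append((pid, proc, image, confidence))
    return hits


if __name__ == "__main__":
    for pid, proc, image, confidence in find_simda_r_loads(SAMPLE_EVENTS):
        print(f"[{confidence}] pid={pid} {proc} loaded {image}")
```

The name pattern alone is a weak signal (temporary files named SE<hex>.TMP are common), so the rule keys on the combination with the host process the advisory names; a real deployment would additionally correlate the load event with a subsequent file deletion in %Temp% and with any elevation activity by the parent injector.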



Analysis by Mihai Calota

Last update 25 February 2012

 
