
Trojan:Win32/Simda.N


First posted on 23 October 2010.
Source: SecurityHome

Aliases:

Trojan:Win32/Simda.N is also known as Backdoor.Win32.Shiz.acs (Kaspersky), TrojanSpy.Shiz.ALT (VirusBuster), Trojan.PWS.Ibank.213 (Dr.Web), Win32/Spy.Shiz.NAL (ESET), Backdoor.Win32.Shiz (Ikarus), W32/RAHack (McAfee), W32.Rahack.W (Symantec), WORM_ALLAPLE.IK (Trend Micro).

Explanation:

Trojan:Win32/Simda.N is a trojan that allows backdoor access and control. It also lowers security settings and modifies system settings.

Installation

Trojan:Win32/Simda.N drops itself in the Windows system folder using a random file name. Some of the file names it has been known to use are:

  • iyeknw.exe
  • gjlvsq.exe

It modifies the system registry to ensure that it automatically runs every time Windows starts, for example:

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Userinit"
With data: "<system folder>\userinit.exe,<system folder>\iyeknw.exe,"

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Userinit"
With data: "<system folder>\userinit.exe,<system folder>\gjlvsq.exe,"

Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

Trojan:Win32/Simda.N may inject code into the following process:

  • services.exe

Payload

Allows backdoor access and control

Trojan:Win32/Simda.N may contact a remote server without the user's knowledge. It may receive various commands from this remote server to perform certain actions, such as the following:

  • send information about the computer
  • send logged keystrokes
  • download and execute arbitrary files
  • end arbitrary processes

A server that it is known to connect to in the wild is:

  • 5elen.net

Lowers security settings

Trojan:Win32/Simda.N attempts to lower the computer's firewall settings by running the following command:

netsh firewall set allowedprogram <system folder>\services.exe services ENABLE

It may also attempt to interfere with the functionality of the following programs:

  • AVG Antivirus
  • Avira
  • CA's Host Intrusion Prevention System
  • Windows Defender

Modifies system settings

Trojan:Win32/Simda.N may try to reset the computer's current System Restore point so that restoring the computer using System Restore may load an already infected state, one in which the malware already exists. It may also modify the routing table to prevent the computer from connecting to various network addresses.
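As an added, read-only triage check (not part of the original description or of any vendor tooling), the following PowerShell looks for the two host artefacts described above: an extra entry appended to the Winlogon Userinit value, and a firewall exception for services.exe. It assumes administrator rights, PowerShell 4 or later for Get-FileHash, and that the legacy "netsh firewall" exception list lives under the AuthorizedApplications\List registry keys used below (the XP/2003-era location).

```powershell
# Added example: triage checks for the Simda.N persistence and firewall changes.
# Assumption: run elevated on the suspect host; paths below are the legacy locations.

$sys = [Environment]::GetFolderPath('System')   # <system folder>, e.g. C:\Windows\System32

# 1. Userinit should contain only <system folder>\userinit.exe.
#    The trojan appends its randomly named executable to this comma-separated list.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
$entries  = $userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$expected = Join-Path $sys 'userinit.exe'
$extra    = $entries | Where-Object { $_ -ne $expected }
if ($extra) {
    Write-Warning "Unexpected Userinit entries: $($extra -join '; ')"
} else {
    Write-Output "Userinit is clean: $userinit"
}

# 2. Legacy firewall exception list. services.exe never needs an exception,
#    so any entry naming it matches the "netsh firewall set allowedprogram" change.
$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($profile in 'StandardProfile', 'DomainProfile') {
    $list = "$fwBase\$profile\AuthorizedApplications\List"
    if (Test-Path $list) {
        (Get-ItemProperty -Path $list).PSObject.Properties |
            Where-Object { $_.Name -like '*services.exe*' } |
            ForEach-Object { Write-Warning "$profile firewall exception: $($_.Name) = $($_.Value)" }
    }
}

# 3. The two sample file names from the description: if present in the system
#    folder, record a hash for analysis rather than executing or deleting them.
foreach ($name in 'iyeknw.exe', 'gjlvsq.exe') {
    $p = Join-Path $sys $name
    if (Test-Path $p) {
        $h = (Get-FileHash -Path $p -Algorithm SHA256).Hash
        Write-Warning "Found $p (SHA256 $h)"
    }
}
```

A clean Userinit value and an empty warning list do not prove the host is clean, since the file name is random and the process injection into services.exe leaves no file artefact of its own.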

    Analysis by Andrei Florin Saygo

    Last update 23 October 2010
