Backdoor:Win32/Simda.AT
First posted on 25 November 2014.
Source: Microsoft
Aliases:
There are no other names known for Backdoor:Win32/Simda.AT.
Explanation:
Threat behavior
Installation
We have seen this threat downloaded by exploits, such as the Fiesta exploit kit.
This threat installs itself in one of the following locations (<random> stands for a randomly generated file name):
- %APPDATA%\<random>.exe, for example %APPDATA%\iQ3w793.exe
- %TEMP%\<random>.tmp, for example %TEMP%\A002.tmp
It changes the following registry entry so that it runs each time you start your PC:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: <random>.exe
With data: "%APPDATA%\<random>.exe" opt, for example "%APPDATA%\iQ3w793.exe" opt
If the malware detects that it is running in a sandbox or test environment, it either terminates or remains resident in memory without doing anything. It avoids running in environments specific to:
- Anubis
- CWSandbox
- JoeBox
- VMWare
It does this to avoid analysis and detection.
It might not install if any of the following analysis-tool or security-researcher processes are running:
- Aircrack-ng Gui.exe
- apis32.exe
- avp.exe
- CamRecorder.exe
- CamtasiaStudio.exe
- cv.exe
- DrvLoader.exe
- dumpcap.exe
- ERDNT.exe
- ERUNT.exe
- EtherD.exe
- HookExplorer.exe
- idag.exe
- irise.exe
- IrisSvc.exe
- observer.exe
- ollydbg.exe
- EBrowseDbg.exe
- proc_analyzer.exe
- Regshot.exe
- SandboxieDcomLaunch.exe
- SandboxieRpcSs.exe
- SbieCtrl.exe
- SbieSvc.exe
- sckTool.exe
- sniff_hit.exe
- Sniffer.exe
- SUPERAntiSpyware.exe
- SymRecv.exe
- sysAnalyzer.exe
- Syser.exe
- tcpdump.exe
- BoxService.exe
- VBoxTray.exe
- windbg.exe
- WinDump.exe
- wireshark.exe
- wspass.exe
- ZxSniffer.exe
It also checks for the following test environment-related registry entries:
- AppEvents\Schemes\Apps\Bopup Observer
- SOFTWARE\APIS32
- SOFTWARE\B Labs\Bopup Observer
- Software\Classes\*\shell\sandbox
- Software\Classes\Folder\shell\sandbox
- SOFTWARE\Classes\PEBrowseDotNETProfiler.DotNETProfiler
- SOFTWARE\Classes\SUPERAntiSpywareContextMenuExt.SASCon.1
- Software\CommView
- SOFTWARE\Cygwin
- Software\eEye Digital Security
- SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\wireshark.exe
- Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\APIS32
- Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Debugging Tools for Windows (x86)
- SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\APIS32
- SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ERUNT_is1
- SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions
- SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie
- SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win Sniffer_is1
- SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark
- SOFTWARE\SUPERAntiSpyware.com
- Software\Syser Soft
- Software\Win Sniffer
- SOFTWARE\ZxSniffer
- SYSTEM\CurrentControlSet\Services\IRIS5
- SYSTEM\CurrentControlSet\Services\SbieDrv
- SYSTEM\CurrentControlSet\Services\SDbgMsg
- SYSTEM\CurrentControlSet\Services\VBoxGuest
Payload
Redirects your search results
The malware adds entries to the hosts file to redirect popular search websites, such as Bing, Google and Facebook. When you use one of these legitimate websites to search, the malware redirects the request to its own domain. We have seen this threat redirect searches to the following IP addresses:
- 85.17.81.55
- 107.181.187.40
- 146.0.75.27
If Mozilla Firefox is installed on your PC, this threat can create its own MozSearch plugin. It then sets this plugin as the default Mozilla browser toolbar search. When the toolbar search box is used, the modified hosts file redirects the query from the legitimate search engine to a malware domain.
Downloads other malware
This threat can connect to a remote host to upload information about your PC. It also receives configuration data, including URLs from which it downloads files, including other malware. The downloaded files are written to the %TEMP% folder. We have seen this threat connect to the following IP addresses:
- 79.142.66.239
- 5.149.248.152
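The two host-side indicators described above (the RunOnce value whose data is a quoted %APPDATA% executable followed by the argument "opt", and hosts-file entries pointing search sites at the listed redirect IPs) can be checked offline. The following is an added example written for this page, not Microsoft's own tooling; the hosts text and RunOnce values it scans are constructed samples, and the regex is this example's own approximation of the persistence pattern.

```python
import re
from typing import Iterable

# Redirect IPs quoted in the write-up above.
HOSTS_REDIRECT_IPS = {"85.17.81.55", "107.181.187.40", "146.0.75.27"}

# Persistence data shape from the write-up: "%APPDATA%\<random>.exe" opt
# Accepts the literal %APPDATA% form or an expanded ...\AppData\Roaming path.
RUNONCE_PATTERN = re.compile(
    r'^"?(?:%APPDATA%|.*\\AppData\\Roaming)\\[^\\"]+\.exe"?\s+opt\s*$',
    re.IGNORECASE,
)

# Constructed sample data (not taken from a real infected machine).
SAMPLE_HOSTS = """
127.0.0.1   localhost
85.17.81.55 www.google.com      # injected by the malware
85.17.81.55 www.bing.com
10.0.0.5    intranet.corp.local
"""
SAMPLE_RUNONCE = [
    ("iQ3w793.exe", r'"%APPDATA%\iQ3w793.exe" opt'),
    ("Updater", r'"C:\Users\alice\AppData\Roaming\Vendor\update.exe" /silent'),
]


def hosts_redirects(hosts_text: str) -> list[tuple[str, str]]:
    """Return (ip, hostname) pairs whose IP is one of the Simda.AT redirect IPs."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        if ip in HOSTS_REDIRECT_IPS:
            hits.extend((ip, name) for name in names)
    return hits


def suspicious_runonce(values: Iterable[tuple[str, str]]) -> list[str]:
    """Return RunOnce value names whose data matches the '"%APPDATA%\\x.exe" opt' shape."""
    return [name for name, data in values if RUNONCE_PATTERN.match(data.strip())]


if __name__ == "__main__":
    print("hosts redirects:", hosts_redirects(SAMPLE_HOSTS))
    print("suspicious RunOnce values:", suspicious_runonce(SAMPLE_RUNONCE))
```

On a live Windows host, feed hosts_redirects() the contents of %SystemRoot%\System32\drivers\etc\hosts and suspicious_runonce() the (name, data) pairs enumerated from HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce.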
Analysis by Jayronn Christian Bucu
Symptoms
The following can indicate that you have this threat on your PC:
- You see these entries or keys in your registry:
  In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  Sets value: <random>.exe
  With data: "%APPDATA%\<random>.exe" opt, for example "%APPDATA%\iQ3w793.exe" opt
Last update 25 November 2014