PWS:Win32/Simda.A is a family of password-stealing trojans that may also allow backdoor access to and control of an affected computer. Its main purpose is to steal passwords and system information from a user's machine.
Installation
PWS:Win32/Simda.A is a DLL which is injected into the winlogon.exe or explorer.exe processes by Backdoor:Win32/Simda.A.
Payload
Allows backdoor access and control
PWS:Win32/Simda.A creates the following registry entry in order to allow remote access to a local port:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
Sets value: "<port number>:TCP"
With data: "<port number>:tcp"
Where <port number> varies.
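The registry entry above is a usable host indicator: exceptions that Windows itself writes to that list carry five colon-separated fields (port, protocol, scope, Enabled/Disabled, description), whereas the Simda entry is the bare "<port>:TCP" / "<port>:tcp" form. The following added example (not part of the original entry) parses a `reg export` text dump of that key and flags entries in the bare shape; the sample export and the port 41781 are constructed for the illustration.

```python
import re

# The Windows Firewall exception list key named on this page.
FIREWALL_LIST_KEY = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
    r"\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List"
)
# Entries Windows writes have five fields: port:protocol:scope:Enabled|Disabled:description
WELL_FORMED = re.compile(r"^\d{1,5}:(TCP|UDP):[^:]+:(Enabled|Disabled):.+$", re.I)
# The Simda entry is the bare form "<port>:TCP" with data "<port>:tcp".
BARE_PORT = re.compile(r"^\d{1,5}:tcp$", re.I)

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from 'reg export' style text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys

def suspicious_open_ports(text):
    """Return (value_name, data, reason) for exceptions that do not look
    like the ones Windows writes; the bare port:tcp shape is the Simda one."""
    findings = []
    for name, data in parse_reg_export(text).get(FIREWALL_LIST_KEY, {}).items():
        if BARE_PORT.match(name) and BARE_PORT.match(data):
            findings.append((name, data, "bare port:tcp exception (Simda pattern)"))
        elif not WELL_FORMED.match(data):
            findings.append((name, data, "malformed exception entry"))
    return findings

# Constructed sample export: two ordinary exceptions and one in the Simda shape
# (the port number 41781 is made up for the example).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"3389:TCP"="3389:TCP:*:Enabled:@xpsp2res.dll,-22009"
"41781:TCP"="41781:tcp"
"""

if __name__ == "__main__":
    for finding in suspicious_open_ports(SAMPLE_EXPORT):
        print(finding)
```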
PWS:Win32/Simda.A contacts a remote host at mesosalpinx.com, listens on port <port number> and waits for commands. Using this backdoor, an attacker can perform a number of actions on an affected computer. For example, an attacker may be able to perform the following actions:
- Disable the infected system by deleting critical registry keys
- Force reboot
- Download and execute arbitrary files
- Upload files
- Spread to other computers using various methods of propagation
- Log keystrokes or steal sensitive data
- Modify system settings
- Run or terminate applications
- Delete files
Steals sensitive information
PWS:Win32/Simda.A is used to obtain sensitive information from the affected computer, and as such, may:
- Monitor and copy clipboard data whenever text is copied to the clipboard
- Log keystrokes via a GetMessage API hook
- Store URLs and window titles for all URLs visited by every process
- Parse Internet browser traffic for user names and passwords via API hooks
- Steal certificates
PWS:Win32/Simda.A periodically checks for the existence of the following files and sends the contents back to the home domain:
The malware parses Internet Explorer and Opera history files looking for secure sites the user has visited.
PWS:Win32/Simda.A has also been observed:
- Stealing autocomplete saved passwords from Internet Explorer
- Stealing WinSCP (Windows Secure Copy) stored session passwords
- Decrypting stored data from Opera
- Obtaining dial-up passwords
- Creating the following files:
  - sniff.log
  - keylog.txt
  - pass.log
- Holding intercepted plain text traffic login information pertaining to FTP, NNTP, POP3 and POP2
- Key-logging data
- Storing screenshots to <number>.bmp
- Storing passwords as they are saved
- Storing window text for certain windows
Once loaded, PWS:Win32/Simda.A attempts to inject itself into the following processes, if they are running on the computer:
- svchost.exe
- iexplore.exe
- java.exe
- javaw.exe
- javaws.exe
- opera.exe
- firefox.exe
- maxthon.exe
- avant.exe
- mnp.exe
- safari.exe
- explorer.exe
- isclient.exe
- intpro.exe
- loadmain.exe
- core.exe
- clmain.exe
Once loaded inside a process, one or more of the following APIs may be hooked:
- AddPSEPrivateKeyEx
- CreateFileW
- CryptEncrypt
- DnsQuery_A
- DnsQuery_UTF8
- DnsQuery_W
- GetClipboardData
- GetFileAttributesExW
- GetFileAttributesW
- GetMessageA
- GetMessageW
- GetWindowTextA
- HttpSendRequestA
- HttpSendRequestExA
- HttpSendRequestExW
- HttpSendRequestW
- InternetCloseHandle
- InternetQueryDataAvailable
- InternetReadFile
- InternetReadFileExA
- InternetReadFileExW
- InternetWriteFile
- InternetWriteFile_0
- PR_Close
- PR_OpenTCPSocket
- PR_Read
- PR_Write
- Query_Main
- RCN_R50Buffer
- TranslateMessage
- WSARecv
- WSASend
- getaddrinfo
- gethostbyname
- inet_addr
- recv
- send
- vb_pfx_import
These APIs are hooked in order to intercept Internet traffic and strip sensitive information from it.
Terminates processes
PWS:Win32/Simda.A checks for the following window class names, and terminates any processes they belong to:
- random's system information tool - random/random
- +f
- AVP.MainWindow
- Kaspersky Virus Removal Tool 2010
- Malwarebytes' Anti-Malware
- SAM: Autorun Manager
- hijackthis
The malware also blocks traffic to the following websites:
- avast.com
- kaspersky
- drweb
- eset.com
- antivir
- avira
- virustotal
- virusinfo
- z-oleg.com
- trendsecure
- anti-malware
PWS:Win32/Simda.A may also, via various DNS hooks (depending on browser), redirect traffic to google.com.
Additional information
The malware creates the following mutex:
- Global\{722E3A61-883B-4144-BA81-1F965879E5C9}
Analysis by Matt McCormack