Installation
When run, the malware:
- Checks if the trojan is running from the <system folder>. If it isn't running from the system folder, Backdoor:Win32/Simda.A copies itself as <system folder>\<random_number>.exe
- Modifies the following registry entry to execute its copy at Windows start:
In subkey: HKLM\Software\Microsoft\Windows NT\Currentversion\Winlogon
Sets value: "userinit"
With data: "<system folder>\userinit.exe, <system folder>\<random_number>.exe"
- Injects code into the process "svchost.exe"
- Deletes the original executable
Payload
Downloads and executes arbitrary files
Backdoor:Win32/Simda.A connects to a remote host and provides information regarding the newly infected computer.
It then receives configuration information that specifies where to download additional files, as well as other locations from which to download further configuration files. Downloaded files are written to the %TEMP% folder, for example C:\Users\<user name>\AppData\Local\Temp. These files may include additional malware.
In the wild, we have observed the following domains being contacted for this purpose:
- gusssiss.com
- orlikssss.com
- asterixsss.com
Modifies security settings
Backdoor:Win32/Simda.A uses various techniques in an attempt to elevate its privileges. If the current user is not already an administrator, it attempts to log on as Administrator using the following list of passwords:
- help
- stone
- server
- pass
- idontknow
- administrator
- admin
- 666666
- 111
- 12345678
- 1234
- soccer
- abc123
- password1
- football1
- fuckyou
- monkey
- iloveyou1
- superman1
- slipknot1
- jordan23
- princess1
- liverpool1
- monkey1
- baseball1
- 123abc
- qwerty1
- blink182
- myspace1
- pop
- user111
- 098765
- qweryuiopas
- qwe
- qwer
- qwert
- qwerty
- asdfg
- chort
- nah
- xak
- xakep
- 111111
- 12345
- 2013
- 2007
- 2207
- 110
- 5554
- 775
- 354
- 1982
- 123
- password
- 123456
Injects code
If successful at privilege escalation, Simda attempts to inject a DLL into the process space of winlogon.exe. This DLL is detected as PWS:Win32/Simda.
Exploits vulnerabilities
Backdoor:Win32/Simda.A also attempts to exploit the following vulnerabilities in order to assist in gaining elevated privileges:
Additional information
The retrieved domains are then saved to the following registry entries in an encrypted form, for example:
In subkey: HKLM\Software\Microsoft
Sets value: “m1131”
With data: <encrypted URL>
In subkey: HKLM\Software\Microsoft
Sets value: “m1132”
With data: <encrypted URL>
In subkey: HKLM\Software\Microsoft
Sets value: “m1133”
With data: <encrypted URL>
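A defender-side check for the two registry artifacts described on this page (the extra Winlogon "userinit" entry under Installation and the m113x values under Additional information). This is an added example, not part of the original analysis; it assumes <system folder> is C:\Windows\System32, and the sample value strings it is exercised with are constructed.

```python
import re
import sys

# Assumption for this example: <system folder> is C:\Windows\System32.
SYSTEM_FOLDER = r"C:\Windows\System32"
EXPECTED_USERINIT = SYSTEM_FOLDER + r"\userinit.exe"
# Simda's copy is named <system folder>\<random_number>.exe.
RANDOM_NUMBER_EXE = re.compile(r"^\d+\.exe$", re.IGNORECASE)

def suspicious_userinit_entries(value):
    """Entries of a Winlogon Userinit value other than the legitimate one.
    Windows runs every comma-separated entry at logon, so an extra path is a foothold."""
    findings = []
    for raw in value.split(","):
        entry = raw.strip().strip('"')
        if entry and entry.lower() != EXPECTED_USERINIT.lower():
            findings.append(entry)
    return findings

def looks_like_simda_copy(path):
    """True if path has the <system folder>\\<digits>.exe shape."""
    folder, _, name = path.rpartition("\\")
    return folder.lower() == SYSTEM_FOLDER.lower() and bool(RANDOM_NUMBER_EXE.match(name))

def simda_config_values(value_names):
    """Value names of the form m113<digit>, the slots that hold the encrypted URLs."""
    return sorted(n for n in value_names if re.fullmatch(r"m113\d", n, re.IGNORECASE))

def main():
    if not sys.platform.startswith("win"):
        print("Live registry checks only run on Windows.")
        return
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon") as key:
        userinit, _ = winreg.QueryValueEx(key, "Userinit")
    for entry in suspicious_userinit_entries(userinit):
        hint = " (matches <random_number>.exe pattern)" if looks_like_simda_copy(entry) else ""
        print("unexpected Userinit entry:", entry + hint)
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"Software\Microsoft") as key:
        count = winreg.QueryInfoKey(key)[1]  # number of values directly under the key
        names = [winreg.EnumValue(key, i)[0] for i in range(count)]
    for name in simda_config_values(names):
        print("possible Simda config value under HKLM\\Software\\Microsoft:", name)

if __name__ == "__main__":
    main()
```

A clean host normally has only the userinit.exe entry (often with a trailing comma) and no m113x values directly under HKLM\Software\Microsoft, so any hit from either function is worth triage.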
Analysis by Matt McCormack