Trojan:Win64/Simda.A
First posted on 25 February 2012.
Source: Microsoft
Aliases:
Trojan:Win64/Simda.A is also known as Backdoor.Win32.Proxyier.c (Kaspersky), TR/Simda.A.247 (Avira), Trojan.Rodricter.1 (Dr.Web).
Explanation:
Trojan:Win64/Simda.A is a 64-bit component of Backdoor:Win32/Simda.A. This component is responsible for elevating privileges in a 64-bit environment. It allows the main backdoor code to perform file system operations that require elevated permissions without displaying a security warning via user account control (UAC).
Installation
Trojan:Win64/Simda.A is created as a separate process by the Backdoor:Win32/Simda.A installer.
Payload
Drops other malware
Trojan:Win64/Simda.A drops another 64-bit DLL file to disk and injects it into the "explorer.exe" process, which already runs with administrative privileges and therefore does not trigger a user account control (UAC) prompt.
The injected DLL file is detected as Trojan:Win64/Simda.B and is responsible for the creation of an elevated COM object (COM Elevation Moniker), which is then used to perform file operations in the protected system folders. The injected DLL file is then deleted from disk after it has performed its malicious routine.
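From a detection standpoint, the drop, inject, use and delete sequence described above leaves a recognizable trace in endpoint telemetry. The following Python is an added example, not Microsoft's analysis code or anything from the malware; it scores constructed Sysmon-style events (the event IDs and field names are assumed to follow Sysmon's FileCreate, CreateRemoteThread, ImageLoad and FileDelete events) for an unsigned DLL loaded into explorer.exe from a user-writable path, with extra weight when a remote thread preceded the load and the DLL was deleted shortly afterwards.

```python
"""Flag the explorer.exe injection pattern in constructed Sysmon-like events."""

# Constructed sample events (not real telemetry). id: 11 FileCreate,
# 8 CreateRemoteThread, 7 ImageLoad, 23 FileDelete. ts is seconds.
TEMP = "C:\\Users\\bob\\AppData\\Local\\Temp\\"
SAMPLE_EVENTS = [
    {"id": 11, "ts": 100, "image": TEMP + "svc.exe", "target": TEMP + "x64.dll"},
    {"id": 8, "ts": 101, "image": TEMP + "svc.exe", "target": "C:\\Windows\\explorer.exe"},
    {"id": 7, "ts": 102, "image": "C:\\Windows\\explorer.exe",
     "target": TEMP + "x64.dll", "signed": False},
    {"id": 23, "ts": 103, "image": TEMP + "svc.exe", "target": TEMP + "x64.dll"},
    # Benign control: explorer.exe loading a signed system DLL must not alert.
    {"id": 7, "ts": 200, "image": "C:\\Windows\\explorer.exe",
     "target": "C:\\Windows\\System32\\shell32.dll", "signed": True},
]

# Path fragments that an unprivileged user can normally write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def user_writable(path):
    """True when the path sits under a directory a standard user can write to."""
    return any(frag in path.lower() for frag in USER_WRITABLE)


def detect(events, window=60):
    """Return one alert per unsigned, user-writable DLL loaded into explorer.exe.

    Score 1: suspicious load alone. +1 if a CreateRemoteThread targeted
    explorer.exe within `window` seconds before the load. +1 if the same DLL
    was deleted within `window` seconds after the load (drop-inject-delete).
    """
    alerts = []
    for ld in events:
        if ld["id"] != 7 or not ld["image"].lower().endswith("\\explorer.exe"):
            continue
        dll = ld["target"].lower()
        if ld.get("signed", False) or not user_writable(dll):
            continue
        reasons = ["explorer.exe loaded an unsigned DLL from a user-writable path"]
        if any(e["id"] == 8 and e["target"].lower().endswith("\\explorer.exe")
               and 0 <= ld["ts"] - e["ts"] <= window for e in events):
            reasons.append("remote thread created in explorer.exe shortly before")
        if any(e["id"] == 23 and e["target"].lower() == dll
               and 0 <= e["ts"] - ld["ts"] <= window for e in events):
            reasons.append("DLL deleted from disk shortly after load")
        alerts.append({"dll": ld["target"], "score": len(reasons), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["score"], alert["dll"], "; ".join(alert["reasons"]))
```

The benign shell32.dll load is skipped because it is signed and lives under System32, so only the dropped DLL is reported, with the full score of 3.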
Analysis by Sergey Chernyshev
Last update 25 February 2012