
Backdoor:Win32/Simda.AT


First posted on 25 November 2014.
Source: Microsoft

Aliases:

There are no other names known for Backdoor:Win32/Simda.AT.

Explanation:

Threat behavior

Installation

We have seen this threat delivered by exploit kits, such as the Fiesta exploit kit.

This threat installs itself in one of the following locations, using a random file name:

  • %APPDATA%\<random name>.exe, for example %APPDATA%\iQ3w793.exe
  • %TEMP%\<random name>.tmp, for example %TEMP%\A002.tmp


It sets the following registry entry so that it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: <random name>.exe
With data: "%APPDATA%\<random name>.exe" opt, for example "%APPDATA%\iQ3w793.exe" opt

If the malware detects that it is running in a sandbox or test environment, it either terminates or remains resident in memory without doing anything. It avoids running in environments specific to:

  • Anubis
  • CWSandbox
  • JoeBox
  • VMware


It does this to avoid analysis and detection.

It might not install if any of the following analysis-tool processes (debuggers, packet sniffers, sandbox components, monitoring tools) are running:

  • Aircrack-ng Gui.exe
  • apis32.exe
  • avp.exe
  • CamRecorder.exe
  • CamtasiaStudio.exe
  • cv.exe
  • DrvLoader.exe
  • dumpcap.exe
  • ERDNT.exe
  • ERUNT.exe
  • EtherD.exe
  • HookExplorer.exe
  • idag.exe
  • irise.exe
  • IrisSvc.exe
  • observer.exe
  • ollydbg.exe
  • EBrowseDbg.exe
  • proc_analyzer.exe
  • Regshot.exe
  • SandboxieDcomLaunch.exe
  • SandboxieRpcSs.exe
  • SbieCtrl.exe
  • SbieSvc.exe
  • sckTool.exe
  • sniff_hit.exe
  • Sniffer.exe
  • SUPERAntiSpyware.exe
  • SymRecv.exe
  • sysAnalyzer.exe
  • Syser.exe
  • tcpdump.exe
  • BoxService.exe
  • VBoxTray.exe
  • windbg.exe
  • WinDump.exe
  • wireshark.exe
  • wspass.exe
  • ZxSniffer.exe


It also checks for the following registry entries associated with analysis tools and test environments:

  • AppEvents\Schemes\Apps\Bopup Observer
  • SOFTWARE\APIS32
  • SOFTWARE\B Labs\Bopup Observer
  • Software\Classes\*\shell\sandbox
  • Software\Classes\Folder\shell\sandbox
  • SOFTWARE\Classes\PEBrowseDotNETProfiler.DotNETProfiler
  • SOFTWARE\Classes\SUPERAntiSpywareContextMenuExt.SASCon.1
  • Software\CommView
  • SOFTWARE\Cygwin
  • Software\eEye Digital Security
  • SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\wireshark.exe
  • Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\APIS32
  • Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Debugging Tools for Windows (x86)
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\APIS32
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ERUNT_is1
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win Sniffer_is1
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark
  • SOFTWARE\SUPERAntiSpyware.com
  • Software\Syser Soft
  • Software\Win Sniffer
  • SOFTWARE\ZxSniffer
  • SYSTEM\CurrentControlSet\Services\IRIS5
  • SYSTEM\CurrentControlSet\Services\SbieDrv
  • SYSTEM\CurrentControlSet\Services\SDbgMsg
  • SYSTEM\CurrentControlSet\Services\VBoxGuest


Payload

Redirects your search results

The malware adds entries to the hosts file that map popular websites, such as Bing, Google and Facebook, to servers under its control. When you use one of these legitimate websites to search, the hosts-file entry redirects the request to the malware's own domain. We have seen this threat redirect searches to the following IP addresses:

  • 85.17.81.55
  • 107.181.187.40
  • 146.0.75.27


If Mozilla Firefox is installed on your PC, this threat can create its own MozSearch plugin and set it as the default search engine for the Firefox search bar. When the search bar is used, the modified hosts file redirects the query from the legitimate search engine to a malware domain.
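Because the redirect is implemented in the hosts file rather than in the browser, the cleanest detection is to parse that file and look for well-known search or social domains that resolve to a routable address. The script below is an added example (not the report's own tooling): it parses hosts-file syntax, ignores comments and benign block-list entries that point at loopback or 0.0.0.0, and reports any watched domain that is mapped elsewhere, tagging the hits that land on one of the three IP addresses listed above. The hosts-file content is constructed for the example; on Windows the real file is %SystemRoot%\System32\drivers\etc\hosts.

```python
"""Find hosts-file entries that hijack search/social domains (Simda.AT style).

Added example, not the report's code. SAMPLE_HOSTS is a constructed file.
"""
import ipaddress

# Redirect targets named in the report.
SIMDA_REDIRECT_IPS = {"85.17.81.55", "107.181.187.40", "146.0.75.27"}

# Domains the report says are hijacked; matched as exact name or subdomain.
WATCHED_DOMAINS = ("bing.com", "google.com", "facebook.com")


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs from hosts-file text.

    Handles inline comments, blank lines, multiple names per line and skips
    lines whose first field is not a valid IPv4/IPv6 address.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            yield ip, host.lower().rstrip(".")


def is_watched_domain(host):
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def suspicious_hosts_entries(text):
    """Return hosts entries that point a watched domain at a routable address.

    Mapping a domain to loopback or 0.0.0.0 is a legitimate ad/tracker block
    technique and is not reported. Each finding says whether the target is one
    of the redirect IPs the report attributes to this threat.
    """
    findings = []
    for ip, host in parse_hosts(text):
        if not is_watched_domain(host):
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue
        findings.append({
            "host": host,
            "ip": str(ip),
            "known_simda_ip": str(ip) in SIMDA_REDIRECT_IPS,
        })
    return findings


# Constructed sample hosts file mixing normal, block-list and hijack entries.
SAMPLE_HOSTS = """\
# constructed sample hosts file (not a real capture)
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net            # benign ad block, ignored
85.17.81.55     www.google.com google.com  # redirect to a listed IP
146.0.75.27     www.bing.com               # redirect to a listed IP
203.0.113.7     www.facebook.com           # routable, but not in the report's list
"""

if __name__ == "__main__":
    for f in suspicious_hosts_entries(SAMPLE_HOSTS):
        tag = "KNOWN Simda.AT IP" if f["known_simda_ip"] else "unlisted address"
        print(f"{f['host']} -> {f['ip']} ({tag})")
```

The unlisted-address case is kept on purpose: the report only names three IPs, and a later configuration can point the same hijacked names anywhere, so any routable mapping for these domains deserves a look, not just the three listed.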

Downloads other malware

This threat can connect to a remote host to upload information about your PC. It also receives configuration data, including URLs from which it downloads files, including other malware. The downloaded files are written to the %TEMP% folder. We have seen this threat connect to the following hosts:

  • 79.142.66.239
  • 5.149.248.152


Analysis by Jayronn Christian Bucu

Symptoms

The following can indicate that you have this threat on your PC:

  • You see these entries or keys in your registry:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Sets value: <random name>.exe
    With data: "%APPDATA%\<random name>.exe" opt, for example "%APPDATA%\iQ3w793.exe" opt
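The RunOnce entry described in the Installation section and repeated here is the one host-based indicator this report gives, so it is worth matching on its shape rather than on the single example file name: a value under HKCU\...\RunOnce whose data is a quoted .exe directly in %APPDATA% followed by the lone argument "opt", with the value named after that file. The script below is an added example (not Microsoft's tooling) that applies exactly that pattern to an exported set of RunOnce values; the value data and the "victim" profile path are constructed for the example, and in practice you would feed it the output of `reg query` or PowerShell's Get-ItemProperty for the key. One caveat a responder should keep in mind: Windows deletes a RunOnce value after it has executed, so the entry can be absent between logons on a machine that is still infected, and an empty result does not clear the host.

```python
"""Match RunOnce values against the Simda.AT persistence pattern.

Added example, not the report's or the malware's code. SAMPLE_RUNONCE and
SAMPLE_APPDATA are constructed, not taken from a real machine.
"""
import re

# Persistence location named in the report.
RUNONCE_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"

# Quoted .exe path, whitespace, the literal argument "opt", and nothing else.
_SIMDA_DATA_RE = re.compile(r'^"(?P<path>[^"]+\.exe)"\s+opt\s*$', re.IGNORECASE)


def _directly_in_appdata(path, appdata):
    """True if `path` names a file directly inside %APPDATA% (no subfolder).

    Accepts the unexpanded %APPDATA% form shown in the report as well as the
    expanded per-user path, since registry data may carry either.
    """
    norm = path.lower().replace("/", "\\")
    bases = ("%appdata%\\", appdata.lower().rstrip("\\") + "\\")
    for base in bases:
        if norm.startswith(base):
            rest = norm[len(base):]
            return rest != "" and "\\" not in rest
    return False


def match_simda_runonce(value_name, data, appdata):
    """Return the dropped file name if (value_name, data) fit the pattern, else None.

    `appdata` is the expanded %APPDATA% of the profile whose hive is examined.
    """
    m = _SIMDA_DATA_RE.match(data.strip())
    if not m:
        return None
    path = m.group("path")
    if not _directly_in_appdata(path, appdata):
        return None
    file_name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    # In the report the value is named after the file it launches.
    if file_name.lower() != value_name.strip().lower():
        return None
    return file_name


def scan_runonce(values, appdata):
    """values: {value name: data} exported from RUNONCE_KEY.

    Returns {value name: file name} for every entry matching the pattern.
    """
    hits = {}
    for name, data in values.items():
        file_name = match_simda_runonce(name, data, appdata)
        if file_name is not None:
            hits[name] = file_name
    return hits


# Constructed sample export of the RunOnce key.
SAMPLE_APPDATA = r"C:\Users\victim\AppData\Roaming"
SAMPLE_RUNONCE = {
    "iQ3w793.exe": r'"%APPDATA%\iQ3w793.exe" opt',                       # the report's example
    "Ab12Cd.exe": r'"C:\Users\victim\AppData\Roaming\Ab12Cd.exe" opt',  # expanded path, same shape
    "Updater.exe": r'"%APPDATA%\SomeVendor\Updater.exe" opt',           # subfolder: no match
    "Setup.exe": r'"%APPDATA%\Setup.exe"',                               # no "opt" argument: no match
    "Cleanup": r'"C:\Program Files\Tool\cleanup.exe" opt',               # wrong location: no match
}

if __name__ == "__main__":
    for name, file_name in scan_runonce(SAMPLE_RUNONCE, SAMPLE_APPDATA).items():
        print(f"{RUNONCE_KEY}\\{name} -> Simda.AT-style entry launching {file_name}")
```

Matching on the full shape (location, single "opt" argument, value named after the file) keeps the check useful against samples that drop a different random name, while the subfolder and missing-argument cases in the sample show the ordinary RunOnce entries it deliberately leaves alone.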

Last update 25 November 2014

 
