BKDR_SIMDA.SS

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

It attempts to steal information, such as user names and passwords, used when logging into certain banking or finance-related websites.

It prevents users from visiting antivirus-related websites that contain specific strings.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following copies of itself into the affected system:

• %Windows%\AppPatch\{random}.dat

(Note: %Windows% is the Windows folder, which is usually C:\Windows.)

It injects itself into the following processes running in the affected system's memory:

• winlogon.exe
• explorer.exe

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• B0B2D5C3a

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
b0b2d6e3 = "%Windows%\AppPatch\{random}.dat"

It modifies the following registry entries to ensure it automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Userinit = "%System%\userinit.exe,%Windows%\AppPatch\{random}.dat,"

(Note: The default value data of the said registry entry is "%System%\userinit.exe,".)

Other System Modifications

This backdoor creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{malware path}\{malware name}.exe = "{malware path}\{malware name}.exe:*:Enabled:Windows Explorer"

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Disable operating system by modifying or deleting system files
• Activate/deactivate itself
• Inject scripts to a visited webpage
• Disable the infected system by deleting critical registry keys
• Download and execute arbitrary files
• Download updated configuration file
• Upload files
• Run or terminate applications
• Delete files
• Modify system settings
• Steal certificates

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• http://{BLOCKED}.com/login.php

Dropping Routine

This backdoor drops the following file(s), which it uses for its keylogging routine:

• %User Profile%\Application Data\{random}
• %User Profile%\Application Data\{random1}

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

Information Theft

This backdoor attempts to steal information from the following banks and/or other financial institutions:

• IBANK
• ebank.laiki.com
• w.qiwi.ru
• login.yota.ru

Other Details

This backdoor connects to the following URL(s) to check for an Internet connection:

• www.bing.com
• www.microsoft.com

It closes application windows that contain the following strings in the title bar:

• ____AVP.Root

It prevents users from visiting antivirus-related websites that contain the following strings:

• avast.com
• kaspersky
• drweb
• eset.com
• antivir
• avira
• virustotal
• virusinfo
• z-oleg.com
• trendsecure
• anti-malware
• .comodo.com

NOTES:

It terminates itself if the system's username is any of the following:

• SANDBOX
• MALNETVM
• VIRUSCLONE

It also terminates itself if the following folders are present in the system:

• \sand-box\
• \cwsandbox\
• \sandbox\

It terminates AV related processes by:

For CA HIPS, it sends control code to the product’s driver:

• \\.\KmxAgent

For AVG, it renames the following files:

• %Program Files%\AVG\AVG9\dfncfg.dat to %Program Files%\AVG\AVG9\dfmcfg.dat%

For Prevx, it modifies the following files:

• %System Root%\Documents and Settings\All Users\Application Data\PrevxCSI\csidb.csi

It changes to Windows Defender status by modifying the following files:

• %Program Files%\Windows Defender\MpClient.dll

It attempts to log on to the system as Administrator (if not yet Administrator) by using the following passwords:

• -help
• stone
• server
• idontknow
• administrator
• admin
• 666666
• 12345678
• soccer
• abc123
• password1
• football1
• fuckyou
• monkey
• iloveyou1
• superman1
• slipknot1
• jordan23
• princess1
• liverpool1
• monkey1
• baseball1
• 123abc
• qwerty1
• blink182
• myspace1
• user111
• 098765
• qweryuiopas
• qwert
• qwerty
• asdfg
• chort
• xakep
• 111111
• 12345
• password
• 123456

When this malware is already injected in winlogon.exe or explorer.exe, it tries to inject itself on the folllowing processes:

• iexplore.exe
• opera.exe
• java.exe
• javaw.exe
• explorer.exe
• isclient.exe
• intpro.exe
• ipc_full.exe
• mnp.exe
• cbsmain.dll
• firefox.exe
• clmain.exe
• core.exe
• maxthon.exe
• avant.exe
• safari.exe
• svchost.exe
• chrome.exe
• notepad.exe
• rundll32.exe
• netscape.exe
• tbb-firefox.exe
• frd.exe

It uses the following referrer when connecting to its C&C server:

• http://www.google.com