BKDR_SIMBOT


 ALIASES:

Dorifel

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Dropped by other malware

SIMBOT is a backdoor family that accesses certain remote servers in order to receive commands from a remote attacker. The following are the executed commands on the affected system:

  • Download and executes files
  • Execute a DOS command sent by the remote user
  • Send an encrypted copy of the content of a specified file to its C&C server
  • Sleep for a specified amount of time

It also checks if there are registry keys related to security applications. It does this to avoid detection and easy removal.

  TECHNICAL DETAILS

Memory Resident:

Yes

Installation

This backdoor drops the following files:

  • %User Profile%\ntuser.cfg
  • %User Temp%\{random}.tmp

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It drops the following copies of itself into the affected system:

  • %User Profile%\Local Settings\{random}.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random} = "%User Profile%\Local Settings\{random}.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
NTUCF = "rundll32 %User Profile%\ntuser.cfg,Config"

Other Details

This backdoor connects to the following possibly malicious URL:

  • http://{C&C}:443/{random characters}.php?id={random}
  • http://{C&C}:80/{random characters}.php?id={random}
  • {BLOCKED}.{BLOCKED}.206.150:80
  • http://vmompq.{BLOCKED}Z.info/apps/fc.asp
  • http://vmompq.{BLOCKED}Z.info/apps/dw.html