BKDR_SIMDA.EP

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It deletes the initially executed copy of itself.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following files:

• %Application Data%\{random name}.reg
• %Application Data%\mcp.ico
• %Desktop%\Computer.lnk
• %User Temp%\{random name}.sys
• %User Temp%\{random name}.exe
• %User Temp%\{random number}.tmp
• %User Temp%\{random name}.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.. %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\Desktop on Windows Vista and 7.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It drops the following copies of itself into the affected system:

• %Application Data%\ScanDisc.exe
• %Application Data%\{random name}.exe
• %User Temp%\{random number}.tmp

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\RunOnce
{random name} = "%Application Data%\{random name}.exe"

Other System Modifications

This backdoor adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
ConsentPromptBehaviorAdmin = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
ConsentPromptBehaviorUser = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
EnableLUA = "0"

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows
update = "shortcut"

Download Routine

This backdoor accesses the following websites to download files:

• http://{BLOCKED}1.{BLOCKED}string.com/?abbr=RTK&setupType=update&uid=%d&ttl=%s&controller=microinstaller&pid=3
• http://{BLOCKED}1.{BLOCKED}string.com/update_c1eec.exe

Other Details

This backdoor connects to the following possibly malicious URL:

• report.{pseudorandom}.com
• update.{pseudorandom}.com
• {BLOCKED}.{BLOCKED}.131.125

It checks for the presence of the following process(es):

• cv.exe
• irise.exe
• IrisSvc.exe
• wireshark.exe
• dumpcap.exe
• ZxSniffer.exe
• Aircrack-ng Gui.exe
• observer.exe
• tcpdump.exe
• WinDump.exe
• wspass.exe
• Regshot.exe
• ollydbg.exe
• PEBrowseDbg.exe
• windbg.exe
• DrvLoader.exe
• SymRecv.exe
• Syser.exe
• apis32.exe
• VBoxService.exe
• VBoxTray.exe
• SbieSvc.exe
• SbieCtrl.exe
• SandboxieRpcSs.exe
• SandboxieDcomLaunch.exe
• SUPERAntiSpyware.exe
• ERUNT.exe
• ERDNT.exe
• EtherD.exe
• Sniffer.exe
• CamtasiaStudio.exe
• CamRecorder.exe

It deletes the initially executed copy of itself

NOTES:

If the said processes are found, it will not continue to perform its intended routine.

It also attempts to open the file %System Root%\cgvi5r6i\vgdgfd.72g.

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.）