Backdoor Simda has been known for about 3 years. Recently a new major outbreak occurred. The new variant of the backdoor is downloaded from certain sites containing video. The frames in the video propose downloading a new version of Flash Player that is able to play the movie in a newer Flash format. The backdoor executable is downloaded and executed by the user and infects the computer. The URLs hosting the fake installer are randomly generated and look like http://www.d9k98dje89fe2f.4ku.com
The executable has the icon of Shockwave Flash or YouTube, is 750K-820K in size, and carries randomly generated company info and legal copyright statements. It is written using an encryption engine. When decrypted, the malware code checks whether it is running in a virtual environment and does not continue if such an environment is found; otherwise it injects malicious code into svchost.exe, copies itself to %appdata%\ScanDisc.exe and deletes itself from the original location.
The backdoor continues to run in the context of the infected svchost.exe.
While installing, it displays a fake message box proposing to update Flash Player; the message box is stored in the executable as a bitmap.
The backdoor attempts to stop a number of processes associated with antivirus, debugging and monitoring software. It collects information from the computer and sends it to the attacker, downloads configuration files, and downloads and runs additional executables according to its configuration file.
The backdoor redirects browser search to http://findgala.com.
The URL used by the attacker in the latest variants has the form report.sk1<random digits and characters>.com
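As an added example (not part of the original write-up), a small Python triage script that flags the indicators described above in a host/network event log: the random `.4ku.com` installer hosts, the `report.sk1<random>.com` reporting host, the findgala.com redirect and the `%appdata%\ScanDisc.exe` copy. The `<timestamp> <event> <value>` log format and the sample lines are constructed for this example and are assumptions, not a real product format.

```python
import re

# Indicators taken from the description above. The "<timestamp> <event> <value>"
# log format is constructed for this example, not any product's real format.
INDICATORS = {
    "fake_installer_site": re.compile(r"^(?:www\.)?[a-z0-9]+\.4ku\.com$", re.I),
    "c2_report_host": re.compile(r"^report\.sk1[a-z0-9]+\.com$", re.I),
    "search_redirect": re.compile(r"^(?:[a-z0-9.-]+\.)?findgala\.com$", re.I),
}
# %appdata%\ScanDisc.exe, either unexpanded or as C:\Users\<u>\AppData\Roaming\...
DROP_PATH = re.compile(r"(?:^|\\)(?:appdata\\roaming|%appdata%)\\scandisc\.exe$", re.I)

def classify_host(host):
    """Return the indicator name a DNS/HTTP host matches, or None."""
    host = host.strip().rstrip(".")
    for name, pattern in INDICATORS.items():
        if pattern.match(host):
            return name
    return None

def is_drop_path(path):
    """True if a created file is the backdoor's persistent copy."""
    return DROP_PATH.search(path.strip()) is not None

def scan_events(lines):
    """Return (line_no, indicator, value) for each line tripping an indicator."""
    hits = []
    for no, line in enumerate(lines, start=1):
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # malformed line: skip rather than crash
        _ts, event, value = parts
        if event in ("DNS", "HTTP"):
            tag = classify_host(value)
            if tag:
                hits.append((no, tag, value))
        elif event == "FILE_CREATE" and is_drop_path(value):
            hits.append((no, "appdata_dropper_copy", value))
    return hits

# Constructed sample log, not captured traffic.
SAMPLE_LOG = [
    "2012-01-10T10:00:01 DNS www.d9k98dje89fe2f.4ku.com",
    "2012-01-10T10:00:09 FILE_CREATE C:\\Users\\alice\\AppData\\Roaming\\ScanDisc.exe",
    "2012-01-10T10:00:10 DNS www.example.com",
    "2012-01-10T10:01:00 HTTP report.sk1a7f3x9q.com",
    "2012-01-10T10:02:00 DNS findgala.com",
]
```

Running `scan_events(SAMPLE_LOG)` flags lines 1, 2, 4 and 5 and leaves the ordinary lookup on line 3 alone.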