Backdoor.Win32.Simbot_250446c537

by malwarelabrobot on October 14th, 2013 in Malware Descriptions.

Gen:Variant.Kazy.224722 (BitDefender), Backdoor:Win32/Simbot.gen (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Backdoor.Win32.Simbot.ma (v) (VIPRE), Trojan.DownLoad2.36100 (DrWeb), Gen:Variant.Kazy.224722 (B) (Emsisoft), Downloader-FQD!250446C537B1 (McAfee), Downloader (Symantec), Virus.Win32.CeeInject (Ikarus), Gen:Variant.Kazy.224722 (FSecure), Generic20.CJHR (AVG), Win32:Small-NRY [Trj] (Avast), BKDR_VAGOTO.SMA (TrendMicro), Backdoor.Win32.Simbot.FD, BackdoorSimbot.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Virus


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 250446c537b1728ee519d6228dd6d907
SHA1: edefa0372ceccc36dd5e55e9ff57cb8915d91e77
SHA256: a1214b72da64bc9f302d429ea4655b9ec5a02a160eb0a36ca47519c9aed979f6
SSDeep: 384:zdWhOsZwOcfyL01fc0Sm0qFW0fAaZpxPNYP/zltrDroACLzlMsyoKfuqg:zdCOeClH0qyeaTXrAdztQBg
Size: 20992 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-11-06 05:06:34


Summary:

Backdoor: malware that enables remote control of the victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

regedit.exe:504
250446c537b1728ee519d6228dd6d907.exe:1408

File activity

The process 250446c537b1728ee519d6228dd6d907.exe:1408 makes changes to the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (44 bytes)
C:\RCX1.tmp (23552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4$@2.dat (48 bytes)
C:\250446c537b1728ee519d6228dd6d907.exe.tmp1 (373 bytes)

The Backdoor deletes the following file(s):

C:\250446c537b1728ee519d6228dd6d907.exe.tmp1 (0 bytes)

Registry activity

The process regedit.exe:504 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 23 4A 5D D2 D1 3C FB 8B DF 52 E7 40 DF 72 C8"

To run itself automatically each time Windows is booted, the Backdoor adds a link to its file under the following system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Netlogon" = "%Documents and Settings%\%current user%\Local Settings\Netlogon.exe"

Network activity (URLs)

No activity has been detected.

Rootkit activity

No anomalies have been detected.

Propagation


Remove it with Ad-Aware

  1. Click here to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    regedit.exe:504
    250446c537b1728ee519d6228dd6d907.exe:1408

  2. Delete the original Backdoor file.
  3. Delete or disinfect the following files created/modified by the Backdoor:

    %Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (44 bytes)
    C:\RCX1.tmp (23552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\4$@2.dat (48 bytes)
    C:\250446c537b1728ee519d6228dd6d907.exe.tmp1 (373 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Netlogon" = "%Documents and Settings%\%current user%\Local Settings\Netlogon.exe"

  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.