Backdoor.Win32.Simbot_250446c537
Gen:Variant.Kazy.224722 (BitDefender), Backdoor:Win32/Simbot.gen (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Backdoor.Win32.Simbot.ma (v) (VIPRE), Trojan.DownLoad2.36100 (DrWeb), Gen:Variant.Kazy.224722 (B) (Emsisoft), Downloader-FQD!250446C537B1 (McAfee), Downloader (Symantec), Virus.Win32.CeeInject (Ikarus), Gen:Variant.Kazy.224722 (FSecure), Generic20.CJHR (AVG), Win32:Small-NRY [Trj] (Avast), BKDR_VAGOTO.SMA (TrendMicro), Backdoor.Win32.Simbot.FD, BackdoorSimbot.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Virus
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 250446c537b1728ee519d6228dd6d907
SHA1: edefa0372ceccc36dd5e55e9ff57cb8915d91e77
SHA256: a1214b72da64bc9f302d429ea4655b9ec5a02a160eb0a36ca47519c9aed979f6
SSDeep: 384:zdWhOsZwOcfyL01fc0Sm0qFW0fAaZpxPNYP/zltrDroACLzlMsyoKfuqg:zdCOeClH0qyeaTXrAdztQBg
Size: 20992 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-11-06 05:06:34
Summary:
Backdoor. Malware that enables remote control of the victim's machine.
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
regedit.exe:504
250446c537b1728ee519d6228dd6d907.exe:1408
File activity
The process 250446c537b1728ee519d6228dd6d907.exe:1408 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (44 bytes)
C:\RCX1.tmp (23552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\[email protected] (48 bytes)
C:\250446c537b1728ee519d6228dd6d907.exe.tmp1 (373 bytes)
The Backdoor deletes the following file(s):
C:\250446c537b1728ee519d6228dd6d907.exe.tmp1 (0 bytes)
Registry activity
The process regedit.exe:504 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 23 4A 5D D2 D1 3C FB 8B DF 52 E7 40 DF 72 C8"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Netlogon" = "%Documents and Settings%\%current user%\Local Settings\Netlogon.exe"
Network activity (URLs)
No activity has been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
regedit.exe:504
250446c537b1728ee519d6228dd6d907.exe:1408
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (44 bytes)
C:\RCX1.tmp (23552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\[email protected] (48 bytes)
C:\250446c537b1728ee519d6228dd6d907.exe.tmp1 (373 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Netlogon" = "%Documents and Settings%\%current user%\Local Settings\Netlogon.exe"
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.