Threat behavior
PWS:Win32/Sinowal.gen!C is a component of the greater Win32/Sinowal family.
Win32/Sinowal is a family of password-stealing and backdoor trojans. These trojans may try to find a cryptographic certificate on the infected computer and install a certificate of their own so that users are misled during Secure Sockets Layer (SSL) Web transactions. Some Win32/Sinowal components may also use advanced stealth functionality, or try to perform certain operations from the context of a trusted process such as explorer.exe in order to bypass local software-based firewalls.
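One defender-side check for the certificate-installation behavior described above is to baseline the trusted root certificate stores and report anything that appears later. The script below is an added example written for this page, not code from the encyclopedia entry or from Microsoft. It assumes Windows PowerShell (or PowerShell 7 on Windows) with administrative rights for the LocalMachine store; the baseline file path is a placeholder, and both the machine-wide and the current-user root stores are checked because a trojan running without administrative rights can still add a root to the user's store.

```powershell
# Added example (not from the original page): baseline the trusted root stores and
# report certificates that were not present when the baseline was taken.
# Assumptions: Windows, administrative rights for Cert:\LocalMachine\Root,
# and a writable baseline location (placeholder path below).
$BaselinePath = 'C:\SecBaseline\root-store-baseline.json'   # placeholder path

function Get-RootStoreSnapshot {
    # One record per certificate in each trusted root store we care about.
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                NotBefore  = $_.NotBefore
                NotAfter   = $_.NotAfter
            }
        }
    }
}

function Save-RootStoreBaseline {
    param([string]$Path)
    New-Item -ItemType Directory -Path (Split-Path -Parent $Path) -Force | Out-Null
    Get-RootStoreSnapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding UTF8
}

function Compare-RootStoreToBaseline {
    param([string]$Path)
    $baseline = Get-Content -Path $Path -Raw | ConvertFrom-Json
    # Key on store + thumbprint so the same CA appearing in a second store is also reported.
    $known = @{}
    foreach ($c in $baseline) { $known["$($c.Store)|$($c.Thumbprint)"] = $true }
    Get-RootStoreSnapshot | Where-Object { -not $known.ContainsKey("$($_.Store)|$($_.Thumbprint)") }
}

if (-not (Test-Path -Path $BaselinePath)) {
    Save-RootStoreBaseline -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
} else {
    $new = @(Compare-RootStoreToBaseline -Path $BaselinePath)
    if ($new.Count -gt 0) {
        Write-Warning "Trusted root certificates not present in the baseline:"
        $new | Format-Table Store, Thumbprint, Subject, NotAfter -AutoSize
    } else {
        Write-Host "No new trusted root certificates since the baseline was taken."
    }
}
```

Run it once on a known-clean machine to write the baseline, then on a schedule; any root that shows up afterwards should be traced to a legitimate enrollment or update before it is accepted, since a self-installed root is exactly what lets a trojan present an SSL certificate the browser will trust.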
Payload
Steals Sensitive Data / Provides Advanced Stealth / Backdoor Functionality
Components generically detected as PWS:Win32/Sinowal.gen!C may differ in the functionality that they provide for this multi-component family. In the wild they have been observed to provide password-stealing functionality, allowing them to steal sensitive data, or advanced stealth functionality, allowing them to avoid detection and hide their components from affected users. When providing stealth functionality, this component also provides backdoor functionality that allows a remote attacker to access and control the affected machine.
For more information on Sinowal's advanced stealth functionality, including its novel use of MBR modification, please see the VirTool:WinNT/Sinowal.A description elsewhere in our encyclopedia. This feature of the family was novel enough to receive media interest in early 2008 (although it appears from our investigation that this functionality may have been in use for a couple of months prior to this discovery).
Prevention