
Malicious Software Encyclopedia: Win32/Sinowal

Published: September 12, 2006

Win32/Sinowal is a family of password-stealing and backdoor Trojans. The Trojan may try to find a cryptographic certificate on the infected computer and install a certificate on the computer to mislead users in Secure Sockets Layer (SSL) Web transactions. The Trojan may also capture user data such as banking credentials from various user accounts and send the data to Web sites specified by the attacker. Some Win32/Sinowal components may also open a backdoor on a TCP port. Win32/Sinowal may try to perform certain operations from the context of a trusted process such as explorer.exe in order to bypass local software-based firewalls.


Threat Overview

Class/type: Trojan - Backdoor; Trojan - Data Theft
Discovered: October 13, 2005
Circulating: Yes
Affected operating systems: Windows NT 4.0, Windows 95, Windows 2000, Windows XP, Windows Server 2003, Windows ME, Windows 98
Affected software: Not specified
Infection rating: Low
Recovery difficulty: Moderate
Damage rating: Medium
Transmission rating: Low

Technical Analysis

When the Win32/Sinowal Trojan is installed, it may search the infected computer for a cryptographic certificate with a corresponding private key. If it finds such a certificate, the Trojan may install a certificate on the computer without user authorization by intercepting certain Windows API function calls. The installation and use of this certificate is intended to mislead users in Secure Sockets Layer (SSL) Web transactions.
 
Win32/Sinowal may also steal user names and passwords for e-mail accounts. It may steal FTP and HTTP client account credentials as well, in particular for online banking Web sites. The Trojan can then upload captured account credentials to Web sites specified by the attacker. Variants of some Win32/Sinowal components may also open a backdoor on a randomly-selected TCP port.
 
Win32/Sinowal may try to perform certain operations from the context of a trusted process such as explorer.exe in order to bypass local software-based firewalls.
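Because the entry describes a backdoor on a randomly selected port opened from the context of a trusted process such as explorer.exe, a defender gains more from asking which process owns each listening socket than from watching for a fixed port. The following Python script is an added illustration, not part of the encyclopedia entry; it parses constructed `netstat -ano` output together with a constructed PID-to-image map and flags listeners owned by processes that should not accept inbound connections.

```python
"""Flag listening TCP sockets owned by processes that should not be listening.

Added example, not from the Microsoft encyclopedia entry. The sample netstat
output and the PID -> image map below are constructed for illustration.
"""
import re

# Workstation processes that have no business accepting inbound TCP
# connections (assumption for this example; tune per environment).
NO_LISTEN_EXPECTED = {"explorer.exe", "iexplore.exe", "outlook.exe"}

# Constructed sample of `netstat -ano` output on a Windows host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1732
  TCP    0.0.0.0:27149          0.0.0.0:0              LISTENING       1732
  TCP    192.168.1.10:1043      203.0.113.5:443        ESTABLISHED     1732
  UDP    0.0.0.0:500            *:*                                    720
"""

# Constructed PID -> image name map (on a live host, take it from `tasklist`).
SAMPLE_PROCESSES = {4: "System", 720: "lsass.exe", 948: "svchost.exe",
                    1732: "explorer.exe"}

# Matches only TCP sockets in LISTENING state; other rows are ignored.
LINE_RE = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<lport>\d+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$")


def parse_listeners(netstat_text):
    """Return (local_addr, port, pid) for every listening TCP socket."""
    found = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append((m["laddr"], int(m["lport"]), int(m["pid"])))
    return found


def unexpected_listeners(netstat_text, pid_to_image, suspicious=NO_LISTEN_EXPECTED):
    """Listeners whose owning image is in the no-listen set or cannot be resolved."""
    hits = []
    for laddr, port, pid in parse_listeners(netstat_text):
        image = pid_to_image.get(pid, "<unknown>")
        if image == "<unknown>" or image.lower() in suspicious:
            hits.append({"image": image, "pid": pid, "addr": laddr, "port": port})
    return hits


if __name__ == "__main__":
    for hit in unexpected_listeners(SAMPLE_NETSTAT, SAMPLE_PROCESSES):
        print(f"{hit['image']} (PID {hit['pid']}) listening on {hit['addr']}:{hit['port']}")
```

A flagged listener is a lead, not a verdict: confirm the owning process and module on the host before treating it as a Sinowal-style backdoor.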

How to Prevent Infection

Take the following steps to help prevent infection on your system:
  • Enable a firewall on your computer.
  • Get the latest computer updates.
  • Use up-to-date antivirus software.
  • Use caution with attachments and file transfers.

Enable a firewall on your computer

Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP
  1. Click Start, and click Control Panel.
  2. Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
  3. Click Change Windows Firewall Settings.
  4. Select On.
  5. Click OK.

Get the latest computer updates

Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows XP
  1. Click Start, and click Control Panel.
  2. Click System.
  3. Click Automatic Updates.
  4. Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.

Use up-to-date antivirus software

Most antivirus software can detect and prevent infection by known malicious software. To help protect your computer from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from various sources. For more information, see http://www.microsoft.com/athome/security/downloads/default.mspx

Use caution with attachments and file transfers

Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.

How to Tell If Your Computer Is Infected

Symptoms of a Win32/Sinowal installation may differ according to the particular variant.

How to Recover from Infection

Automatic Recovery
To attempt to automatically remove this threat, run one of the following removal tools:

Payload Information

Payload type: Compromises Security
Trigger: Execution
Description:
  • May install a cryptographic certificate to mislead users in SSL transactions
  • May open a backdoor on a randomly-selected TCP port

Payload type: Release information
Trigger: Execution
Description: May capture confidential information from various user accounts and release it to the attacker

