Microsoft security software detects and removes this threat.
This family of password-stealing and backdoor trojans can steal your sensitive informations, such as your user names and passwords for banking websites. 

What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Advanced troubleshooting

To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.

Protect your sensitive information

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

Get more help

You can also ask for help from other PC users at the Microsoft virus and malware community.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

When the Win32/Sinowal Trojan is installed, it may search the infected computer for a cryptographic certificate with a corresponding private key. If it finds such a certificate, the Trojan may install a certificate on the computer without user authorization by intercepting certain Windows API function calls. The installation and use of this certificate is intended to mislead users in Secure Sockets Layer (SSL) Web transactions.
Win32/Sinowal may also steal user names and passwords for e-mail accounts. It may steal FTP and HTTP client account credentials as well, in particular for online banking Web sites. The Trojan can then upload captured account credentials to Web sites specified by the attacker. Variants of some Win32/Sinowal components may also open a backdoor on a randomly-selected TCP port.
Win32/Sinowal may try to perform certain operations from the context of a trusted process such as explorer.exe in order to bypass local software-based firewalls.


Alerts from your security software may be the only symptom.


Alert level: High
This entry was first published on: Aug 24, 2006
This entry was updated on: Sep 22, 2014

This threat is also detected as:
No known aliases