

PWS:Win32/Sinowal is a multi-component trojan that communicates with remote servers to send sensitive information, such as details about the affected computer and other credentials.

What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:
For more information on antivirus software, see
PWS:Win32/Sinowal attempts to steal sensitive and confidential information from affected users to perpetrate fraud. If you believe that your personal financial information may have been compromised, please refer to the following advisory for additional advice:

Threat behavior


When run, PWS:Win32/Sinowal creates mutexes named "stsvcmut" and "stsvcsmut". It drops the following files:

  • %ProgramFiles%\Common Files\Microsoft Shared\Web Folders\ibm00001.dll - TrojanSpy:Win32/Small
  • %ProgramFiles%\Common Files\Microsoft Shared\Web Folders\ibm00002.dll - PWS:Win32/Sinowal
  • %ProgramFiles%\Common Files\Microsoft Shared\Web Folders\ibm00001.exe - PWS:Win32/Sinowal, loads "ibm00001.dll"

The registry is modified to run the trojan component "ibm00001.exe" at each Windows start.

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
From data: "explorer.exe"
To data: "explorer.exe <spaces> "%ProgramFiles%\Common Files\Microsoft Shared\Web Folders\ibm00001.exe""

In some samples, PWS:Win32/Sinowal may create a copy of itself as the following:

    %TEMP%\clean_<random characters>.dll - for example, "clean_25bc2.dll"

It then configures its dropped copy to run alongside the legitimate Windows file "svchost.exe".

It also creates an entry for its dropped copy in the system registry so that it runs as a service:

In subkey: HKLM\SYSTEM\ControlSet001\Services\ldrsvc\Parameters
Sets value: "ServiceDll"
With data: "%TEMP%\clean_25bc2.dll"


Monitors web traffic

PWS:Win32/Sinowal drops an encrypted file with a random file name that contains a list of banking websites, as in the following example:


PWS:Win32/Sinowal hooks various APIs in order to intercept the web traffic made by Firefox and Internet Explorer browsers to those sites. The trojan may also try to capture credentials used by various email programs and FTP clients.

Monitors security windows

PWS:Win32/Sinowal monitors message windows that may be displayed by various security programs and automatically selects affirmation buttons (such as "OK") within the window. This could allow the trojan to run without interference and to contact and communicate with remote servers.

Communicates with remote servers

The trojan may contact various remote servers using the HTTP protocol and a user-agent value of "User-Agent: Mozilla/4.0". When connected successfully, the trojan sends various details, such as the operating system version, the IP address or ports on which it is listening, and the list of credentials. In the wild, this trojan was observed to connect with domains such as the following:


The destination page requested is commonly named "x25.php" within a subdirectory named "gamma".

Analysis by Andrei Florin Saygo


System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    %ProgramFiles%\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
    %ProgramFiles%\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
    %ProgramFiles%\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
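
The file and registry changes described in this write-up can be checked against values collected from a host. The following Python is an added example, not part of the original write-up: the snapshot dictionary layout and the function names are assumptions, the baseline Shell value is the "explorer.exe" given above, and the sample data is constructed.

```python
import ntpath
import re

# Indicators from the write-up above; the snapshot layout is an assumption.
DROPPED = {"ibm00001.dll", "ibm00002.dll", "ibm00001.exe"}
DROP_DIR = r"\common files\microsoft shared\web folders"
CLEAN_DLL = re.compile(r"^clean_[^\\]+\.dll$", re.IGNORECASE)
TEMP_DIR = re.compile(r"%temp%|\\temp\\", re.IGNORECASE)

def check_shell(shell):
    """Flag a Winlogon Shell value that is not exactly explorer.exe."""
    parts = shell.strip().split(None, 1)
    if not parts or parts[0].lower() != "explorer.exe":
        return "Winlogon Shell does not start with explorer.exe: " + shell
    if len(parts) > 1:
        return "Winlogon Shell runs an extra program: " + parts[1]
    return None

def check_service_dll(service, dll):
    """Flag a ServiceDll loaded from a temp directory or named clean_*.dll."""
    name = ntpath.basename(dll.strip('"'))
    hit = CLEAN_DLL.match(name) or TEMP_DIR.search(dll)
    return "Service %s loads ServiceDll %s" % (service, dll) if hit else None

def check_files(paths):
    """Return findings for dropped file names inside the Web Folders directory."""
    hits = []
    for path in paths:
        folder, name = ntpath.split(path)
        if name.lower() in DROPPED and folder.lower().endswith(DROP_DIR):
            hits.append("Dropped file present: " + path)
    return hits

def triage(snapshot):
    """Collect every finding for one host snapshot."""
    findings = [check_shell(snapshot["shell"])]
    findings += [check_service_dll(s, d) for s, d in snapshot["service_dlls"].items()]
    findings += check_files(snapshot["files"])
    return [f for f in findings if f]

# Constructed sample snapshot, not data from a real host.
SAMPLE = {
    "shell": 'explorer.exe    "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\ibm00001.exe"',
    "service_dlls": {"ldrsvc": r"%TEMP%\clean_25bc2.dll", "wuauserv": r"%SystemRoot%\System32\wuaueng.dll"},
    "files": [r"C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll"],
}

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

The Shell check flags any command appended after "explorer.exe", so it also catches variants that use a different file name than "ibm00001.exe".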


Alert level: High
First detected by definition:
Latest detected by definition: 1.205.646.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: May 11, 2011
This entry was updated on: May 11, 2011

This threat is also detected as:
No known aliases