Alert level

Trojan:DOS/Sinowal.A

(?)

Encyclopedia entry
Updated: Apr 17, 2011  |  Published: Feb 08, 2011

Aliases
  • StealthMBR!mbr (McAfee)
  • TROJ_MEBROOT.AI (Trend Micro)
  • Backdoor.Win32.Sinowal.kmy (Kaspersky)
  • Troj/Mbroot-A (Sophos)
  • Trojan.Mebroot (Symantec)

Alert Level (?)
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection initially created:
Definition: 1.45.287.0
Released: Oct 07, 2008

 

Summary

Trojan:DOS/Sinowal.A is a component of Win32/Sinowal - a family of password-stealing and backdoor trojans. The trojan may try to find a cryptographic certificate on the infected computer and install a certificate on the computer to mislead users in Secure Sockets Layer (SSL) web transactions. The trojan may also capture user data such as banking credentials from various user accounts and send the data to websites specified by the attacker.
 
Trojan:DOS/Sinowal.A is a detection for a malformed MBR (Master Boot Record) generated by VirTool:WinNT/Sinowal. It loads the driver loader code of Sinowal when the affected computer boots.

Top

 

Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.

Top

 

Technical Information (Analysis)

Trojan:DOS/Sinowal.A is a component of Win32/Sinowal - a family of password-stealing and backdoor trojans. The trojan may try to find a cryptographic certificate on the infected computer and install a certificate on the computer to mislead users in Secure Sockets Layer (SSL) web transactions. The trojan may also capture user data such as banking credentials from various user accounts and send the data to websites specified by the attacker. Some Win32/Sinowal components may also open a backdoor on a TCP port. Win32/Sinowal may try to perform certain operations from the context of a trusted process such as explorer.exe in order to bypass local software-based firewalls.
 
Trojan:DOS/Sinowal.A is a detection for a malformed MBR (Master Boot Record) generated by VirTool:WinNT/Sinowal. It loads the driver loader code of Sinowal when the affected computer boots.
Installation
VirTool:WinNT/Sinowal may overwrite the existing MBR with Trojan:DOS/Sinowal.A.
Payload
Trojan:DOS/Sinowal.A looks for and loads Sinowal's driver loader code from hard drive sectors. Once found, it transfers execution to the loader.
Additional information
Please see the Win32/Sinowal family description elsewhere in the encyclopedia for more information.
 
Analysis by Scott Molenkamp

Top

 

Prevention

Take these steps to help prevent infection on your computer.


Top

 

Recovery

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products will detect and remove this threat:
 
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.
 
Win32/Sinowal attempts to steal sensitive and confidential information from affecters users in order to perpetrate fraud. If you believe that your personal financial information may have been compromised, please refer to the following advisory for additional advice:

Top

Provide feedback