Microsoft security software detects and removes this threat.
This threat is a member of the Win32/Sinowal family of password-stealing and backdoor trojans. It can install a security certificate to make you think a website is secure when it isn't. 
It can also steal your personal information, such as your banking user names and passwords, and send them to a hacker. 
This trojan is installed on your PC by VirTool:WinNT/Sinowal.

What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

You can also visit the Microsoft virus and malware community for more help.

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

Threat behavior

Trojan:DOS/Sinowal.A might try to find a cryptographic certificate on your PC and install a certificate to mislead you in Secure Sockets Layer (SSL) web transactions. The trojan can also capture user data such as banking credentials from various user accounts and send the data to websites specified by the attacker.
Some Win32/Sinowal components may also open a backdoor on a TCP port and might try to perform certain operations from the context of a trusted process such as explorer.exe in order to bypass local software-based firewalls.
Trojan:DOS/Sinowal.A is a detection for a malformed Master Boot Record (MBR) generated by VirTool:WinNT/Sinowal. It loads Sinowal's driver loader code when your PC starts.

We have seen VirTool:WinNT/Sinowal overwrite the existing Master Boot Record (MBR) with Trojan:DOS/Sinowal.A.

Trojan:DOS/Sinowal.A looks for and loads Sinowal's driver loader code from hard drive sectors. Once found, it transfers execution to the loader.
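
The following is an added example, not Microsoft's detection logic or code from this entry: a defender-side check that compares a captured copy of sector 0 against a hash recorded while the PC was known clean, which flags the kind of MBR overwrite described above. The offsets are the standard MBR layout; the function names, sample sectors and baseline are constructed for illustration.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE = slice(0, 440)      # bootstrap code area of a standard MBR
BOOT_SIG = b"\x55\xaa"         # boot signature at bytes 510-511

def parse_partitions(sector):
    """Return (status, type, first_lba, sector_count) for each used entry."""
    entries = []
    for i in range(4):
        raw = sector[446 + 16 * i: 462 + 16 * i]
        status, ptype = raw[0], raw[4]
        first_lba, count = struct.unpack_from("<II", raw, 8)
        if ptype != 0:           # type 0 marks an unused slot
            entries.append((status, ptype, first_lba, count))
    return entries

def check_mbr(sector, baseline_boot_sha256):
    """Compare sector 0 with a baseline hash taken while the PC was clean."""
    if len(sector) != SECTOR:
        raise ValueError("expected one 512-byte sector")
    findings = []
    if sector[510:512] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    if hashlib.sha256(sector[BOOT_CODE]).hexdigest() != baseline_boot_sha256:
        findings.append("bootstrap code differs from baseline")
    return findings, parse_partitions(sector)

def build_sample(boot_fill):
    """Constructed sample sector: filler boot code plus one NTFS partition."""
    s = bytearray(SECTOR)
    s[BOOT_CODE] = bytes([boot_fill]) * 440
    s[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07,
                             b"\x00" * 3, 2048, 204800)
    s[510:512] = BOOT_SIG
    return bytes(s)

clean = build_sample(0x90)       # constructed "known good" sector
modified = build_sample(0xCC)    # constructed sector with replaced boot code
baseline = hashlib.sha256(clean[BOOT_CODE]).hexdigest()

if __name__ == "__main__":
    for name, sec in (("clean", clean), ("modified", modified)):
        print(name, check_mbr(sec, baseline))
```

The sector should be captured from offline or trusted boot media so that the copy being hashed is the one actually on disk.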

Additional information

The Win32/Sinowal family description has more information.
Analysis by Scott Molenkamp


Alerts from your security software may be the only symptom.


Alert level: Severe
First detected by definition:
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Feb 08, 2011
This entry was updated on: Dec 23, 2013

This threat is also detected as:
  • StealthMBR!mbr (McAfee)
  • TROJ_MEBROOT.AI (Trend Micro)
  • Backdoor.Win32.Sinowal.kmy (Kaspersky)
  • Troj/Mbroot-A (Sophos)
  • Trojan.Mebroot (Symantec)