When the Win32/Sinowal Trojan is installed, it may search the infected computer for a cryptographic certificate that has a corresponding private key. If it finds such a certificate, the Trojan may install a certificate on the computer without user authorization by intercepting certain Windows API function calls. The installation and use of this certificate are intended to mislead users during Secure Sockets Layer (SSL) Web transactions.
Win32/Sinowal may also steal user names and passwords for e-mail accounts. It may steal FTP and HTTP client account credentials as well, in particular for online banking Web sites. The Trojan can then upload the captured account credentials to Web sites specified by the attacker. Variants of some Win32/Sinowal components may also open a backdoor on a randomly selected TCP port.
Win32/Sinowal may try to perform certain operations in the context of a trusted process such as explorer.exe in order to bypass local software-based firewalls.
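Two of the behaviours described above leave host-side traces a responder can look for: a listening TCP socket owned by explorer.exe (the backdoor run from a trusted process) and a certificate that has turned up in a trusted store without the user enrolling it. The following PowerShell check is an added example, not part of the original description and not a detection signature for Sinowal; it assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection), an elevated prompt, and the heuristic that a private key inside a Root or CA store is abnormal.

```powershell
# Added defensive check (not from the original page). Assumes Windows 8+ and
# an elevated session so process paths and machine stores are readable.

# Index running processes by PID for quick lookup.
$procById = @{}
Get-Process -ErrorAction SilentlyContinue | ForEach-Object { $procById[$_.Id] = $_ }

# 1. Listening TCP sockets owned by explorer.exe. Explorer has no business
#    listening on a port, so any hit is worth a closer look.
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object {
        $owner = $procById[[int]$_.OwningProcess]
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            OwnerPid     = $_.OwningProcess
            ProcessName  = if ($owner) { $owner.ProcessName } else { '<unknown>' }
            Path         = if ($owner) { $owner.Path } else { $null }
        }
    }
$explorerListeners = @($listeners | Where-Object { $_.ProcessName -eq 'explorer' })

# 2. Certificates carrying a private key inside trust stores. These stores
#    normally hold public CA certificates only (assumed heuristic, not a rule
#    stated on the page); a key-bearing entry is how a locally installed
#    interception certificate would typically show up.
$storesToCheck = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
                 'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\CA'
$keyBearingCerts = @(foreach ($store in $storesToCheck) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.HasPrivateKey } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotBefore
})

"Listening sockets owned by explorer.exe: $($explorerListeners.Count)"
$explorerListeners | Format-Table -AutoSize
"Certificates with private keys in Root/CA stores: $($keyBearingCerts.Count)"
$keyBearingCerts | Format-Table -AutoSize
```

A hit in either list is a lead for further triage (process memory, the certificate's issuer and NotBefore date, outbound connections from the same PID), not proof of infection on its own.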