Microsoft security software detects and removes this threat.
This family of password-stealing and backdoor trojans can steal your sensitive informations, such as your user names and passwords for banking websites. 

What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

Advanced troubleshooting

To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.

You can also ask for help from other PC users at the Microsoft virus and malware community.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

When the Win32/Sinowal Trojan is installed, it may search the infected computer for a cryptographic certificate with a corresponding private key. If it finds such a certificate, the Trojan may install a certificate on the computer without user authorization by intercepting certain Windows API function calls. The installation and use of this certificate is intended to mislead users in Secure Sockets Layer (SSL) Web transactions.
Win32/Sinowal may also steal user names and passwords for e-mail accounts. It may steal FTP and HTTP client account credentials as well, in particular for online banking Web sites. The Trojan can then upload captured account credentials to Web sites specified by the attacker. Variants of some Win32/Sinowal components may also open a backdoor on a randomly-selected TCP port.
Win32/Sinowal may try to perform certain operations from the context of a trusted process such as explorer.exe in order to bypass local software-based firewalls.


Alerts from your security software may be the only symptom.


Alert level: High
This entry was first published on: Aug 24, 2006
This entry was updated on: May 14, 2014

This threat is also detected as:
No known aliases