PWS:Win32/Sinowal is a multi-component trojan that communicates with remote servers to send stolen information, such as details about the affected computer and captured credentials.
Installation
When run, PWS:Win32/Sinowal creates mutexes named "stsvcmut" and "stsvcsmut". It drops the following files:
- %ProgramFiles%\Common Files\Microsoft Shared\Web Folders\ibm00001.dll - TrojanSpy:Win32/Small
- %ProgramFiles%\Common Files\Microsoft Shared\Web Folders\ibm00002.dll - PWS:Win32/Sinowal
- %ProgramFiles%\Common Files\Microsoft Shared\Web Folders\ibm00001.exe - PWS:Win32/Sinowal, loads "ibm00001.dll"
The registry is modified to run the trojan component "ibm00001.exe" at each Windows start.
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
From data: "explorer.exe"
To data: "explorer.exe <spaces> "%ProgramFiles%\Common Files\Microsoft Shared\Web Folders\ibm00001.exe""
In some samples, PWS:Win32/Sinowal may create a copy of itself as the following:
%TEMP%\clean_<random characters>.dll - for example, "clean_25bc2.dll"
It then configures its dropped copy to be loaded as a service DLL by the legitimate Windows file "svchost.exe".
To do so, it creates an entry for its dropped copy in the system registry so that it runs as a service:
In subkey: HKLM\SYSTEM\ControlSet001\Services\ldrsvc\Parameters
Sets value: "ServiceDll"
With data: "%TEMP%\clean_25bc2.dll"
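As an added illustration of how a defender might check for the two persistence changes described above (example code written for this page, not from the write-up or its author), the following Python flags a Winlogon "Shell" value that launches anything besides explorer.exe and a "ServiceDll" value that points into %TEMP%. The sample registry values are constructed from the entries above; reading live values with winreg on a Windows host is assumed and not shown.

```python
import re

# Constructed sample registry values, modelled on the entries in the write-up.
SAMPLE_SHELL_INFECTED = (
    'explorer.exe      '
    '"%ProgramFiles%\\Common Files\\Microsoft Shared\\Web Folders\\ibm00001.exe"'
)
SAMPLE_SERVICEDLL_INFECTED = "%TEMP%\\clean_25bc2.dll"

# The %TEMP% copy named in the write-up: clean_<random characters>.dll.
TEMP_COPY_RE = re.compile(r"^%TEMP%\\clean_[^\\]+\.dll$", re.IGNORECASE)
# Drop directory from the write-up, lower-cased for comparison.
DROP_DIR = r"%programfiles%\common files\microsoft shared\web folders"

def split_shell_value(value):
    """Split a Winlogon 'Shell' value into the entries Winlogon will launch.
    Entries are whitespace separated; a double-quoted entry may contain spaces."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in re.finditer(r'"([^"]*)"|(\S+)', value)]

def extra_shell_programs(value):
    """Return every Shell entry other than explorer.exe; Winlogon starts each
    entry, so any extra one is a persistence candidate."""
    return [p for p in split_shell_value(value) if p.lower() != "explorer.exe"]

def shell_findings(value):
    """Describe each suspicious Shell entry, noting the Sinowal drop directory."""
    findings = []
    for program in extra_shell_programs(value):
        note = "extra program in Winlogon Shell value"
        if program.lower().startswith(DROP_DIR):
            note += " (inside the Web Folders drop directory used by Sinowal)"
        findings.append(f"{note}: {program}")
    return findings

def servicedll_findings(service_name, dll_path):
    """Flag a ServiceDll that svchost.exe would load from a temp directory
    (no legitimate service DLL lives there) and the clean_<random>.dll naming."""
    findings, lowered = [], dll_path.lower()
    if lowered.startswith("%temp%\\") or "\\temp\\" in lowered:
        findings.append(f"{service_name}: ServiceDll in a temp directory: {dll_path}")
    if TEMP_COPY_RE.match(dll_path):
        findings.append(f"{service_name}: ServiceDll matches clean_<random>.dll naming")
    return findings

if __name__ == "__main__":
    print(shell_findings(SAMPLE_SHELL_INFECTED))
    print(servicedll_findings("ldrsvc", SAMPLE_SERVICEDLL_INFECTED))
```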
Payload
Monitors web traffic
PWS:Win32/Sinowal drops an encrypted file with a random file name that contains a list of banking websites, as in the following example:
%windir%\temp\$_2341234.tmp
PWS:Win32/Sinowal hooks various APIs in order to intercept the web traffic made by Firefox and Internet Explorer browsers to those sites. The trojan may also try to capture credentials used by various email programs and FTP clients.
Monitors security windows
PWS:Win32/Sinowal monitors message windows that may be displayed by various security programs and automatically selects the affirmative buttons (such as "OK") in those windows. This can allow the trojan to run without interference and to contact and communicate with remote servers.
Communicates with remote servers
The trojan may contact various remote servers over HTTP, using the user-agent value "User-Agent: Mozilla/4.0". When connected successfully, the trojan sends various details, such as the operating system version, the IP address and ports on which it is listening, and the list of captured credentials. In the wild, this trojan was observed to connect to domains such as the following:
- myadib7.com
- vermyt7.com
- katrin7.com
- 777level.com
The destination page requested is commonly named "x25.php" within a subdirectory named "gamma".
Analysis by Andrei Florin Saygo