Trojan.PWS.Sinowal.AK
First posted on 21 November 2011.
Source: BitDefender
Aliases:
There are no other names known for Trojan.PWS.Sinowal.AK.
Explanation:
The trojan drops 3 files in %SystemDir%\..\temp or in %CommonFilesDir%\Microsoft Shared\Web Folders, named IBM<X>.exe, IBM<X>.dll and IBM<X+1>.dll (e.g. IBM00001.exe, IBM00001.dll, IBM00002.dll).
It then tries to execute the dropped executable; if that fails, it schedules itself to run at the next system startup:
- on Windows NT it modifies the registry key:
HKLM\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell=<oldShell> <drop>
- on Windows 9x it writes to system.ini:
[boot]
shell=<oldShell> <drop>
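The drop-file naming and the two persistence mechanisms above can be checked offline from a directory listing, a registry export and a system.ini copy. The following is an added example written for this page, not BitDefender's code: it pairs IBM<X>.exe with IBM<X>.dll and IBM<X+1>.dll, and flags a Winlogon Shell or system.ini shell= value that carries anything beyond explorer.exe (on a live NT host the value lives under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon). All file names and values in the block are constructed sample input.

```python
import re

# Drop-file pattern from the write-up: IBM<X>.exe, IBM<X>.dll, IBM<X+1>.dll
DROP_NAME = re.compile(r"IBM(\d{5})\.(exe|dll)", re.IGNORECASE)


def find_drop_triplets(filenames):
    """Return every X for which IBM<X>.exe, IBM<X>.dll and IBM<X+1>.dll all
    appear in the listing, i.e. the triplet the trojan is described to drop."""
    exes, dlls = set(), set()
    for name in filenames:
        m = DROP_NAME.fullmatch(name)
        if not m:
            continue
        num = int(m.group(1))
        (exes if m.group(2).lower() == "exe" else dlls).add(num)
    return sorted(x for x in exes if x in dlls and (x + 1) in dlls)


def check_shell_value(shell_value):
    """Inspect a Winlogon Shell (NT) or system.ini shell= (9x) value.
    Returns (is_hijacked, dropped_executables). A clean value is exactly
    explorer.exe; anything appended is the "<oldShell> <drop>" pattern."""
    value = shell_value.strip()
    if value.lower() == "explorer.exe":
        return False, []
    dropped = [m.group(0) for m in DROP_NAME.finditer(value)
               if m.group(2).lower() == "exe"]
    return True, dropped


def system_ini_shell(text):
    """Extract the shell= value from the [boot] section of a system.ini copy."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot" and "=" in line:
            key, _, val = line.partition("=")
            if key.strip().lower() == "shell":
                return val.strip()
    return None


if __name__ == "__main__":
    # Constructed sample data (not taken from a real infection).
    listing = ["IBM00001.exe", "IBM00001.dll", "IBM00002.dll", "IBM00007.dll", "notes.txt"]
    print("drop triplets:", find_drop_triplets(listing))

    nt_shell = r"explorer.exe C:\WINDOWS\temp\IBM00001.exe"
    print("Winlogon Shell:", check_shell_value(nt_shell))

    ini = "[386Enh]\ndevice=vmm32.vxd\n[boot]\nshell=explorer.exe C:\\WINDOWS\\TEMP\\IBM00001.exe\n"
    print("system.ini shell:", check_shell_value(system_ini_shell(ini)))
```

A hit on `check_shell_value` alone is enough to isolate the host; the triplet check mainly confirms the drop location so the DLLs are collected along with the executable.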
The executable injects the first DLL into the address space of Explorer.exe, which in turn injects the second DLL into the address space of all other processes by means of a system-wide hook whose hook procedure does nothing; the hook only serves to get the DLL loaded into every process.
The trojan harvests:
- SMTP/POP3/IMAP logins from HKCU\Software\Microsoft\Internet Account Manager\Accounts, Windows Address Book, Thunderbird, TheBat, AK-Mail,
- FAR Manager and Total Commander cached FTP passwords (from HKCU\Software\Far\Plugins\FTP\Hosts and wcx_ftp.ini),
- FlashFXP logins (from sites.dat and quick.dat),
- bookmarks from
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Favorites
It sends the gathered info as attachments (under the name data.str) via HTTP POST (using the WinInet library) to one of these sites:
rafer71.com
sacromento.net
sudorki17.com
flaminko27.com
It deletes all files from %UserProfile%\Cookies\.
It also acts as a TCP proxy.
It bypasses ZoneAlarm, Outpost and the Windows Firewall by faking the user input that allows the trojan's network connections.
It spies on Internet Explorer, Mozilla and Firefox browser activity and steals internet banking information from:
ykb.teleweb.com.tr
bankingportal.naspa.de
banking.raiffeisen.at
*vr-*ebanking.de (anything that matches)
cib.ibanking-services.com
Last update 21 November 2011
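The network indicators on this page (the four HTTP POST destinations with the data.str attachment, and the list of watched banking hosts including the "*vr-*ebanking.de" wildcard) can be turned into a proxy-log triage pass. The block below is an added example for this page, not BitDefender's code; the log line format it parses is an assumption ("client method url status bytes upload-filename"), and every log line in it is constructed.

```python
import fnmatch
import re

# Exfiltration destinations and attachment name named in the write-up.
EXFIL_HOSTS = {"rafer71.com", "sacromento.net", "sudorki17.com", "flaminko27.com"}
EXFIL_ATTACHMENT = "data.str"

# Banking hosts the trojan watches; "*vr-*ebanking.de" is a glob, as the page says.
TARGET_PATTERNS = [
    "ykb.teleweb.com.tr",
    "bankingportal.naspa.de",
    "banking.raiffeisen.at",
    "*vr-*ebanking.de",
    "cib.ibanking-services.com",
]

# Assumed proxy log layout: "<client> <METHOD> <url> <status> <bytes> <upload-filename-or-dash>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+) (\S+)$")


def host_of(url):
    """Lower-cased host part of an http(s) URL, or '' if it does not parse."""
    m = re.match(r"^https?://([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def is_exfil_post(line):
    """True when a log line is a POST of data.str to one of the listed C&C hosts."""
    m = LOG_RE.match(line)
    if not m:
        return False
    _client, method, url, _status, _size, fname = m.groups()
    return (method.upper() == "POST"
            and host_of(url) in EXFIL_HOSTS
            and fname.lower() == EXFIL_ATTACHMENT)


def is_watched_bank(host):
    """True when the host matches one of the banking targets (glob-aware)."""
    return any(fnmatch.fnmatchcase(host.lower(), p) for p in TARGET_PATTERNS)


def triage(lines):
    """Return (exfil_lines, clients_to_watched_banks) for a batch of log lines.
    The second item maps a client to the watched banking hosts it reached, so
    that credentials for those sites can be reset if the client is infected."""
    exfil, bank_visits = [], {}
    for line in lines:
        if is_exfil_post(line):
            exfil.append(line)
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _m, url = m.group(1), m.group(2), m.group(3)
        host = host_of(url)
        if is_watched_bank(host):
            bank_visits.setdefault(client, set()).add(host)
    return exfil, bank_visits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "10.0.0.5 POST http://rafer71.com/upload.php 200 5120 data.str",
    "10.0.0.5 GET http://www.example.com/ 200 300 -",
    "10.0.0.9 POST http://sacromento.net/x 200 70 report.pdf",
    "10.0.0.5 GET https://www.vr-bank-ebanking.de/login 200 1024 -",
    "10.0.0.7 GET https://banking.raiffeisen.at/ 200 2048 -",
    "10.0.0.7 POST http://flaminko27.com/ 404 0 DATA.STR",
]

if __name__ == "__main__":
    hits, visits = triage(SAMPLE_LOG)
    for h in hits:
        print("exfil:", h)
    for client, hosts in visits.items():
        print("reset banking credentials for", client, "->", sorted(hosts))
```

Note that a POST answered with a 404 (last sample line) is still reported: the attempt, not the server's reply, is the indicator of an infected client.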