
Trojan:DOS/Sinowal.M


First posted on 09 April 2010.
Source: SecurityHome

Aliases :

Trojan:DOS/Sinowal.M is also known as Backdoor.Win32.Sinowal.fka (Kaspersky).

Explanation :

Trojan:DOS/Sinowal.M is a component of Win32/Sinowal - a family of password-stealing and backdoor trojans. The trojan may try to find a cryptographic certificate on the infected computer and install a certificate on the computer to mislead users in Secure Sockets Layer (SSL) Web transactions. The trojan may also capture user data such as banking credentials from various user accounts and send the data to Web sites specified by the attacker. Some Win32/Sinowal components may also open a backdoor on a TCP port. Win32/Sinowal may try to perform certain operations from the context of a trusted process such as explorer.exe in order to bypass local software-based firewalls. Trojan:DOS/Sinowal.M is a detection for a malformed MBR (Master Boot Record) generated by VirTool:WinNT/Sinowal. It loads the driver loader code of Sinowal when the affected computer boots.


Installation
VirTool:WinNT/Sinowal may overwrite the existing MBR with Trojan:DOS/Sinowal.M.

Payload
Trojan:DOS/Sinowal.M looks for and loads Sinowal's driver loader code from hard drive sectors. Once found, it transfers execution to the loader.

Additional information
Please see the Win32/Sinowal family description elsewhere in the encyclopedia for more information.
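Because this detection is for a sector-level artifact rather than a file, the practical check on a suspect machine is to compare the first sector of the boot disk against a copy captured from a trusted state. The Python script below is an added example, not code from the encyclopedia entry or from the analyst: it parses a 512-byte MBR into boot code, disk signature, partition table and 0x55AA boot signature, then reports whether the boot code region differs from a baseline while the partition table is left intact, which is the shape an MBR overwrite that keeps the system bootable takes. The sample sectors, byte patterns and device paths are constructed for the example and are not Sinowal's.

```python
"""Parse a 512-byte MBR and diff its boot code against a trusted baseline.

Added example, not from the encyclopedia entry. Offsets follow the classic
MBR layout; the sample sectors below are constructed, not captured from Sinowal.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_END = 0x1B8      # boot code occupies bytes 0..439; disk signature follows
DISK_SIG_OFF = 0x1B8       # 4-byte Windows disk signature, then 2 bytes padding
PART_TABLE_OFF = 0x1BE     # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE       # 0x55 0xAA


def read_first_sector(device_path: str) -> bytes:
    """Read the MBR from a raw device (Administrator on Windows, root on Linux).
    Caller supplies the path, e.g. \\.\PhysicalDrive0 or /dev/sda (assumed, not from the page)."""
    with open(device_path, "rb") as dev:
        return dev.read(MBR_SIZE)


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR into its regions; partition slots with type 0x00 are skipped."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    boot_code = sector[:BOOT_CODE_END]
    return {
        "boot_code": boot_code,
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
        "boot_signature_ok": sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xaa",
    }


def diff_mbr(baseline: bytes, current: bytes) -> dict:
    """Compare the sector read now against a baseline captured from a trusted state."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    changed = [i for i in range(BOOT_CODE_END) if base["boot_code"][i] != cur["boot_code"][i]]
    return {
        "boot_code_changed": base["boot_code_sha256"] != cur["boot_code_sha256"],
        "changed_range": (changed[0], changed[-1]) if changed else None,
        "partition_table_changed": base["partitions"] != cur["partitions"],
        "disk_signature_changed": base["disk_signature"] != cur["disk_signature"],
        "boot_signature_ok": cur["boot_signature_ok"],
    }


def _build_sector(boot_code: bytes) -> bytes:
    """Constructed sample: given boot code, one active NTFS partition, valid 0x55AA."""
    body = boot_code.ljust(BOOT_CODE_END, b"\x00")
    body += struct.pack("<IH", 0xDEADBEEF, 0)                          # disk signature + pad
    body += struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)                 # entry 0: NTFS, active
    body += b"\x00" * 48                                               # entries 1-3 unused
    body += b"\x55\xaa"
    return body


# Constructed "clean" sector with a conventional prologue (cli; xor ax,ax; mov ss,ax; mov sp,7C00h).
CLEAN_MBR = _build_sector(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")

# Constructed "overwritten" sector: first 16 code bytes replaced, partition table, disk
# signature and 0x55AA untouched, so the disk still boots and only the code region differs.
TAMPERED_MBR = (b"\xeb\x0e" + b"\x90" * 14) + CLEAN_MBR[16:]

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, diff_mbr(CLEAN_MBR, sector))
```

Two caveats apply when this is run for real. The baseline must come from a state you trust (an install image or a sector captured before the incident), since comparing a suspect MBR with itself proves nothing. And because the MBR here is written by a kernel-mode component (VirTool:WinNT/Sinowal), a sector read issued from user mode on the running system can in principle be filtered by that component; a read taken from boot media or with the disk attached to another machine is the more trustworthy input.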

Analysis by Scott Molenkamp

Last update 09 April 2010

 
