
PWS:Win64/Sinowal.gen!B


First posted on 07 September 2012.
Source: Microsoft

Aliases :

PWS:Win64/Sinowal.gen!B is also known as TR/PSW.Sinowal.MC (Avira).

Explanation :



PWS:Win64/Sinowal.gen!B is a component of the Win32/Sinowal family.

Win32/Sinowal is a family of password-stealing and backdoor trojans. These trojans may steal sensitive information by interfering with Secure Sockets Layer (SSL) transactions (those that use certificates) made from your computer. Some Sinowal components may also be able to hide or disguise themselves to avoid detection, and perform their operations under the guise of trusted processes, such as "explorer.exe", to bypass your computer's security defences.



Installation

When run, PWS:Win64/Sinowal.gen!B drops a payload component as a DLL file in the "%Systemdrive%\ProgramData\Windows\" folder. The DLL component may have any of the following file names:

  • lmbd.dll
  • mmdd.dll
  • mscc.dll
  • msdd.dll
  • msdr.dll
  • msee.dll
  • msseedir.dll
  • mswd.dll
  • wsse.dll


This file is detected as PWS:Win64/Sinowal.gen!A.

PWS:Win64/Sinowal.gen!B also creates a DAT file in the same folder, which contains data used by its DLL component. The DAT file may have any of the following file names:

  • bass.dat
  • ccdxmmde.dat
  • colu.dat
  • dfdd.dat
  • drss.dat
  • dsdd.dat
  • du44.dat
  • dumd.dat
  • elct.dat
  • ffxd.dat
  • i3u4.dat
  • ii33.dat
  • jdlr.dat
  • kdkd.dat
  • msxx.dat
  • ned9.dat
  • nudr.dat
  • qnud.dat
  • rexx.dat
  • rrxx.dat
  • ssde.dat
  • uloc.dat
  • vvve.dat
  • werr.dat
  • wjdj.dat
  • xdor.dat
  • xes2.dat
  • xessmsxe.dat


It registers its DLL component as a Copy Hook Handler (a shell extension that Explorer loads in-process whenever a folder is copied, moved, deleted or renamed, which is what lets the DLL run inside "explorer.exe") by creating the following registry subkeys, whose default value points to the dropped DLL:

  • HKCR\CLSID\<GUID>\InprocServer32
  • HKCU\Software\Classes\CLSID\<GUID>\InprocServer32


where <GUID> can be any one of the following:

  • {118BEDCC-A901-4203-B4F2-ADCB957D1887}
  • {312BED3C-A901-4203-B4F2-ADCB957D1887}
  • {F12BE2CC-A901-4203-B4F2-ADCB957D1887}
  • {312BFDCE-A901-4203-B4F2-ADCB957D1887}
  • {212B3DCC-A901-4203-B4F2-ADCB957D1887}
  • {A12BEDCC-A901-4203-B4F2-ADCB957D1887}


It also creates the subkey:

  • HKLM\Software\Classes\Directory\Shellex\CopyHookHandlers\<copy hook name>


where <copy hook name> can be any one of the following:

  • Copier
  • CopierMircosoft
  • MicrosoftCopy
  • MSCopy
  • MSCPY
  • WindowsCopy
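The registration chain described above (CopyHookHandlers\<name> default value = CLSID, then CLSID\<GUID>\InprocServer32 default value = DLL path) is what a hunt has to follow. The script below is an added example, not code from the original analysis: it parses a .reg export, resolves every copy hook handler to the DLL it loads, and flags handlers whose CLSID is one of those listed above or whose DLL lives under \ProgramData\Windows\. The .reg text embedded in it is constructed for the example (including the {AAAAAAAA-...} CLSID and the "Updater" handler name, which are placeholders); on a live host the same data comes from "reg export" of the CopyHookHandlers key and of HKCR\CLSID and HKCU\Software\Classes\CLSID.

```python
"""Resolve Copy Hook Handler registrations from a .reg export and flag the ones
that match the Sinowal indicators above. Added example; sample data is constructed."""

# CLSIDs listed in the Sinowal description.
SINOWAL_CLSIDS = {
    "{118BEDCC-A901-4203-B4F2-ADCB957D1887}",
    "{312BED3C-A901-4203-B4F2-ADCB957D1887}",
    "{F12BE2CC-A901-4203-B4F2-ADCB957D1887}",
    "{312BFDCE-A901-4203-B4F2-ADCB957D1887}",
    "{212B3DCC-A901-4203-B4F2-ADCB957D1887}",
    "{A12BEDCC-A901-4203-B4F2-ADCB957D1887}",
}
COPYHOOK_KEY = r"HKEY_LOCAL_MACHINE\Software\Classes\Directory\Shellex\CopyHookHandlers"
DROP_DIR = "\\programdata\\windows\\"   # matched case-insensitively, any drive letter

# Constructed .reg export (not a real capture): one benign handler, one handler
# using a listed Sinowal CLSID, and one renamed handler with a placeholder CLSID
# registered only per-user but still loading a DLL from the drop folder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\Shellex\CopyHookHandlers\FileSystem]
@="{217FC9C0-3AEA-1069-A2DB-08002B30309D}"

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\Shellex\CopyHookHandlers\MSCopy]
@="{312BED3C-A901-4203-B4F2-ADCB957D1887}"

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\Shellex\CopyHookHandlers\Updater]
@="{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"

[HKEY_CLASSES_ROOT\CLSID\{217FC9C0-3AEA-1069-A2DB-08002B30309D}\InprocServer32]
@="C:\\Windows\\system32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{312BED3C-A901-4203-B4F2-ADCB957D1887}\InprocServer32]
@="C:\\ProgramData\\Windows\\msdd.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\ProgramData\\Windows\\wsse.dll"
"""


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}.
    Only quoted string values are decoded; hex(...) data is kept verbatim."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line and not line.startswith(";"):
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def inproc_server(index, clsid):
    """Return the InprocServer32 path for clsid. HKCR is a merged view in which
    HKCU\Software\Classes takes precedence over HKLM\Software\Classes, so the
    per-user hive is checked first; Sinowal writes both locations."""
    for hive in (r"HKEY_CURRENT_USER\Software\Classes\CLSID",
                 r"HKEY_CLASSES_ROOT\CLSID",
                 r"HKEY_LOCAL_MACHINE\Software\Classes\CLSID"):
        vals = index.get(f"{hive}\\{clsid}\\InprocServer32".lower())
        if vals and "@" in vals:
            return vals["@"]
    return None


def find_suspicious_copy_hooks(reg_text):
    """Walk every CopyHookHandlers\<name> entry and report the suspicious ones."""
    keys = parse_reg(reg_text)
    index = {k.lower(): v for k, v in keys.items()}   # registry paths are case-insensitive
    prefix = COPYHOOK_KEY.lower() + "\\"
    findings = []
    for key, vals in keys.items():
        if not key.lower().startswith(prefix):
            continue
        handler = key[len(prefix):]
        if not handler or "\\" in handler:            # only direct children are handlers
            continue
        clsid = vals.get("@", "").upper()
        dll = inproc_server(index, clsid)
        reasons = []
        if clsid in SINOWAL_CLSIDS:
            reasons.append("CLSID listed for Sinowal")
        if dll and DROP_DIR in dll.lower():
            reasons.append("DLL loaded from the Sinowal drop folder")
        if reasons:
            findings.append({"handler": handler, "clsid": clsid, "dll": dll, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_copy_hooks(SAMPLE_REG):
        print(f"{f['handler']}: {f['clsid']} -> {f['dll']} ({'; '.join(f['reasons'])})")
```

Matching on the drop folder as well as on the CLSID list is deliberate: the handler name and CLSID vary between samples (the lists above are "any of the following"), but the DLL location is the same for every variant described here, and the HKCU registration path is one that tools enumerating only HKLM will miss.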


It may create an event with any of the following names:

  • bass1883hr
  • bass9883hd
  • d2dd9883hr
  • dfdd9883hd
  • dfed988ehr
  • dsdd9883hd
  • du3d9813hr
  • dumd9883hd
  • ffxd3883hr
  • ffxd9883hd
  • mrxx9883hr
  • msxe9883hd
  • msxea883ar
  • msxx9883hd
  • rexx9883hd
  • rexx9883hr
  • ssde9483hr
  • ssde9883hd
  • xess9883hd
  • xess9883hr


Payload

Steals sensitive data or provides stealth functionality

Files detected as PWS:Win64/Sinowal.gen!B may have different functions. In the wild, they have been observed to steal sensitive data, or provide stealth functionality, allowing them and other Sinowal components to avoid detection. In the process of providing stealth, it also provides backdoor functionality that allows a remote attacker to access and control your computer.

Contacts remote servers

PWS:Win64/Sinowal.gen!B may contact remote servers, such as the following:

  • 206.225.82.45
  • 5.10.65.138
  • 65.23.129.102
  • 66.199.234.170
  • 69.65.43.70
  • boababsshake.pro
  • gipolaretsr.info
  • jiqtreabopas.com
  • kiplonafrey.info
  • lospaherata.com
  • objectionableboosting.info
  • voloferad.info
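The servers listed above can be hunted for in DNS resolver logs. The script below is an added example, not part of the original analysis: it scans constructed resolver log lines (the format "<time> <host> <query> -> <answers>" and the host names are assumptions) and reports a line when either the queried name is one of the listed domains or a subdomain of it, or an answer is one of the listed IP addresses. The domain test is a proper suffix match so that a name such as "notvoloferad.info" does not produce a false hit.

```python
"""Match Sinowal network indicators against DNS resolver log lines.
Added example; the log lines are constructed, not a real capture."""
import ipaddress

SINOWAL_IPS = {"206.225.82.45", "5.10.65.138", "65.23.129.102", "66.199.234.170", "69.65.43.70"}
SINOWAL_DOMAINS = {
    "boababsshake.pro", "gipolaretsr.info", "jiqtreabopas.com", "kiplonafrey.info",
    "lospaherata.com", "objectionableboosting.info", "voloferad.info",
}

# Constructed log lines (assumed format: "<time> <host> <query> -> <answers>";
# benign addresses are from the documentation ranges).
SAMPLE_LOG = """\
2012-09-07T10:01:22Z WS-042 www.example.com -> 198.51.100.20
2012-09-07T10:01:31Z WS-042 cdn.LOSPAHERATA.com. -> 69.65.43.70
2012-09-07T10:02:05Z WS-017 notvoloferad.info -> 203.0.113.9
2012-09-07T10:02:40Z WS-017 update.example.net -> 5.10.65.138
2012-09-07T10:03:11Z WS-099 boababsshake.pro -> NXDOMAIN
"""


def domain_matches(name, iocs):
    """True when name equals an IOC domain or is a subdomain of one.
    Trailing dots and case are normalised; a bare substring test would also
    match unrelated names that merely contain an IOC."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in iocs)


def scan_dns_log(text):
    """Return (timestamp, host, reasons) for every line that touches an indicator.
    Both sides of the record are checked: a sinkholed or re-registered domain may
    resolve to a new address, and a fresh domain may still point at a listed IP."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, query, _, answers = line.split(maxsplit=4)
        reasons = []
        if domain_matches(query, SINOWAL_DOMAINS):
            reasons.append(f"query {query} is a Sinowal domain")
        for answer in answers.split(","):
            try:
                ip = str(ipaddress.ip_address(answer.strip()))
            except ValueError:          # NXDOMAIN, SERVFAIL, CNAME targets, etc.
                continue
            if ip in SINOWAL_IPS:
                reasons.append(f"resolved to Sinowal server {ip}")
        if reasons:
            hits.append((ts, host, reasons))
    return hits


if __name__ == "__main__":
    for ts, host, reasons in scan_dns_log(SAMPLE_LOG):
        print(f"{ts} {host}: {'; '.join(reasons)}")
```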




Analysis by Marian Radu

Last update 07 September 2012
