Trojan.Pws.Sinowal.AU
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Trojan.Pws.Sinowal.AU is also known as Trojan-PSW.Win32.Sinowal.co, W32/Backdoor.AJNU, Win32/PSW.Sinowal.Gen., TR/PSW.Sinowal.AU.
Explanation:
This arrives as a single file of 89088 bytes, usually delivered through browser exploits. When executed it drops two files, ibm00001.dll (49664 bytes) and ibm00002.dll (42496 bytes), into the folder c:\program files\common files\microsoft shared\web folders and registers a service named "gb" so that the malware is started again after a reboot. ibm00001.dll implements the service and is the persistence component. ibm00002.dll is injected into every running process and performs the following actions:

- Contacts the control server, which has the DNS name "vgnyarm.com" (currently resolving to 194.146.207.12), with "hurbia52.com" and "flickor32.com" as backup servers.
- Receives a list of banking sites.
- Whenever one of these banking sites is accessed, a popup window is generated. Its contents are fetched from the control server and its caption is changed to "Advanced card verification" to hide the fact that it is a browser window.
- Additionally, the contents of form fields whose names contain at least one of the strings "login", "user", "name", "pass" or "auth" are captured and relayed back to the server.
- The malware works with both Internet Explorer and Firefox / Mozilla.

Last update 21 November 2011
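As an added example (not part of the BitDefender write-up), the checks below match a host's file listing, service list and DNS log lines against the indicators given above; the sample data and the DNS log line format are constructed assumptions.

```python
# Added defender-side indicator checks for the Sinowal.AU write-up above.
# Paths, sizes, service name, domains and IP come from the page; the sample
# file listing, service list and DNS log lines are constructed for the demo.
import re

DROP_DIR = r"c:\program files\common files\microsoft shared\web folders"
DROPPED = {"ibm00001.dll": 49664, "ibm00002.dll": 42496}
SERVICE_NAME = "gb"
C2_DOMAINS = {"vgnyarm.com", "hurbia52.com", "flickor32.com"}
C2_IP = "194.146.207.12"
DNS_RE = re.compile(r"query: (?P<name>\S+) .*?answer: (?P<ip>[\d.]+)")

def check_dropped_files(listing):
    """listing: (path, size) pairs. Returns (name, size_matches) for each
    indicator file found in the drop directory; a size mismatch is still
    reported, since repacked variants may keep the name but not the size."""
    hits = []
    for path, size in listing:
        folder, _, name = path.lower().rpartition("\\")
        if folder == DROP_DIR and name in DROPPED:
            hits.append((name, size == DROPPED[name]))
    return hits

def check_service(services):
    """True if the persistence service "gb" is present in a service list."""
    return any(s.lower() == SERVICE_NAME for s in services)

def scan_dns_log(lines):
    """Returns (line_no, reason) for lines that resolve a C2 domain or
    receive the C2 IP (catches the IP even under a changed DNS name)."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = DNS_RE.search(line)
        if not m:
            continue
        name = m.group("name").lower().rstrip(".")
        if name in C2_DOMAINS:
            hits.append((n, "c2 domain " + name))
        elif m.group("ip") == C2_IP:
            hits.append((n, "c2 ip " + C2_IP))
    return hits

# constructed sample host/network data (sizes and IPs other than the page's are made up)
SAMPLE_FILES = [(DROP_DIR + r"\ibm00001.dll", 49664),
                (DROP_DIR + r"\ibm00002.dll", 42496),
                (r"c:\windows\system32\kernel32.dll", 1000000)]
SAMPLE_SERVICES = ["Dnscache", "gb", "Spooler"]
SAMPLE_DNS = ["12:00:01 query: www.example.com A answer: 93.184.216.34",
              "12:00:05 query: vgnyarm.com A answer: 194.146.207.12",
              "12:00:09 query: cdn.other.test A answer: 194.146.207.12"]
```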