Win32/PSW.Sinowal [Threat Name]

Win32/PSW.Sinowal.NAG [Threat Variant Name]

Category trojan
Aliases Trojan-PSW.Win32.Sinowal.co (Kaspersky)
Short description

Win32/PSW.Sinowal.NAG is a trojan that steals passwords and other sensitive information.

Installation

When executed, the trojan copies itself into the %temp% folder using the following name:

  • clea%num%.dll

The %num% represents a random number.


The trojan registers itself as a system service using the following name:

  • ldrsvc

Two files are downloaded from the Internet.


The files are stored in one of the following folders:

  • %commonfiles%\Microsoft Shared\Web Folders
  • %system%\..\temp

The following names are used:

  • ibm%num%.dll

The %num% represents a random number.


The trojan modifies the following file:

  • %system%\drivers\etc\hosts

The trojan deletes the original executable and the ldrsvc service.

Information stealing

The trojan collects the following information:

  • computer IP address
  • computer name
  • e-mail accounts data
  • FTP account information
  • passwords
  • Internet Explorer Favorites

The programs affected include the following:

  • AK-Mail
  • Crystal FTP Pro
  • Eudora
  • FAR
  • FlashFXP
  • GlobalSCAPE
  • Ipswitch
  • LeechFTP
  • Microsoft Outlook
  • Microsoft Outlook Express
  • Rhino Software
  • StarFinanz
  • The Bat
  • Thunderbird
  • TRELLIAN

The trojan interferes with communication when any of the following sites is accessed:

  • cib.ibanking-services.com
  • banking.raiffeisen.at
  • bankingportal.naspa.de
  • ykb.teleweb.com.tr
  • *vr-*ebanking.de
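The following is an added detection helper, not part of the original ESET entry: it flags hosts-file entries that point any of the sites listed above somewhere, and recognises the clea%num%.dll / ibm%num%.dll file names from the Installation section. The sample hosts text and the 203.0.113.10 address are constructed for the example; the page does not say which address the hosts modification uses.

```python
import re
import fnmatch

# Sites the page lists as intercepted; the last entry is a wildcard pattern
# exactly as the page gives it, so fnmatch is used rather than equality.
TARGET_SITES = [
    "cib.ibanking-services.com",
    "banking.raiffeisen.at",
    "bankingportal.naspa.de",
    "ykb.teleweb.com.tr",
    "*vr-*ebanking.de",
]

# Dropped-file names from the page: clea%num%.dll and ibm%num%.dll.
DROPPED_NAME_RE = re.compile(r"^(clea|ibm)\d+\.dll$", re.IGNORECASE)


def site_matches(host):
    """True if host matches any listed site (fnmatch handles the * wildcard)."""
    return any(fnmatch.fnmatchcase(host.lower(), p) for p in TARGET_SITES)


def suspicious_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs in a hosts file that map a listed banking
    site to an address; a clean hosts file normally contains none of them."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            if site_matches(name):
                hits.append((ip, name))
    return hits


def is_dropped_name(filename):
    """True for file names of the clea<digits>.dll / ibm<digits>.dll form."""
    return bool(DROPPED_NAME_RE.match(filename))


# Constructed sample hosts file (not taken from an infected machine).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
203.0.113.10    banking.raiffeisen.at
203.0.113.10    www.vr-musterbank-ebanking.de
"""

if __name__ == "__main__":
    for ip, name in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts file redirects {name} -> {ip}")
```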

The collected information is stored in the following folder:

  • %system%\..\temp

The trojan can send the information to a remote machine.


The HTTP protocol is used.

Other information

The trojan opens a random port.


A proxy is listening there.
