Win32/PSW.Sinowal [Threat Name]

Win32/PSW.Sinowal.NAG [Threat Variant Name]

Category trojan
Aliases (Kaspersky)
Short description

Win32/PSW.Sinowal.NAG is a trojan that steals passwords and other sensitive information.


When executed, the trojan copies itself into the %temp% folder using the following name:

  • clea%num%.dll

The %num% represents a random number.

The trojan registers itself as a system service using the following name:

  • ldrsvc

Two files are downloaded from the Internet.

The files are stored in one of the following folders:

  • %commonfiles%\Microsoft Shared\Web Folders
  • %system%\..\temp

The following names are used:

  • ibm%num%.dll

The %num% represents a random number.

The trojan modifies the following file:

  • %system%\drivers\etc\hosts

The trojan deletes the original executable and the ldrsvc service.
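The installation steps above give three things a responder can look for on a suspect host: the dropped file names, the service name and the hosts file edit. The following is an added example (not ESET's code) of an offline triage helper for exactly those artifacts. It runs on constructed inputs (a file listing, a service list and a hosts file as text) so it works on any OS; the default values chosen for the %temp%, %commonfiles% and %system% placeholders are assumptions, and on a live Windows host you would resolve them from the environment and feed in real directory listings, `sc query` output and the real hosts file.

```python
"""Offline triage for the installation artifacts listed above.

Added example, not ESET's code.  It runs on constructed inputs (a file
listing, a service list and a hosts file as text) so it works on any OS;
on a live Windows host you would feed it real directory listings,
`sc query` output and %SystemRoot%\\System32\\drivers\\etc\\hosts.
"""
import ntpath
import re

# Default values for the placeholders used in the description.  These are
# assumptions for the example; on a real host resolve them from the
# environment (%TEMP%, %CommonProgramFiles%, %SystemRoot%\System32).
PLACEHOLDERS = {
    "%temp%": r"C:\Users\user\AppData\Local\Temp",
    "%commonfiles%": r"C:\Program Files\Common Files",
    "%system%": r"C:\Windows\System32",
}

# (folder, file-name regex) pairs from the description; %num% is a random
# number, so it is matched as one or more decimal digits.
DROP_PATTERNS = [
    (r"%temp%", r"clea\d+\.dll"),
    (r"%commonfiles%\Microsoft Shared\Web Folders", r"ibm\d+\.dll"),
    (r"%system%\..\temp", r"ibm\d+\.dll"),
]
SERVICE_NAME = "ldrsvc"
LOCAL_ADDRESSES = {"127.0.0.1", "::1", "0.0.0.0"}


def expand(path):
    """Substitute placeholders and collapse '..', so %system%\\..\\temp
    becomes C:\\Windows\\temp.  ntpath is used so this also runs on Linux."""
    for key, value in PLACEHOLDERS.items():
        path = path.replace(key, value)
    return ntpath.normpath(path)


def match_artifacts(paths):
    """Return (path, regex) pairs for files whose folder and name match a
    documented drop location.  Comparison is case-insensitive (NTFS is)."""
    hits = []
    for raw in paths:
        folder, name = ntpath.split(ntpath.normpath(raw))
        for drop_folder, name_re in DROP_PATTERNS:
            if folder.lower() == expand(drop_folder).lower() and \
                    re.fullmatch(name_re, name, re.IGNORECASE):
                hits.append((raw, name_re))
    return hits


def classify_hosts(hosts_text):
    """Return (kind, hostname, address) for every active hosts entry other
    than 'localhost'.  A name pointed at a loopback address is a 'block'
    (the site becomes unreachable); any other address is a 'redirect'.
    The description says only that the hosts file is modified, not what is
    written, so every hit needs manual review."""
    findings = []
    for line in hosts_text.splitlines():
        body = line.split("#", 1)[0].strip()
        if not body:
            continue
        address, *names = body.split()
        for name in names:
            name = name.lower()
            if name == "localhost":
                continue
            kind = "block" if address in LOCAL_ADDRESSES else "redirect"
            findings.append((kind, name, address))
    return findings


def triage(paths, services, hosts_text):
    """Combine the three checks into one report."""
    return {
        "files": match_artifacts(paths),
        "service_present": SERVICE_NAME in {s.lower() for s in services},
        "hosts": classify_hosts(hosts_text),
    }


# Constructed sample data for a run without a Windows host.
SAMPLE_PATHS = [
    r"C:\Users\user\AppData\Local\Temp\clea4821.dll",
    r"C:\Users\user\AppData\Local\Temp\cleanup.log",
    r"C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm1093.dll",
    r"C:\Windows\System32\..\temp\IBM77.DLL",
    r"C:\Windows\System32\ibm.dll",
]
SAMPLE_SERVICES = ["wuauserv", "ldrsvc", "Dnscache"]
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#       127.0.0.1       localhost
127.0.0.1       localhost
10.0.0.5        banking.example
127.0.0.1       update.example
"""

if __name__ == "__main__":
    report = triage(SAMPLE_PATHS, SAMPLE_SERVICES, SAMPLE_HOSTS)
    for path, _ in report["files"]:
        print("artifact:", path)
    print("ldrsvc present:", report["service_present"])
    for kind, name, address in report["hosts"]:
        print(f"hosts {kind}: {name} -> {address}")
```

Because the trojan removes the ldrsvc service once it has installed, an absent service does not clear a host: the downloaded ibm%num%.dll copies and the hosts file edit remain, and the earlier service creation can still be found in the System event log (Service Control Manager event ID 7045 on Windows Vista and later).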

Information stealing

The trojan collects the following information:

  • computer IP address
  • computer name
  • e-mail accounts data
  • FTP account information
  • passwords
  • Internet Explorer Favorites

The programs affected include the following:

  • AK-Mail
  • Crystal FTP Pro
  • Eudora
  • FAR
  • FlashFXP
  • GlobalSCAPE
  • Ipswitch
  • LeechFTP
  • Microsoft Outlook
  • Microsoft Outlook Express
  • Rhino Software
  • StarFinanz
  • The Bat
  • Thunderbird

The trojan interferes with communication when any of the following sites is accessed:

  • *vr-*
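The interception target is given only as the wildcard `*vr-*`, and the practical question is which hostnames that covers. The following added example (not ESET's code) translates the wildcard into a regular expression and applies it to the hostname of each URL. It assumes the match is made against the hostname rather than the full URL and is case-insensitive; the URL list is constructed for illustration and refers to no real site.

```python
"""Which hostnames the wildcard '*vr-*' from the description covers.

Added example, not ESET's code.  The description gives the interception
target only as that wildcard; this translates it to a regex and applies
it to the hostname of each URL.  Assumptions: the match is made against
the hostname (not the full URL) and is case-insensitive; the URL list is
constructed for illustration.
"""
import re
from urllib.parse import urlsplit

INTERCEPT_PATTERNS = ["*vr-*"]


def glob_to_regex(pattern):
    """Translate a wildcard pattern: '*' matches any run of characters,
    '?' a single character, everything else literally.  fnmatch is not used
    because its case handling depends on the host OS."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


COMPILED = [glob_to_regex(p) for p in INTERCEPT_PATTERNS]


def is_targeted(url):
    """True if the URL's hostname matches any interception pattern."""
    host = urlsplit(url).hostname or ""
    return any(rx.match(host) for rx in COMPILED)


def targeted(urls):
    """Filter a list of URLs down to those the trojan would interfere with."""
    return [u for u in urls if is_targeted(u)]


# Constructed URLs; none refers to a real site.
SAMPLE_URLS = [
    "https://www.vr-bank.example/login",   # 'vr-' in the host: matched
    "https://Online.VR-Demo.example/",     # upper case: matched
    "https://servr-status.example/",       # 'vr-' as a substring: matched too
    "https://www.vrbank.example/",         # no hyphen: not matched
    "https://bank.example/vr-login",       # 'vr-' only in the path: not matched
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(("targeted  " if is_targeted(url) else "ignored   ") + url)
```

The leading and trailing `*` make this a substring test: any hostname containing `vr-` is covered, not a fixed list of sites. If the trojan matched the complete URL instead of the hostname, the last sample URL would be intercepted as well, so when checking whether a given site is affected, test both forms.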

The collected information is stored in the following folder:

  • %system%\..\temp

The trojan can send the information to a remote machine.

The HTTP protocol is used.

Other information

The trojan opens a random port.

A proxy is listening there.
