Active Scan. Scan your PC free
Download Cloud Antivirus Gratis

Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Threat LevelHigh threatDamageSevereDistributionNot widespread


Sinowal.CR carries out the following actions:

  • It harvests information from the computer, such as passwords and other data stored by:
    - Protected Storage.
    - FTP servers configured in the program FlashFXP.
    - The email clients Ak-Mail, Eudora and The Bat.
    - Internet Explorer and Firefox bookmarks.
  • In order to obtain more usernames and passwords, it deletes the cookies of the users, making them enter again their username and password in order to access certain websites.
    These cookies may contain data from different web mail services, among others. This way, when the users enter their data again, Sinowal.CR can obtain them, as it monitors the data streams of the Internet connections.
  • It obtains information about the computer such as the IP address, the name of the system, geographic area, opened ports, etc.
  • It publishes the gathered information in certain servers.
  • It downloads an update of itself.

Infection strategy 

Sinowal.CR creates the following files:

  • IBM?????.EXE in the subfolder COMMON FILES\MICROSOFT SHARED\WEB FOLDERS of the Program Files directory. This file is a copy of the Trojan.
    where ????? stands for five random numbers.
  • IBM?????.DLL and IBM?????.DLL in the subfolder COMMON FILES\MICROSOFT SHARED\WEB FOLDERS of the Program Files directory.
    where ????? stands for five random numbers.
  • Several temporary files, named $_???????.TMP in the subfolder TEMP of the Windows directory.
    where ???????? stands for seven random numbers.


Sinowal.CR creates the following entry in the Windows Registry:

  • HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Run
    shell = C:\Archivos de programa\Archivos comunes\Microsoft Shared\Web Folders\ibm
    where ????? stands for five random numbers.
    By creating this entry, Sinowal.CR ensures that it is run whenever Windows is started.

Means of transmission 

Sinowal.CR does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.

Further Details  

Sinowal.CR is written in the programming language Visual C++ v.6. This Trojan is 73,728 bytes in size.