Effects
Sinowal.FY carries out the following actions:
- Encrypts all the files with any of the following extensions: 12M, 3DS, 3DX, 4GE, 4GL, 7Z, A, A86, ABC, ACD, ACE, ACT, ADA, ADI, AEX, AF3, AFD, AG4, AI, AIF, AIFC, AIFF, AIN, AIO, AIS, AKF, ALV, AMP, ANS, AP, APA, APO, APP, ARC, ARH, ARJ, ARX, ASC, ASM, ASK, AU, BAK, BAS, BB, BCB, BCP, BDB, BH, BIB, BPR, BSA, BTR, BUP, BWB, BZ, BZ2, C, C86, CAC, CBL, CC, CDB, CDR, CGI, CMD, CNT, COB, COL, CPP, CPT, CRP, CRU, CSC, CSS, CSV, CTX, CVS, CWB, CWK, CXE, CXX, CYP, D, DB, DB0, DB1, DB2, DB3, DB4, DBA, DBB, DBC, DBD, DBE, DBF, DBK, DBM, DBO, DBQ, DBT, DBX, DFM, DJVU, DIC, DIF, DM, DMD, DOC, DOK, DOT, DOX, DSC, DWG, DXF, DXR, EPS, EXP, F, FAS, FAX, FDB, FLA, FLB, FRM, FM, FOX, FRT, FRX, FSL, GTD, GIF, GZ, GZIP, H, HA, HH, HJT, HOG, HPP, HTM, HTML, HTX, ICE, ICF, INC, ISH, ISO, JAR, JAD, JAVA, JPG, JPEG, JS, JSP, KEY, KWM, LST, LWP, LZH, LZS, LZW, MA, MAK, MAN, MAQ, MAR, MBX, MDB, MDF, MID, MO, MYD, OBJ, OLD, P12, PAK, PAS, PDF, PEM, PFX, PHP, PHP3, PHP4, PGP, PKR, PL, PM3, PM4, PM5, PM6, PNG, PPT, PPS, PRF, PRX, PS, PSD, PST, PW, PWA, PWL, PWM, PWP, PXL, PY, RAR, RES, RLE, RMR, RND, RTF, SAFE, SAR, SKR, SLN, SWF, SQL, TAR, TBB, TEX, TGA, TGZ, TIF, TIFF, TXT, VB, VP, WPS, XCR, XLS, XML and ZIP.
These extensions include Word documents, Excel spreadsheets, Access databases, text files, JPG pictures, files compressed using WinZip, WinRAR and ARJ, etc.
- The user will not be able to open those files until they are decrypted. Sinowal.FY instructs users to write to an email address in order to buy the decryption tool.
- It connects to the website http://marti<blocked>.net/pajero, where it stores a record of the infections it has made: computer name, IP address, and infection date and time.
Infection strategy
Sinowal.FY creates the following files:
- NTOS.EXE, in the Windows system directory. This file is a copy of the Trojan.
- ??.TMP in the Windows temporary directory, where ?? stands for two random characters.
- AUDIO.DLL and VIDEO.DLL in the WSNPOEM subfolder of the Windows system directory, which the Trojan creates itself.
- READ_ME.TXT. It creates a file like this in each subfolder in which it has encrypted any file. This text file contains the following message:
Hello,
your files are encrypted with RSA-4096 algorithm
(http://en.wikipedia.org/wiki/RSA).
You will need at least few years to decrypt these files without our
software. All your private information for last 3 months were
collected and sent to us.
To decrypt your files you need to buy our software. The price is $300.
To buy our software please contact us at: trista<blocked>lam@gmail.com and provide us
your personal code -1270430. After successful purchase we will send
your decrypting tool, and your private information will be deleted
from our system.
If you will not contact us until 07/15/2007 your private information
will be shared and you will lost all your data.
Glamorous team
Sinowal.FY modifies all the files with the extensions listed above under Effects, as it encrypts them.
Sinowal.FY creates the following entry in the Windows Registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
WinCode = %encryption key%
where %encryption key% is a random value used as the reference key of the file encryption. Back up this value before disinfecting the computer, since it is the only local reference to the key used on the encrypted files.
Sinowal.FY modifies the following entry in the Windows Registry:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit = %sysdir%\userinit.exe
where %sysdir% is the Windows system directory.
It changes this entry to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit = %sysdir%\userinit.exe, %sysdir%\ntos.exe
UserInit is a comma-separated list of programs that Winlogon runs at every user logon. By appending its own copy (NTOS.EXE) to that list, Sinowal.FY ensures that it is run whenever a user logs on to Windows.
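The two indicators above (the extra entry in the Winlogon UserInit value, and the READ_ME.TXT note dropped in every folder where something was encrypted) are the ones a responder would check first. The following is an added example, not code from the original page or from any vendor tool: it parses a UserInit value offline and flags any entry other than the legitimate %sysdir%\userinit.exe, and it sweeps a directory tree for READ_ME.TXT notes carrying the phrase from the message shown above. The sample UserInit strings and the small directory tree it builds are constructed for the demonstration; the registry read and the real drive to sweep are assumed to be supplied by the caller.

```python
"""Offline triage helpers for the Sinowal.FY indicators described above.

Added example (not the page's or a vendor's code). The registry value and
the directory tree are assumed to be supplied by the caller; the sample
data built here is constructed for the demonstration.
"""
import ntpath
import os
import shutil
import tempfile

# Legitimate logon helper that the default UserInit value points at.
LEGIT_USERINIT = "userinit.exe"

# Note dropped per folder and a phrase taken from the message shown above.
NOTE_NAME = "READ_ME.TXT"
NOTE_MARKER = "your files are encrypted with RSA-4096"


def unexpected_userinit_entries(userinit_value, sysdir=r"C:\Windows\system32"):
    """Return every entry of a Winlogon UserInit value that is not
    %sysdir%\\userinit.exe.

    Winlogon runs each comma-separated entry at logon, which is what the
    Trojan abuses by appending ntos.exe. The default value carries a
    trailing comma, so empty entries are skipped; the comparison is
    case-insensitive because Windows paths are. The default sysdir is an
    assumption for the demonstration; pass the real one in production.
    """
    expected = ntpath.join(sysdir, LEGIT_USERINIT).lower()
    suspicious = []
    for raw in userinit_value.split(","):
        entry = raw.strip().strip('"')
        if not entry or entry.lower() == expected:
            continue
        suspicious.append(entry)
    return suspicious


def find_ransom_notes(root):
    """Walk root and return the directories holding a READ_ME.TXT whose text
    contains NOTE_MARKER. Because the Trojan drops one note per folder in
    which it encrypted a file, this list doubles as a map of affected folders.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.upper() != NOTE_NAME:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable note: skip rather than abort the sweep
            if NOTE_MARKER in text:
                hits.append(dirpath)
    return sorted(hits)


def build_sample_tree():
    """Construct a throwaway tree: two folders with a note, one without.
    Folder names and note text are constructed for this example only."""
    root = tempfile.mkdtemp(prefix="sinowal_demo_")
    for sub, infected in (("docs", True), ("photos", True), ("clean", False)):
        folder = os.path.join(root, sub)
        os.makedirs(folder)
        with open(os.path.join(folder, "file.txt"), "w") as fh:
            fh.write("placeholder\n")
        if infected:
            with open(os.path.join(folder, NOTE_NAME), "w") as fh:
                fh.write("Hello,\nyour files are encrypted with RSA-4096 algorithm\n")
    return root


def demo_note_sweep():
    """Build the sample tree, sweep it, and return the affected folder names
    relative to the tree root (the tree is removed afterwards)."""
    root = build_sample_tree()
    try:
        return [os.path.relpath(p, root) for p in find_ransom_notes(root)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    clean = r"C:\Windows\system32\userinit.exe,"
    infected = r"C:\Windows\system32\userinit.exe, C:\Windows\system32\ntos.exe"
    print("clean UserInit  ->", unexpected_userinit_entries(clean))
    print("infected UserInit ->", unexpected_userinit_entries(infected))
    print("folders with ransom note:", demo_note_sweep())
```

On a live system the UserInit value would be read from HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon and fed to unexpected_userinit_entries, and find_ransom_notes would be pointed at each fixed drive; the note sweep is the quicker way to scope which folders need restoring from backup.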
Means of transmission
Sinowal.FY does not spread automatically using its own means. It needs the intervention of an attacker in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels and peer-to-peer (P2P) file sharing networks.
Further Details
Sinowal.FY is 40,448 bytes in size.