Virus Encyclopedia
Welcome to the Virus Encyclopedia of Panda Security.
Effects
Sinowal.VZR carries out the following actions:
- It deletes the browser's cookies and history so that users have to retype the web addresses they visit and re-enter their username and password on each website.
- It monitors the user's browsing; when the user visits the website of one of the targeted banking entities, the Trojan activates and logs the data entered in that site's forms.
- In this way it obtains the user's login credentials for their banking entity.
- It sends the stolen information to its creator via FTP.
Infection strategy
Sinowal.VZR creates the following files in the Windows system directory:
- TWEX.EXE, which is a copy of the Trojan.
- USER.DS, in a subfolder called twain that the Trojan creates itself. It stores the stolen information in this file.
- LOCAL.DDS, in a subfolder called twain32 that the Trojan creates itself. This is the Trojan's configuration file.
Sinowal.VZR creates the following entries in the Windows Registry:
- HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Network
  UID = %computername_8characters%
- HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Network
  UID = %computername_8characters%
These entries are created as an infection mark.
Sinowal.VZR modifies the following entry from the Windows Registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Userinit = %sysdir%\userinit.exe
where %sysdir% is the Windows system directory.
It changes this entry to:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Userinit = %sysdir%\userinit.exe,%sysdir%\twex.exe,
By modifying this entry, Sinowal.VZR ensures that it is run whenever Windows is started.
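As an added example (not code from the Panda Security entry), the following Python parses a `reg export` text of the keys described above and reports both a hijacked Userinit value (any program beyond the stock userinit.exe) and the Network\UID infection marks; the .reg sample is constructed, and a real check would be run against an export taken from the suspect machine.

```python
import re

# Constructed sample of a "reg export" of the two keys discussed above.
# Backslashes and quotes are escaped exactly as a .reg file stores them.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\twex.exe,"

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Network]
"UID"="DESKTOP1"
"""

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
NETWORK_KEYS = (
    r"HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Network",
    r"HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Network",
)
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # REG_SZ values only


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            # undo the .reg escaping of backslashes and double quotes
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
    return keys


def userinit_extras(keys):
    """Programs in Winlogon\\Userinit other than the stock userinit.exe; any extra is suspect."""
    value = keys.get(WINLOGON, {}).get("Userinit", "")
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower().rsplit("\\", 1)[-1] != "userinit.exe"]


def infection_marks(keys):
    """Return the Network\\UID values Sinowal.VZR writes as infection marks, if present."""
    return {k: keys[k]["UID"] for k in NETWORK_KEYS if "UID" in keys.get(k, {})}


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG)
    print("extra Userinit programs:", userinit_extras(parsed))
    print("infection marks:", infection_marks(parsed))
```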
Means of transmission
Sinowal.VZR is being distributed in email messages that appear to come from airlines, informing users that a certain sum of money has been charged to their account.
The message carries an attached zip file named eTicket_%5randomdigits%.zip. If this file is decompressed and the exe file inside it is run, a copy of the Trojan is downloaded to the affected computer.
The original entry included an image of an example message used to distribute this Trojan.
Further Details
Sinowal.VZR is 20,419 bytes in size.