Effects

Sinowal.WHZ is designed to steal the user's confidential information, such as passwords for various web services or banking entities.

Infection strategy

Sinowal.WHZ creates the following files in the Windows system directory:

- GRPCONV.EXE and SDRA64.EXE, which are copies of the Trojan.
- PROQUOTA.EXE

Sinowal.WHZ modifies the following Windows Registry entry:

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Userinit = %sysdir%\userinit.exe
  where %sysdir% is the Windows system directory.

It changes this entry to:

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Userinit = %sysdir%\userinit.exe,%sysdir%\sdra64.exe

By modifying this entry, Sinowal.WHZ ensures that it is run whenever Windows is started.
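The Userinit value is a comma-separated list that Winlogon executes at logon, which is why appending sdra64.exe to it gives the Trojan persistence. The following PowerShell check, added here as an example and not part of the original advisory, reads that value on the local host and flags any entry other than the expected userinit.exe; it assumes it is run with permission to read HKLM and that the system directory is %SystemRoot%\system32.

```powershell
# Added example (not from the original advisory): audit the Winlogon
# Userinit value that Sinowal.WHZ modifies. Only userinit.exe is expected;
# any extra comma-separated entry (the advisory describes sdra64.exe being
# appended) is reported for review.
$key      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$value    = (Get-ItemProperty -Path $key -Name Userinit).Userinit
$expected = Join-Path $env:SystemRoot 'system32\userinit.exe'

# Windows tolerates a trailing comma, so drop empty entries after splitting.
$entries = $value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

Write-Host "Userinit = $value"
$suspicious = @()
foreach ($entry in $entries) {
    if ($entry -ieq $expected) { continue }
    $suspicious += $entry
}

if ($suspicious.Count -eq 0) {
    Write-Host 'Userinit contains only the expected userinit.exe entry.'
} else {
    Write-Warning 'Unexpected Userinit entries (possible logon persistence):'
    foreach ($s in $suspicious) {
        # Report whether the referenced file still exists on disk.
        $present = Test-Path -LiteralPath $s
        Write-Warning ("  {0}  (file present: {1})" -f $s, $present)
    }
}

# Also look for the file names the advisory lists in the system directory.
# A matching name alone is not proof of infection; confirm with a scanner.
$sysdir = Join-Path $env:SystemRoot 'system32'
foreach ($name in 'grpconv.exe', 'sdra64.exe', 'proquota.exe') {
    $path = Join-Path $sysdir $name
    if (Test-Path -LiteralPath $path) { Write-Host "Found: $path" }
}
```

Remediation of a modified Userinit value should restore it to the single userinit.exe entry shown above rather than deleting the value, since Winlogon needs it to complete logon.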
Means of transmission

Sinowal.WHZ reaches the computer attached to an email message that appears to have been sent by the UPS company. The message has the following characteristics:

- Sender: United Parcel Service of America
- Subject: Postal Tracking #%random characters%
- Message:
  Hello!
  We were not able to deliver postal package you sent on the 14th of March in time because the recipients address is not correct. Please print out the invoice copy attached and collect the package at our office.
  Your United Parcel Service of America
- Attachment: UPS_FAX_%random characters%

The attached file passes itself off as an Excel file in order to deceive users. In fact, it is a copy of the Trojan.

However, Sinowal.WHZ does not spread automatically by its own means. It requires the intervention of an attacking user in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.

Further Details

Sinowal.WHZ is 57,856 bytes in size.