Virus Encyclopedia
Welcome to the Virus Encyclopedia of Panda Security.
Effects
Sinowal.WRN carries out the following actions:
- It reaches the computer in an email message related to the H1N1 virus (swine flu).
- The subject of the message can be one of the following:
Governmental registration program on the H1N1 vaccination
State Vaccination H1N1 Program
Your personal Vaccination Profile
Create your personal Vaccination Profile
State Vaccination Program
Creation of personal Vaccination Profile
Instructions on creation of your personal Vaccination Profile
- The message informs users of a false H1N1 vaccination program and requires them to create a personal vaccination profile by accessing a certain website. The message includes a link to that website.
- The following is an example of the email message in which Sinowal.WRN is being distributed:

- If users follow the link, they will be redirected to a website like the following, which contains a message requiring users to download a document in order to create their vaccination profile:

- When this file is run, the computer will be infected by Sinowal.WRN, which is designed to steal confidential information from the computer and the user.
- The information it gathers is stored in several files, which are then sent to its creator.
Infection strategy
Sinowal.WRN creates a copy of itself with the name SDRA64.EXE, in the Windows system directory.
Additionally, it creates the following files, where it stores the information it has obtained:
- LOCAL.DS and USER.DS, in the folder lowsec, created by itself, in the Windows system directory.
- 8.TMP and 9.TMP, in the folder Temp of the Windows directory.
Sinowal.WRN modifies the following entries from the Windows Registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
windowsl1vi = %sysdir%\%random file%.exe
where %sysdir% is the Windows system directory and %random file% is the filename with which the Trojan is copied.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon
Userinit = %sysdir%\userinit.exe,
where %sysdir% is the Windows system directory.
It changes this entry to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon
Userinit = %sysdir%\userinit.exe,%sysdir%\sdra64.exe,
By modifying this entry, Sinowal.WRN ensures that it is run whenever Windows is started.
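A check for the Userinit change described above, as an added example that is not part of the original entry: it splits a Userinit value into its comma-separated programs and reports anything other than userinit.exe in the system directory. The function name, the default system directory and the sample values are assumptions made for illustration.

```python
import ntpath

# Assumption: default system directory; pass another value for other installs.
DEFAULT_SYSDIR = r"C:\Windows\system32"
KNOWN_BAD = {"sdra64.exe"}  # file name given in the description above


def audit_userinit(value, sysdir=DEFAULT_SYSDIR):
    """Return a list of (entry, reason) findings for a Winlogon Userinit value.

    The value is a comma-separated list of programs; a clean one holds only
    userinit.exe from the system directory (a trailing comma is normal).
    """
    expected = ntpath.normcase(ntpath.join(sysdir, "userinit.exe"))
    findings = []
    for raw in value.split(","):
        entry = raw.strip().strip('"')
        if not entry:
            continue  # the empty field after the trailing comma
        # Expand the %sysdir% placeholder used in the write-up, if present.
        if entry.lower().startswith("%sysdir%"):
            entry = sysdir + entry[len("%sysdir%"):]
        path = ntpath.normcase(ntpath.normpath(entry))
        name = ntpath.basename(path)
        if name in KNOWN_BAD:
            findings.append((entry, "file name matches Sinowal.WRN copy"))
        elif path != expected:
            # Also catches a userinit.exe that lives outside the system directory.
            findings.append((entry, "unexpected program in Userinit"))
    return findings


# Constructed sample values, not taken from a real host.
SAMPLES = {
    "clean": r"C:\Windows\system32\userinit.exe,",
    "infected": r"C:\Windows\system32\userinit.exe,C:\Windows\system32\sdra64.exe,",
    "other": r"C:\Windows\system32\userinit.exe,C:\Temp\x.exe",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(label, audit_userinit(value))
```

On a live host the input would be the Userinit value read from the Winlogon key; the function itself only inspects the string it is given.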
Means of transmission
Sinowal.WRN does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.
Further Details
Sinowal.WRN is 130,048 bytes in size.