Active Scan. Scan your PC free
Download Cloud Antivirus Gratis

Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Threat LevelLow threatDamageHighDistributionNot widespread


Sinowal.WTF is designed to steal information from the computer and the user, as it logs the keystrokes typed by the user. This way, it could obtain passwords, usernames, email addresses, etc.

On the other hand, Sinowal.WTF carries out the following actions:

  • It reaches the computer in an email message that seems to have been sent by the MySpace team.
  • The following is an example of the email message in which Sinowal.WTF is being distributed:

    MySpace message used to distribute Sinowal.WTF
  • The message informs users that their password has been changed for security reasons and that they can check the new one in the attached document.
  • The attached document has the following appearance:

    Attached file in the MySpace email
  • When it is decompressed, a file is displayed which seems to be a Word document containing the password:

    Icon of the file in which Sinowal.WTF reaches the computer
  • However, if the file is run, the computer will be affected by Sinowal.WTF.

Infection strategy 

Sinowal.WTF creates the following files:

  • SDRA64.EXE, in the Windows system directory. This file is a copy of the Trojan.
  • RARYPE32.EXE, in the path C:\Documents and Settings\%username%\Start Menu\Programs\Start.
    where %username% is the username of the user that has logged in.
  • ~TM6.TMP, in the path C:\Documents and Settings\%username%\Local Settings\Temp.
  • ~TMD.TMP, in the folder Temp of the Windows directory.
  • MVHGKR.DAT, in the folder NetworkService\Application Data of the Documents and Settings directory.
  • AVDRN.DAT, in the folder Application Data of the Documents and Settings directory of the user that has logged in.


Sinowal.WTF modifies the following entry from the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon
    Userinit = %sysdir%\userinit.exe,

    where %sysdir% is the Windows system directory.
    It changes this entry to:
    Userinit = %sysdir%\userinit.exe,%sysdir%\sdra64.exe,

    By modifying this entry, Sinowal.WTF ensures that it is run whenever Windows is started.

Means of transmission 

Sinowal.WTF does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, removable drives like USB keys, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.

Further Details  

Sinowal.WTF is 36,864 bytes in size.