Sinowal.WTF is a Trojan designed to steal information from the computer and its user: it logs the keystrokes typed by the user, which lets it capture passwords, usernames, email addresses, etc.
Sinowal.WTF reaches the computer as follows:
- It arrives in an email message that appears to have been sent by the MySpace team.
- The following is an example of the email message in which Sinowal.WTF is distributed:
- The message tells users that their password has been changed for security reasons and that they can find the new one in the attached document.
- The attached document has the following appearance:
- The attachment is a compressed file; when it is decompressed, it reveals a file that looks like a Word document containing the password:
- However, this file is not a document but an executable: if it is run, the computer is infected with Sinowal.WTF.
Sinowal.WTF creates the following files:
- SDRA64.EXE, in the Windows system directory. This file is a copy of the Trojan.
- RARYPE32.EXE, in the path C:\Documents and Settings\%username%\Start Menu\Programs\Start.
where %username% is the username of the user that has logged in.
- ~TM6.TMP, in the path C:\Documents and Settings\%username%\Local Settings\Temp.
- ~TMD.TMP, in the folder Temp of the Windows directory.
- MVHGKR.DAT, in the folder NetworkService\Application Data of the Documents and Settings directory.
- AVDRN.DAT, in the folder Application Data of the Documents and Settings directory of the user that has logged in.
Sinowal.WTF modifies the following Windows Registry entry (the Userinit value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, which Winlogon uses to launch programs when a user logs on):
Userinit = %sysdir%\userinit.exe,
where %sysdir% is the Windows system directory.
It changes this entry to:
Userinit = %sysdir%\userinit.exe,%sysdir%\sdra64.exe,
Because Winlogon runs every program listed in this value, appending sdra64.exe ensures that Sinowal.WTF is run every time a user logs on to Windows.
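The following script is an added example for checking a machine against the two indicators described above (the extra Userinit entry and the dropped files); it is not code from the original description or from Panda Security. It assumes the standard location of the Userinit value (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon) and a default system directory of C:\WINDOWS\system32; the Userinit values and file paths it tests against are constructed samples, not data captured from an infected machine.

```python
"""Check a Winlogon Userinit value and a list of file paths for the Sinowal.WTF indicators."""
import ntpath
import sys
from typing import Dict, List, Optional

# Registry location of the Userinit value (assumed standard path; not stated on the page).
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Sample Userinit values, constructed for this example (not captured from a real machine).
CLEAN_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"
INFECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"

# File names the page lists as dropped by Sinowal.WTF, lower-cased basenames.
SINOWAL_FILES = {"sdra64.exe", "rarype32.exe", "~tm6.tmp", "~tmd.tmp", "mvhgkr.dat", "avdrn.dat"}


def parse_userinit(value: str) -> List[str]:
    """Split the comma-separated Userinit list; Windows leaves a trailing comma, so empty entries are dropped."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def extra_userinit_entries(value: str, sysdir: str = r"C:\WINDOWS\system32") -> List[str]:
    """Return every program in Userinit other than the legitimate userinit.exe in the system directory.

    Winlogon runs each listed program at logon, so any extra entry is a persistence hook worth examining.
    The comparison is case-insensitive because Windows paths are.
    """
    expected = ntpath.join(sysdir, "userinit.exe").lower()
    return [entry for entry in parse_userinit(value) if entry.lower() != expected]


def matching_dropped_files(paths: List[str]) -> List[str]:
    """Return the paths whose basename matches one of the file names the page lists for Sinowal.WTF."""
    return [path for path in paths if ntpath.basename(path).lower() in SINOWAL_FILES]


def assess(userinit_value: str, observed_paths: List[str]) -> Dict[str, object]:
    """Combine both checks into one verdict: suspicious if the logon hook or any listed file is present."""
    extra = extra_userinit_entries(userinit_value)
    files = matching_dropped_files(observed_paths)
    return {"extra_userinit": extra, "dropped_files": files, "suspicious": bool(extra or files)}


def read_live_userinit() -> Optional[str]:
    """On Windows, read the real Userinit value from the registry; elsewhere return None."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _value_type = winreg.QueryValueEx(key, "Userinit")
        return value


if __name__ == "__main__":
    # Use the live value on Windows, otherwise fall back to the constructed infected sample.
    userinit = read_live_userinit() or INFECTED_USERINIT
    sample_paths = [r"C:\WINDOWS\system32\sdra64.exe", r"C:\WINDOWS\system32\notepad.exe"]
    print(assess(userinit, sample_paths))
```

The Userinit check is the stronger of the two: a legitimate value contains only userinit.exe, so any additional program is worth investigating regardless of its name. The file-name check is weaker on its own, since names such as ~TMD.TMP are generic temporary-file names that can also appear on clean systems; treat a file-name match without the Userinit modification as a prompt to inspect the file, not as a confirmed infection.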
Means of transmission
Sinowal.WTF does not spread automatically by its own means. It needs the intervention of an attacker, or of the user who opens it, in order to reach the affected computer. The means of transmission used include, among others, removable drives such as USB keys and CD-ROMs, email messages with attached files (the MySpace-themed message described above), Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.
Sinowal.WTF is 36,864 bytes in size.