Active Scan. Scan your PC free
Download Cloud Antivirus Gratis

Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Threat LevelLow threatDamageHighDistributionNot widespread


Sinowal.WUR carries out the following actions:

  • It reaches the computer in an email message that seems to have been sent by the Facebook team. 
  • The subject of the message can be one of the following, among others:
    Facebook Account Update
    Facebook Update Tool
  • The message informs users that a new login system is going to be introduced nd they are required to update their account. This message contains several links that point to the download of the Trojan.
  • The following is an example of the email message in which Sinowal.WUR is being distributed:

    Facebook message used to distribute Sinowal.WUR
  • If users follow any of the links, a compressed file with a ZIP extension and a random name will be downloaded, like the following:

    File containing Sinowal.WUR
  • When this file is run, the computer will be infected by Sinowal.WUR, which is designed to steal confidential information from the computer. Concretely, information about the executable files installed in the computer, like name of the program, size, data of installation and modification, etc.
  • The information it gathers is stored in several files, which are then sent to its creator.

Infection strategy 

Sinowal.WUR creates the following files:

  • SDRA64.EXE, in the Windows system directory. This file is a copy of the Trojan.
  • SDSKWA.DLL, in the Windows directory.
  • BF9C_APPCOMPAT.TXT, in the path C:\Documents and Settings\%username%\Local Settings\Temp. In this file the information it has obtained is stored.
    where %username% is the username of the user that has logged in.
  • 1.TMP and 2.TMP, in the folder Temp of the Windows directory.

Additionally, it creates a folder called lowsec in the Windows system directory.


Sinowal.WUR creates the following entries in the Windows Registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
    %path where the Trojan has been run% = 0bxoascoyzzau
  • HKEY_USERS\DEFAULT\Software\Microsoft\Protected Storage System Provider
  • HKEY_USERS\DEFAULT\Software\Microsoft\Protected Storage System Provider\S-1-5-18
  • HKEY_USERS\ S-1-5-18\Software\Microsoft\Protected Storage System Provider
  • HKEY_USERS\ S-1-5-18\Software\Microsoft\Protected Storage System Provider\S-1-5-18
  • HKEY_USERS\ S-1-5-19\Software\Microsoft\Protected Storage System Provider
  • HKEY_USERS\ S-1-5-19\Software\Microsoft\Protected Storage System Provider\S-1-5-19


Sinowal.WUR modifies the following entry from the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon
    Userinit = %sysdir%\userinit.exe,

    where %sysdir% is the Windows system directory.
    It changes this entry to:
    Userinit = %sysdir%\userinit.exe,%sysdir%\sdra64.exe,

    By modifying this entry, Sinowal.WUR ensures that it is run whenever Windows is started.

Means of transmission 

Sinowal.WUR does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, removable drives like USB keys, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.

Further Details  

Sinowal.WUR is 132,096 bytes in size.