
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Sinowal.WUZ

Threat level: Low threat
Damage: High
Distribution: Not widespread

Effects 

Sinowal.WUZ is a Trojan designed to obtain confidential information from the affected computer and its user, particularly information related to online banking. Trojans in this family usually target banking data such as usernames, passwords and credit card numbers.

Additionally, it connects to the following websites and IP addresses, which allow its operators to monitor and communicate with the affected computer:

  • http://nek<blocked>o.ru
  • 109.9<blocked>4.70
  • 74.12<blocked>7.100
  • 67.2<blocked>46.218

Infection strategy 

Sinowal.WUZ creates the following folders in the Windows system directory:

  • LOWSEC
  • WINROCK32

Additionally, it creates the following files:

  • SDRA64.EXE, TWEXT.EXE, SERVICES.EXE, LSASS.EXE, SVCHOST.EXE and ALG.EXE, in the Windows system directory. These files are copies of the Trojan.
  • SDRA64.EXE, LOCAL.DS, USER.DS and USER.DS.LLL, in the folder LOWSEC created in the Windows system directory.


Sinowal.WUZ creates the following entries in the Windows Registry:

  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7}
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{5BB339E3-D756-294B-3141-1D213AD3A7A6}
  • HKEY_CLASSES_ROOT\idid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Hxegilunutow
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network
    UID = %computername%


Sinowal.WUZ modifies the following entries from the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon
    Userinit = %sysdir%\userinit.exe,

    where %sysdir% is the Windows system directory.
    It changes this entry to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon
    Userinit = %sysdir%\userinit.exe,%sysdir%\sdra64.exe,
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon
    Userinit = %sysdir%\userinit.exe,

    where %sysdir% is the Windows system directory.
    It changes this entry to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon
    Userinit = %sysdir%\userinit.exe,%sysdir%\twext.exe,
    By appending its own copies to the Userinit value, Sinowal.WUZ ensures that it is run whenever a user logs on to Windows.
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable = 0x00000001

    It changes this entry to:
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable = 0x00000000

    It disables the proxy if it is enabled.
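The persistence mechanism described above (extra executables appended to the Winlogon Userinit value, plus the LOWSEC and WINROCK32 folders in the system directory) is something an incident responder can check for directly. The following Python script is an added example, not Panda Security's code; it parses a Userinit value, flags anything other than userinit.exe itself, and checks a directory listing for the folder and file names quoted in this entry. The sample registry values and directory listing in it are constructed. ProxyEnable is deliberately not used as an indicator, because a value of 0 is the default on most hosts.

```python
import os

# Indicators quoted from this encyclopedia entry. Names are compared
# case-insensitively because NTFS is case-insensitive. SERVICES.EXE,
# LSASS.EXE, SVCHOST.EXE and ALG.EXE are also legitimate system file names,
# so their mere presence proves nothing and they are left out of this set.
SUSPECT_FOLDERS = {"lowsec", "winrock32"}
SUSPECT_FILES = {"sdra64.exe", "twext.exe"}
# The only program a clean Userinit value should launch.
EXPECTED_USERINIT = "userinit.exe"


def parse_userinit(value):
    """Split a Winlogon Userinit value into its entries.

    The value is comma-separated and conventionally ends with a trailing
    comma, so the empty trailing element is dropped.
    """
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def _basename(path):
    # Accept Windows-style paths even when this runs on a non-Windows host.
    return os.path.basename(path.replace("\\", "/")).lower()


def extra_userinit_entries(value):
    """Return every Userinit entry that is not userinit.exe itself.

    Anything listed here is launched at every logon, which is exactly how
    this entry describes Sinowal.WUZ gaining persistence.
    """
    return [e for e in parse_userinit(value) if _basename(e) != EXPECTED_USERINIT]


def assess_userinit(value):
    """Return (verdict, extras).

    'known'      - an extra entry matches a file name from this entry
    'unexpected' - some other program has been added to Userinit
    'clean'      - only userinit.exe is launched
    """
    extras = extra_userinit_entries(value)
    if not extras:
        return "clean", extras
    if {_basename(e) for e in extras} & SUSPECT_FILES:
        return "known", extras
    return "unexpected", extras


def scan_listing(names):
    """Given the names found in the Windows system directory, return the
    ones matching the folders and files quoted in this entry (sorted)."""
    lowered = {n.lower() for n in names}
    return sorted(lowered & (SUSPECT_FOLDERS | SUSPECT_FILES))


def scan_system_dir(path):
    """Run the same check against a real directory (read-only)."""
    return scan_listing(os.listdir(path))


if __name__ == "__main__":
    # Constructed sample values: a clean Userinit and the two modified
    # forms this entry describes.
    samples = [
        r"C:\Windows\system32\userinit.exe,",
        r"C:\Windows\system32\userinit.exe,C:\Windows\system32\sdra64.exe,",
        r"C:\Windows\system32\userinit.exe,C:\Windows\system32\twext.exe,",
    ]
    for sample in samples:
        print(sample, "->", assess_userinit(sample))
    # Constructed directory listing standing in for %sysdir%.
    print(scan_listing(["drivers", "lowsec", "SDRA64.EXE", "userinit.exe"]))
```

On a live host, the Userinit value would be read from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon and the listing from the real system directory via scan_system_dir; both checks are read-only, so they are safe to run before any cleanup decision is made.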

Means of transmission 

Sinowal.WUZ does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, removable drives such as USB keys and CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.

Further Details  

Sinowal.WUZ is 177,664 bytes in size.