Welcome to the Virus Encyclopedia of Panda Security.
Sinowal.WVM is designed to steal confidential information from the computer and the user. It also obtains the user's Facebook login data.
Sinowal.WVM carries out the following actions:
- It is distributed via Facebook in a message which seems to have been sent by a friend and which contains a link to see a photo.
- If users follow the link, a warning message displayed by Facebook is opened.
- If, in spite of this, users decide to go on, they are redirected to a website imitating Facebook's, which requires users to log in again.
As can be seen in the address bar, the website does not belong to the real Facebook.
- Once users have logged in, another website is opened displaying a message which informs users that, in order to view the site properly, they need to update their version of Adobe Flash Player.
- If users click the Aceptar (Accept) button, a file called UPDATE.EXE, which belongs to Sinowal.WVM, is downloaded.
Sinowal.WVM creates the file SDRA64.EXE in the Windows system directory. This file is a copy of the Trojan.
Sinowal.WVM modifies the following entry in the Windows Registry:
Userinit = %sysdir%\userinit.exe,
where %sysdir% is the Windows system directory.
It changes this entry to:
Userinit = %sysdir%\userinit.exe,%sysdir%\sdra64.exe,
By modifying this entry, Sinowal.WVM ensures that it is run whenever Windows is started.
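As an added example (not part of Panda's original description), the following check flags any Userinit entry other than userinit.exe in the system directory, which is how the modification described above shows up on an affected machine. The function names, the default system directory and the Winlogon key path are assumptions; the page does not name the registry key.

```python
import ntpath
import re

# Assumption: default system directory; pass the real one for the host being checked.
DEFAULT_SYSDIR = r"C:\Windows\System32"
# Standard Winlogon location of the Userinit value (the page does not name the key).
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def _canon(path):
    """Normalise a Windows path for case-insensitive comparison."""
    return ntpath.normcase(ntpath.normpath(path))


def audit_userinit(value, sysdir=DEFAULT_SYSDIR):
    """Return the Userinit entries that are not <sysdir>\\userinit.exe."""
    expected = _canon(ntpath.join(sysdir, "userinit.exe"))
    unexpected = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if not entry:
            continue  # the trailing comma leaves an empty element
        # Expand the page's %sysdir% placeholder (not a real Windows variable).
        expanded = re.sub(r"%sysdir%", lambda m: sysdir, entry, flags=re.I)
        if _canon(expanded) != expected:
            unexpected.append(entry)
    return unexpected


def read_live_userinit():
    """Read the value from the local registry (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        return winreg.QueryValueEx(key, "Userinit")[0]


# Constructed samples: the two values quoted in the description above.
SAMPLES = {
    "original": r"%sysdir%\userinit.exe,",
    "modified": r"%sysdir%\userinit.exe,%sysdir%\sdra64.exe,",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        extra = audit_userinit(value)
        print(label, "->", "SUSPICIOUS: " + ", ".join(extra) if extra else "clean")
```

On a Windows host, passing the result of read_live_userinit() to audit_userinit() checks the live value; an empty list means only the expected userinit.exe entry is present.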
Means of transmission
Sinowal.WVM does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, removable drives like USB keys, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels and peer-to-peer (P2P) file sharing networks.
Sinowal.WVM is 99,840 bytes in size.