
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Sinowal.WVM

Threat Level: Low threat
Damage: High
Distribution: Not widespread

Effects 

Sinowal.WVM is designed to steal confidential information from the computer and the user. It also obtains the user's Facebook login data.

Sinowal.WVM carries out the following actions:

  • It is distributed via Facebook in a message which seems to have been sent by a friend and which contains a link to see a photo:

    Message sent via Facebook
  • If users follow the link, a warning message displayed by Facebook is opened:

    Warning message displayed by Facebook
  • If, in spite of this, users decide to go on, they are redirected to a website that imitates Facebook's and requires them to log in again:

    Website that imitates Facebook's login site

    As can be seen in the address bar, the website does not belong to the real Facebook.
  • Once users have logged in, another website is opened displaying a message which informs users that, in order to view the site properly, they need to update their version of Adobe Flash Player:

    Website from which Sinowal.WVM is downloaded
  • If users click the Aceptar (Accept) button, a file called UPDATE.EXE, which belongs to Sinowal.WVM, will be downloaded.

Infection strategy 

Sinowal.WVM creates the file SDRA64.EXE in the Windows system directory. This file is a copy of the Trojan.

Sinowal.WVM modifies the following entry in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon
    Userinit = %sysdir%\userinit.exe,

    where %sysdir% is the Windows system directory.
    It changes this entry to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon
    Userinit = %sysdir%\userinit.exe,%sysdir%\sdra64.exe,

    By modifying this entry, Sinowal.WVM ensures that it is run whenever Windows is started.
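A defender can check for this change by comparing the Userinit value against the single expected entry. The following is an added example, not Panda Security's code: the function names and the default system directory are assumptions, and the sample values are constructed from the entry shown above.

```python
import ntpath

# Assumption: typical system directory; pass the audited host's real one.
DEFAULT_SYSDIR = r"C:\Windows\system32"


def _normalize(entry, sysdir):
    """Expand the %sysdir% placeholder, drop quotes, lowercase, normalize."""
    entry = entry.strip().strip('"').lower()
    return ntpath.normpath(entry.replace("%sysdir%", sysdir.lower()))


def audit_userinit(value, sysdir=DEFAULT_SYSDIR):
    """Return every Userinit entry that is not <sysdir>\\userinit.exe.

    The value is a comma-separated list of programs, so each entry beyond
    the stock one is started at logon and needs review. A bare file name
    without its full path is reported as well.
    """
    expected = ntpath.normpath(ntpath.join(sysdir, "userinit.exe").lower())
    findings = []
    for raw in value.split(","):
        if not raw.strip():  # the trailing comma leaves an empty item
            continue
        if _normalize(raw, sysdir) != expected:
            findings.append(raw.strip())
    return findings


def is_clean(value, sysdir=DEFAULT_SYSDIR):
    """True only if at least one entry exists and none is unexpected."""
    entries = [e for e in value.split(",") if e.strip()]
    return bool(entries) and not audit_userinit(value, sysdir)


if __name__ == "__main__":
    # Constructed sample values mirroring the before/after shown above.
    samples = [
        r"%sysdir%\userinit.exe,",
        r"%sysdir%\userinit.exe,%sysdir%\sdra64.exe,",
    ]
    for value in samples:
        extra = audit_userinit(value)
        status = "OK" if not extra else "REVIEW: " + ", ".join(extra)
        print(f"{value!r} -> {status}")
```
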

Means of transmission 

Sinowal.WVM does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, removable drives like USB keys, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.

Further Details  

Sinowal.WVM is 99,840 bytes in size.