Our spam traps have been receiving thousands of malspam e-mails related to a new Sinowal (zbot) campaign over the past 24 hours. The e-mail attempts to trick users into creating a profile for H1N1 (Swine Flu) vaccination at the Centers for Disease Control website.

The email reads:

You have received this e-mail because of the launching of State Vaccination H1N1 Program. You need to create your personal H1N1 (swine flu) Vaccination Profile on the cdc.gov website. The Vaccination is not obligatory, but every person that has reached the age of 18 has to have his personal Vaccination Profile on the cdc.gov site. This profile has to be created both for the vaccinated people and the not-vaccinated ones. This profile is used for the registering system of vaccinated and not-vaccinated people.

Create your Personal H1N1 Vaccination Profile using the link:

create personal profile
Centers for Disease Control and Prevention (CDC) – 1600 Clifton Rd – Atlanta GA 30333 – 800-CDC-INFO (800-232-4636)

The (several) websites used in this malspam campaign all start with online.cdc.gov.(malicious domain) and could easily convince the most suspicious users of its validity.

The site reads:

“Your Personal H1N1 Vaccinating Profile is an electronic document, which contains your name, your contact details and your medical data (what kind of illnesses you have sustained in your childhood or what kind of allergy you have to some certain drug).  All instructions you need are included in the archive below:

Your Temporary ID (valid for 48 hours) H1N1-1574377270
H1N1 Vaccination Profile – Download Archive (130Kb)”

The campaign uses 6 different subject lines for its e-mails. The most common subject lines are Governmental registration program and Creation of personal Vaccination Profile.


Infection information:

creates a copy of itself with the name SDRA64.EXE, in the Windows system directory.

Additionally, it creates the following files, where it stores the information it has obtained:

  • LOCAL.DS and USER.DS, in the folder lowsec, created by itself, in the Windows system directory.
  • 8.TMP and 9.TMP, in the folder Temp of the Windows directory. Â

Sinowal.WRN modifies the following entry from the Windows Registry:

  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun
    windowsl1vi = %sysdir%%random file%.exe
    where %sysdir% is the Windows system directory and %random file% is the filename with which the Trojan is copied.
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionWinlogon
    Userinit = %sysdir%userinit.exe,
    where %sysdir% is the Windows system directory.
    It changes this entry to:
    Userinit = %sysdir%userinit.exe,%sysdir%sdra64.exe,
    By modifying this entry, Sinowal.WRN ensures that it is run whenever Windows is started
    Country of malware origin: Ukraine