• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2198

How to detect the Sinowal trojan?

A couple of clients have expressed concern over the Sinowal trojan as this has been in the news recently for compromising over 500k bank and credit card accounts in the US, UK, Australia and Poland.

Should McAfee detect this and remove it fully? If not, will Mbam or Combofix remove it or will HiJackThis detect it and if so, what are the signs?

Thanks,

Mike
2 Solutions
 
Kaddict commented:
My first search was about my own antivirus (Kaspersky Internet Security), and I'm happy to see that it detects and even CLEANS the Sinowal infection. A kaspersky internet security free 30-day trial will detect and clean it too. http://www.kaspersky.com/viruswatchlite?search_virus=sinowal&x=0&y=0&hour_offset=-2

About McAfee I don't know if it detects it, but will search more for you

hope it helps,

-kaddict
0
 
hewittg commented:
Here is info concerning your question.

http://www.f-secure.com/v-descs/trojan-psw_w32_sinowal_cp.shtml


Glenn
0
 
rpggamergirl commented:
With PSW trojans etc. you won't really know just how much the PC has been compromised. If it was my PC I would just reformat and start again, change all passwords that have been used on the infected PC (using another clean PC if possible) and, of course, check with your bank.
It's a good idea to run MBAM and ComboFix as these are good scanners, and with ComboFix's script function you can also remove bad entries that aren't removed in the first run (with a helper's guide). SDFix is also another good tool.

A HijackThis scan might detect the bad entries or it's possible that it will not; HijackThis only scans locations in the registry where malware is known to hide, but it's a good starting point for cleanup. Fixing entries in HijackThis only disables startup entries from loading; it doesn't delete files or directories, except for the O2 lines.
Here's another link:
http://www.threatexpert.com/report.aspx?uid=969f6ce1-aead-4e8a-a206-2ff28311ef7d
0
 
mikeabc27 (Author) commented:

"With PSW trojans etc, you won't really know just how much the pc have been compromised, if it was my pc I would just reformat and start again and change all passwords that have been used in the infected pc(using another clean pc if possible) and of course check with your bank."
Would ComboFix, SDFix and MBAM identify Sinowal by name, so I can justify a reformat?
Thanks for the ThreatExpert link - does Sinowal always make the same changes to the Registry and, if so, would it be sufficient to check these on a suspicious computer?
0
 
Kaddict commented:
mikeabc27: Kaspersky 30-day free trial with identify by name.

www.kaspersky.com

Hope it helps,

-kaddict
0
 
Kaddict commented:
sorry, with = will identify by name.
0
 
rpggamergirl commented:
>>>Would Combofix, SFix and MBAM identify Sinowal by name<<<
Combofix detects and removes the service/driver and legacy keys and files but won't identify it by name 'sinowal'

Combofix deleted service and legacy
-------\Legacy_{BEE686B9-4C84-4487-9D72-9F40F051E973}
-------\Service_{BEE686B9-4C84-4487-9D72-9F40F051E973}

Hijackthis entry:
O23 - Service: {bee686b9-4c84-4487-9d72-9f40f051e973} - Unknown owner - C:\WINDOWS\System32\svchost.exe


This one has more registry keys and values.
http://www.threatexpert.com/report.aspx?uid=edf8549a-94e2-4493-a31d-6bd1205d1f5b
0
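The indicators quoted above (a service whose name is a bare GUID, listed with "Unknown owner" and hosted by svchost.exe, plus matching Services and LEGACY_ keys) can be checked mechanically rather than by eye. The following is an added example, not code from the thread or from HijackThis or ComboFix: it parses HijackThis O23 lines, flags any service matching that pattern (not only the one GUID seen here), and prints the registry keys to inspect for each hit. It assumes the XP-era registry layout, where a service lives under HKLM\SYSTEM\CurrentControlSet\Services\<name> and its PnP entry under HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_<NAME>; the sample log is constructed for the example.

```python
"""Triage HijackThis O23 (service) lines for GUID-named or ownerless svchost services."""
import re
from typing import Optional

# "O23 - Service: <name> - <owner> - <path>"; name and owner are taken non-greedily
# so the path (which may itself contain " - ") absorbs the remainder.
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# A bare registry-style GUID, with or without braces.
GUID_RE = re.compile(
    r"^\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?$",
    re.IGNORECASE,
)

# Constructed sample log (not from any real machine). The GUID line has the shape
# quoted in the thread; the other entries are benign fillers for contrast.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\\Program Files\\Bonjour\\mDNSResponder.exe
O23 - Service: {bee686b9-4c84-4487-9d72-9f40f051e973} - Unknown owner - C:\\WINDOWS\\System32\\svchost.exe
O23 - Service: Backup Agent (bkagent) - Unknown owner - C:\\Program Files\\BackupTool\\bkagent.exe
"""


def parse_o23(line: str) -> Optional[dict]:
    """Return name/owner/path for an O23 line, or None for any other HijackThis line."""
    m = O23_RE.match(line.strip())
    return m.groupdict() if m else None


def is_guid(name: str) -> bool:
    return bool(GUID_RE.match(name.strip()))


def assess(entry: dict) -> list:
    """Human-readable reasons an O23 entry deserves a closer look."""
    reasons = []
    if is_guid(entry["name"]):
        reasons.append("service name is a bare GUID rather than a descriptive name")
    if entry["owner"].strip().lower() == "unknown owner":
        reasons.append("no vendor recorded for the service")
    if entry["path"].strip().lower().endswith("\\svchost.exe"):
        reasons.append("hosted in svchost.exe, so the real code is the ServiceDll named under the service's Parameters key")
    return reasons


def is_suspicious(entry: dict) -> bool:
    """The thread's indicator: a GUID-named service, or an ownerless service run via svchost."""
    unknown = entry["owner"].strip().lower() == "unknown owner"
    svchost = entry["path"].strip().lower().endswith("\\svchost.exe")
    return is_guid(entry["name"]) or (unknown and svchost)


def registry_keys_for(service_name: str) -> list:
    """Assumed XP-era locations of the service key and its LEGACY_ PnP entry (what ComboFix reported)."""
    return [
        r"HKLM\SYSTEM\CurrentControlSet\Services\%s" % service_name,
        r"HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_%s" % service_name.upper(),
    ]


def scan_log(text: str) -> list:
    """Return one finding per suspicious O23 entry, with reasons and keys to inspect."""
    findings = []
    for line in text.splitlines():
        entry = parse_o23(line)
        if entry is None or not is_suspicious(entry):
            continue
        findings.append({
            "name": entry["name"],
            "reasons": assess(entry),
            "registry_keys": registry_keys_for(entry["name"]),
            "line": line.strip(),
        })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("  -", reason)
        for key in finding["registry_keys"]:
            print("  check:", key)
```

A hit from this script is grounds to run the scanners and keep the reformat plan, not proof of Sinowal on its own, and an empty result does not prove a clean machine: HijackThis reads the registry through the normal API, so a rootkit component can hide its keys from it, which is why a rootkit detector such as GMER is still worth running.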
 
mikeabc27 (Author) commented:
"Kaspersky 30-day free trial will identify by name."
Thanks Kaddict - I do find Kaspersky really slow on an infected PC - evaluation version anyway.

"Combofix detects and removes the service/driver and legacy keys and files but won't identify it by name 'sinowal'

Combofix deleted service and legacy
-------\Legacy_{BEE686B9-4C84-4487-9D72-9F40F051E973}
-------\Service_{BEE686B9-4C84-4487-9D72-9F40F051E973}

Hijackthis entry:
O23 - Service: {bee686b9-4c84-4487-9d72-9f40f051e973} - Unknown owner - C:\WINDOWS\System32\svchost.exe "

Thanks for pointing me in the right direction. Once the keys have been removed would you still recommend a reformat? Obviously, all passwords would be changed on a clean machine.


0
 
Kaddict commented:
Hi back,

It would be "the safest way" to format,
And it should be ok without formatting but there's always a risk with such powerful trojans.

If you reboot and scan again with the tools that found / repaired and find nothing it'll soothe your mind but always remember that there's a risk.

About Kaspersky being slow, of course a powerful solution uses some more power than none or something "less powerful", but on my computer (dual core, 4gb ram, vista) I can game without noticeable lag. Maybe it's just because the computer ain't very powerful, and maybe because you start with some infection that causes slowdowns too.

happy to hear it helped!

-kaddict
0
 
mikeabc27 (Author) commented:
Thanks
0
 
rpggamergirl commented:
>>>Once the keys have been removed would you still recommend a reformat? <<<
Once the PC is clean and passwords changed it should be alright. The suggestion of reformatting is just a precaution, as it's a helper's responsibility to inform the user on PCs infected with PWS trojans.
Thanks!
0
 
YNSIT commented:
We have identified it with this program: GMER (www.gmer.net)
0
