Solved

How to detect the Sinowal trojan?

Posted on 2008-11-02
Last Modified: 2013-12-09
A couple of clients have expressed concern over the Sinowal trojan as this has been in the news recently for compromising over 500k bank and credit card accounts in the US, UK, Australia and Poland.

Should McAfee detect this and remove it fully? If not, will Mbam or Combofix remove it or will HiJackThis detect it and if so, what are the signs?

Thanks,

Mike
Question by:mikeabc27
12 Comments
 
LVL 4

Assisted Solution

by:Kaddict
Kaddict earned 150 total points
ID: 22861809
My first search was about my own antivirus (Kaspersky Internet Security), and I'm happy to see that it detects and even CLEANS the Sinowal infection. A Kaspersky Internet Security free 30-day trial will detect and clean it too. http://www.kaspersky.com/viruswatchlite?search_virus=sinowal&x=0&y=0&hour_offset=-2

About McAfee, I don't know if it detects it, but I will search more for you.

hope it helps,

-kaddict
 
LVL 15

Expert Comment

by:hewittg
ID: 22861810
Here is info concerning your question.

http://www.f-secure.com/v-descs/trojan-psw_w32_sinowal_cp.shtml


Glenn
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 350 total points
ID: 22863840
With PSW trojans etc., you won't really know just how much the PC has been compromised. If it were my PC I would just reformat and start again, change all passwords that have been used on the infected PC (using another clean PC if possible) and of course check with your bank.
It's a good idea to run MBAM and Combofix as these are good scanners, and with Combofix's script function you can also remove bad entries that aren't removed in the first run (with a helper's guide). SDFix is also another good tool.

A HijackThis scan might detect the bad entries or it's possible that it will not; HijackThis only scans locations in the registry where malware is known to hide, but it's a good starting point for cleanup. Fixing entries in HijackThis only disables startup entries from loading; it doesn't delete files or directories, except for the O2 lines.
Here's another link:
http://www.threatexpert.com/report.aspx?uid=969f6ce1-aead-4e8a-a206-2ff28311ef7d
 

Author Comment

by:mikeabc27
ID: 22865310

"With PSW trojans etc, you won't really know just how much the pc have been compromised, if it was my pc I would just reformat and start again and change all passwords that have been used in the infected pc(using another clean pc if possible) and of course check with your bank."
Would Combofix, SFix and MBAM identify Sinowal by name, so I can justify a reformat?
Thanks for the ThreatExpert link. Does Sinowal always make the same changes to the Registry and, if so, would it be sufficient to check these on a suspicious computer?
 
LVL 4

Expert Comment

by:Kaddict
ID: 22866639
mikeabc27: Kaspersky 30-day free trial with identify by name.

www.kaspersky.com

Hope it helps,

-kaddict
 
LVL 4

Expert Comment

by:Kaddict
ID: 22866641
sorry, with = will identify by name.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 22866918
>>>Would Combofix, SFix and MBAM identify Sinowal by name<<<
Combofix detects and removes the service/driver and legacy keys and files, but won't identify it by name 'sinowal'.

Combofix deleted service and legacy
-------\Legacy_{BEE686B9-4C84-4487-9D72-9F40F051E973}
-------\Service_{BEE686B9-4C84-4487-9D72-9F40F051E973}

Hijackthis entry:
O23 - Service: {bee686b9-4c84-4487-9d72-9f40f051e973} - Unknown owner - C:\WINDOWS\System32\svchost.exe


This one has more registry keys and values.
http://www.threatexpert.com/report.aspx?uid=edf8549a-94e2-4493-a31d-6bd1205d1f5b
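The O23 line and the Combofix "deleted service and legacy" lines quoted above can be checked mechanically rather than by eye. The Python below is an added example, not code from the thread or from HijackThis/Combofix; the log text it scans is constructed here (the thread's own lines plus two made-up benign entries for contrast), and the rules it applies are only the two traits visible in those lines: a service whose name is a bare GUID, and a service with no recorded owner hosted in svchost.exe.

```python
import re

# Constructed sample logs for the demo: the O23 line and the two Combofix
# lines quoted in the thread, plus benign entries made up for contrast.
HJT_LOG = r"""
O23 - Service: Automatic Updates (wuauserv) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: {bee686b9-4c84-4487-9d72-9f40f051e973} - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\FrameworkService.exe
"""
COMBOFIX_LOG = r"""
Combofix deleted service and legacy
-------\Legacy_{BEE686B9-4C84-4487-9D72-9F40F051E973}
-------\Service_{BEE686B9-4C84-4487-9D72-9F40F051E973}
"""

O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
COMBOFIX_RE = re.compile(r"^-+\\(?:Legacy|Service)_(\{[0-9A-Fa-f-]{36}\})", re.M)

def parse_o23(line):
    """Split one HijackThis O23 line into name / owner / path, or None if not O23."""
    m = O23_RE.match(line.strip())
    return m.groupdict() if m else None

def suspicious_reasons(entry):
    """Why an O23 entry matches the pattern shown in the thread (empty list if it doesn't)."""
    reasons = []
    if GUID_RE.match(entry["name"]):
        reasons.append("service name is a bare GUID")
    if entry["owner"].lower() == "unknown owner" and entry["path"].lower().endswith("svchost.exe"):
        reasons.append("no owner recorded for a service hosted in svchost.exe")
    return reasons

def scan_hijackthis(log):
    """Return (service name, reasons) for every O23 entry that trips a rule."""
    findings = []
    for line in log.splitlines():
        entry = parse_o23(line)
        reasons = suspicious_reasons(entry) if entry else []
        if reasons:
            findings.append((entry["name"], reasons))
    return findings

def combofix_removed_guids(log):
    """GUIDs from Combofix 'deleted service and legacy' lines, lower-cased for comparison."""
    return {m.group(1).lower() for m in COMBOFIX_RE.finditer(log)}

def correlate(hjt_log, combofix_log):
    """Flagged HijackThis services whose GUID Combofix also reported removing."""
    removed = combofix_removed_guids(combofix_log)
    return [name for name, _ in scan_hijackthis(hjt_log) if name.lower() in removed]

if __name__ == "__main__":
    for name, reasons in scan_hijackthis(HJT_LOG):
        print(name, "->", "; ".join(reasons))
    print("confirmed by Combofix:", correlate(HJT_LOG, COMBOFIX_LOG))
```

A GUID-named service is unusual but not proof on its own, so the correlation step is what turns a HijackThis hit into something worth acting on; a clean second scan after Combofix reports the keys removed is the confirmation the later replies describe.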
 

Author Comment

by:mikeabc27
ID: 22868582
"Kaspersky 30-day free trial will identify by name."
Thanks Kaddict - I do find Kaspersky really slow on an infected PC - evaluation version anyway.

"Combofix detects and removes the service/driver and legacy keys and files but won't identify it by name 'sinowal'

Combofix deleted service and legacy
-------\Legacy_{BEE686B9-4C84-4487-9D72-9F40F051E973}
-------\Service_{BEE686B9-4C84-4487-9D72-9F40F051E973}

Hijackthis entry:
O23 - Service: {bee686b9-4c84-4487-9d72-9f40f051e973} - Unknown owner - C:\WINDOWS\System32\svchost.exe "

Thanks for pointing me in the right direction. Once the keys have been removed would you still recommend a reformat? Obviously, all passwords would be changed on a clean machine.


 
LVL 4

Expert Comment

by:Kaddict
ID: 22872292
Hi back,

It would be "the safest way" to format, and it should be OK without formatting, but there's always a risk with such powerful trojans.

If you reboot and scan again with the tools that found / repaired it and find nothing, it'll soothe your mind, but always remember that there's a risk.

About Kaspersky being slow: of course a powerful solution uses some more power than none or something "less powerful", but on my computer (dual core, 4 GB RAM, Vista) I can game without noticeable lag. Maybe it's just because the computer ain't very powerful, and maybe because you started with some infection that causes slowdowns too.

happy to hear it helped!

-kaddict
 

Author Closing Comment

by:mikeabc27
ID: 31512490
Thanks
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 22876329
>>>Once the keys have been removed would you still recommend a reformat? <<<
Once the PC is clean and passwords changed, it should be alright. The suggestion of reformatting is just a precaution, as it's a helper's responsibility to inform the user on PCs infected with PWS trojans.
Thanks!
 

Expert Comment

by:YNSIT
ID: 35511650

We have identified it with this program: GMER (www.gmer.net)