Solved

How to detect the Sinowal trojan?

Posted on 2008-11-02
12
2,174 Views
Last Modified: 2013-12-09
A couple of clients have expressed concern over the Sinowal trojan, as this has been in the news recently for compromising over 500k bank and credit card accounts in the US, UK, Australia and Poland.

Should McAfee detect this and remove it fully? If not, will MBAM or ComboFix remove it, or will HijackThis detect it, and if so, what are the signs?

Thanks,

Mike
Question by:mikeabc27
12 Comments
 
LVL 4

Assisted Solution

by:Kaddict
Kaddict earned 150 total points
ID: 22861809
My first search was about my own antivirus (Kaspersky Internet Security), and I'm happy to see that it detects and even CLEANS the Sinowal infection. A Kaspersky Internet Security free 30-day trial will detect and clean it too. http://www.kaspersky.com/viruswatchlite?search_virus=sinowal&x=0&y=0&hour_offset=-2

About McAfee, I don't know if it detects it, but I will search more for you.

Hope it helps,

-kaddict
 
LVL 15

Expert Comment

by:hewittg
ID: 22861810
Here is info concerning your question.

http://www.f-secure.com/v-descs/trojan-psw_w32_sinowal_cp.shtml


Glenn
 
LVL 47

Accepted Solution

by:rpggamergirl
rpggamergirl earned 350 total points
ID: 22863840
With PSW trojans etc. you won't really know just how much the PC has been compromised. If it was my PC I would just reformat and start again, change all passwords that have been used on the infected PC (using another clean PC if possible), and of course check with your bank.
It's a good idea to run MBAM and ComboFix as these are good scanners, and with ComboFix's script function you can also remove bad entries that aren't removed in the first run (with a helper's guide). SDFix is also another good tool.

A HijackThis scan might detect the bad entries, or it's possible that it will not; HijackThis only scans locations in the registry where malware is known to hide, but it's a good starting point for cleanup. Fixing entries in HijackThis only disables startup entries from loading; it doesn't delete files or directories, except for the O2 lines.
Here's another link:
http://www.threatexpert.com/report.aspx?uid=969f6ce1-aead-4e8a-a206-2ff28311ef7d
 

Author Comment

by:mikeabc27
ID: 22865310

"With PSW trojans etc. you won't really know just how much the PC has been compromised. If it was my PC I would just reformat and start again, change all passwords that have been used on the infected PC (using another clean PC if possible), and of course check with your bank."
Would ComboFix, SDFix and MBAM identify Sinowal by name, so I can justify a reformat?
Thanks for the ThreatExpert link. Does Sinowal always make the same changes to the registry and, if so, would it be sufficient to check these on a suspicious computer?
 
LVL 4

Expert Comment

by:Kaddict
ID: 22866639
mikeabc27: Kaspersky 30-day free trial with identify by name.

www.kaspersky.com

Hope it helps,

-kaddict
 
LVL 4

Expert Comment

by:Kaddict
ID: 22866641
Sorry, "with" = "will": it will identify by name.
LVL 47

Expert Comment

by:rpggamergirl
ID: 22866918
>>>Would Combofix, SFix and MBAM identify Sinowal by name<<<
ComboFix detects and removes the service/driver and legacy keys and files, but won't identify it by the name 'Sinowal'.

ComboFix deleted service and legacy:
-------\Legacy_{BEE686B9-4C84-4487-9D72-9F40F051E973}
-------\Service_{BEE686B9-4C84-4487-9D72-9F40F051E973}

HijackThis entry:
O23 - Service: {bee686b9-4c84-4487-9d72-9f40f051e973} - Unknown owner - C:\WINDOWS\System32\svchost.exe


This one has more registry keys and values.
http://www.threatexpert.com/report.aspx?uid=edf8549a-94e2-4493-a31d-6bd1205d1f5b
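The ComboFix and HijackThis output above gives one concrete artifact to look for in a saved log: a service registered under a bare GUID instead of a readable "Display Name (ShortName)", with an unknown owner, hosted in svchost.exe, plus the matching Legacy_ and Service_ keys. The following Python script is an added example for this thread, not code from HijackThis, ComboFix or any vendor; it scans HijackThis and ComboFix text logs for that naming pattern and cross-references the GUIDs between the two. The embedded log lines are constructed for the example: the GUID entries are the ones posted above, the other O23 lines are ordinary-looking entries made up here. The GUID value itself is treated as an assumption, not a signature: the script matches the pattern (a GUID standing in for a service name), because a different sample can carry a different GUID. A clean result only means the scanner saw nothing; it is not proof the machine is clean.

```python
"""Triage saved HijackThis and ComboFix logs for GUID-named services.

Added example for this thread; not part of HijackThis, ComboFix or any
vendor tool. The sample log lines and file arguments are assumptions.
"""
import re
import sys

# One regex fragment for a braced GUID, reused below (case-insensitive hex).
GUID = r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"

# HijackThis O23 line: "O23 - Service: <display> [(<short name>)] - <owner> - <path>"
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# A service "name" that is nothing but a GUID, with no "(ShortName)" part.
GUID_NAME_RE = re.compile("^" + GUID + "$")
# ComboFix "deleted service and legacy" lines: -------\Legacy_{GUID} / -------\Service_{GUID}
COMBOFIX_RE = re.compile(r"^-+\\(?P<kind>Legacy|Service)_(?P<guid>" + GUID + r")$")

# Constructed sample: line 2 is the O23 entry posted in this thread; the
# other two are typical-looking entries made up for the example.
SAMPLE_HJT_LOG = r"""
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: {bee686b9-4c84-4487-9d72-9f40f051e973} - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe
"""

# Constructed sample: the two ComboFix lines posted in this thread.
SAMPLE_COMBOFIX_LOG = r"""
-------\Legacy_{BEE686B9-4C84-4487-9D72-9F40F051E973}
-------\Service_{BEE686B9-4C84-4487-9D72-9F40F051E973}
"""


def suspicious_o23_entries(hjt_log):
    """Return (GUID, owner, path) for O23 services whose whole name is a bare GUID.

    Normally registered services show up as "Display Name (ShortName)";
    a lone GUID with no short name is the pattern seen in the thread.
    """
    hits = []
    for line in hjt_log.splitlines():
        m = O23_RE.match(line.strip())
        if m and GUID_NAME_RE.match(m.group("display")):
            hits.append((m.group("display").upper(), m.group("owner"), m.group("path")))
    return hits


def combofix_guid_services(cf_log):
    """Return {GUID: {"Legacy", "Service"}} for GUID keys ComboFix reported deleting."""
    found = {}
    for line in cf_log.splitlines():
        m = COMBOFIX_RE.match(line.strip())
        if m:
            found.setdefault(m.group("guid").upper(), set()).add(m.group("kind"))
    return found


def correlate(hjt_log, cf_log):
    """GUIDs present both as a HijackThis O23 service and in ComboFix's deletions."""
    hjt_guids = {guid for guid, _owner, _path in suspicious_o23_entries(hjt_log)}
    return hjt_guids & set(combofix_guid_services(cf_log))


def main(argv):
    # Optional arguments: paths to a saved HijackThis log and a ComboFix log
    # (assumed file names); without them the constructed samples are used.
    def read(path, fallback):
        if path is None:
            return fallback
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()

    hjt = read(argv[1] if len(argv) > 1 else None, SAMPLE_HJT_LOG)
    cf = read(argv[2] if len(argv) > 2 else None, SAMPLE_COMBOFIX_LOG)
    for guid, owner, path in suspicious_o23_entries(hjt):
        print("GUID-named service: %s (%s) -> %s" % (guid, owner, path))
    for guid, kinds in combofix_guid_services(cf).items():
        print("ComboFix removed %s keys for %s" % ("/".join(sorted(kinds)), guid))
    for guid in correlate(hjt, cf):
        print("Same GUID in both logs: %s" % guid)


if __name__ == "__main__":
    main(sys.argv)
```

The script reads logs, not the live registry, so it inherits the limits of the tools that produced them: HijackThis enumerates services through the normal registry APIs, so an entry hidden from those APIs never reaches the log, which is why a negative result from this check is not the same as a clean machine.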
 

Author Comment

by:mikeabc27
ID: 22868582
"Kaspersky 30-day free trial will identify by name."
Thanks Kaddict. I do find Kaspersky really slow on an infected PC, the evaluation version anyway.

"ComboFix detects and removes the service/driver and legacy keys and files, but won't identify it by the name 'Sinowal'.

ComboFix deleted service and legacy:
-------\Legacy_{BEE686B9-4C84-4487-9D72-9F40F051E973}
-------\Service_{BEE686B9-4C84-4487-9D72-9F40F051E973}

HijackThis entry:
O23 - Service: {bee686b9-4c84-4487-9d72-9f40f051e973} - Unknown owner - C:\WINDOWS\System32\svchost.exe "

Thanks for pointing me in the right direction. Once the keys have been removed would you still recommend a reformat? Obviously, all passwords would be changed on a clean machine.
 
LVL 4

Expert Comment

by:Kaddict
ID: 22872292
Hi back,

It would be "the safest way" to format, and it should be OK without formatting, but there's always a risk with such powerful trojans.

If you reboot and scan again with the tools that found/repaired it and find nothing, it'll soothe your mind, but always remember that there's a risk.

About Kaspersky being slow: of course a powerful solution uses some more power than none or something "less powerful", but on my computer (dual core, 4 GB RAM, Vista) I can game without noticeable lag. Maybe it's just because the computer isn't very powerful, and maybe because you started with some infection that causes slowdowns too.

Happy to hear it helped!

-kaddict
 

Author Closing Comment

by:mikeabc27
ID: 31512490
Thanks
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 22876329
>>>Once the keys have been removed would you still recommend a reformat? <<<
Once the PC is clean and passwords changed it should be alright. The suggestion of reformatting is just a precaution, as it's a helper's responsibility to inform the user on PCs infected with PWS trojans.
Thanks!
 

Expert Comment

by:YNSIT
ID: 35511650

We have identified it with this program: GMER (www.gmer.net)