TROJ_SINOWAL.AD
Overview

Malware type: Trojan

Aliases: Backdoor.Win32.Sinowal.d (Kaspersky), Trojan.Mebroot (Symantec), TR/PWS.Sinowal.Gen (Avira), Mal/Sinowa-A (Sophos), PWS:Win32/Sinowal.gen!E (Microsoft)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: Yes

Overall risk rating:


Reported infections:

Damage potential:

Medium

Distribution potential:

Low

Description: 

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

TROJ_SINOWAL.AD Behavior Diagram

Malware Overview

This Trojan is downloaded unknowingly by a user when visiting a malicious Web site. It can also be dropped by other malware.

This Trojan looks for the bootable drive of the affected system. Once found, it copies the original Master Boot Record (MBR) and saves it to another location on the hard disk. It then modifies the MBR by inserting its malicious code.

It also saves some of its malicious code in another portion of the hard disk, overwriting the data of any files stored in that portion. Furthermore, it stores an embedded executable (another component), detected as RTKT_AGENT.CAV, in a random location on the hard disk drive.

It also changes the characteristics of the dropped copy so that it becomes a dynamic link library (DLL) file. It then executes the dropped DLL using REGSVR32.EXE.

After successfully executing the DLL, it reboots Windows and then deletes the initially executed malware.
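The MBR behavior described above (boot code replaced in sector 0, the original MBR saved elsewhere on the disk) is what an offline integrity check can look for. The following is an added example written for this description, not a Trend Micro tool: it parses a raw disk image, compares the sector 0 boot code against a known-good SHA-256 baseline, and scans the remaining sectors for a relocated copy of that baseline MBR. The disk image, partition entry and digests are constructed sample data.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440        # boot code is bytes 0..439; disk signature and partition table follow
PART_TABLE_OFF = 446       # four 16-byte partition entries start here
BOOT_SIG = b"\x55\xaa"     # bytes 510..511 of a valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte sector into boot code, partition entries and boot signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        raw = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        lba_start, n_sectors = struct.unpack("<II", raw[8:16])
        parts.append({"bootable": raw[0] == 0x80, "type": raw[4],
                      "lba_start": lba_start, "sectors": n_sectors})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": parts,
            "valid_signature": sector[510:512] == BOOT_SIG}

def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the boot code only, so partition-table edits do not mask a changed loader."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()

def find_mbr_copies(image: bytes, baseline_digest: str) -> list:
    """LBAs other than 0 holding a signed sector whose boot code equals the baseline MBR."""
    return [lba for lba in range(1, len(image) // SECTOR)
            if image[lba * SECTOR + 510:lba * SECTOR + 512] == BOOT_SIG
            and boot_code_digest(image[lba * SECTOR:(lba + 1) * SECTOR]) == baseline_digest]

def check_image(image: bytes, baseline_digest: str) -> list:
    """Findings: tampered sector 0 and/or a relocated copy of the original MBR."""
    mbr = parse_mbr(image[:SECTOR])
    findings = []
    if not mbr["valid_signature"]:
        findings.append("sector 0 lacks the 0x55AA boot signature")
    if boot_code_digest(image[:SECTOR]) != baseline_digest:
        findings.append("sector 0 boot code differs from the known-good baseline")
    copies = find_mbr_copies(image, baseline_digest)
    if copies:
        findings.append("baseline MBR boot code also present at LBA %s" % copies)
    return findings

# Constructed 128-sector sample image (not data from a real infection).
_part = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 63, 100) + bytes(48)
CLEAN_MBR = bytes(range(256)) + bytes(184) + bytes(6) + _part + BOOT_SIG
CLEAN_IMAGE = CLEAN_MBR + bytes(SECTOR * 127)
BASELINE = boot_code_digest(CLEAN_MBR)
# Sector 0 keeps its partition table but gets foreign boot code; original MBR is parked at LBA 62.
_tampered = b"\xeb\xfe" + bytes(438) + CLEAN_MBR[BOOT_CODE_LEN:]
INFECTED_IMAGE = _tampered + bytes(SECTOR * 61) + CLEAN_MBR + bytes(SECTOR * 65)
```

On a live system the baseline digest must come from a trusted source (a clean install or a vendor-published value), since a bootkit that hooks disk reads can return the original sector when the MBR is read from within the infected OS.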

For additional information about this threat, see:
Solution
Technical Details

Description created: Jan. 9, 2008 9:11:01 PM GMT -0800
