TrendLabs Malware Blog
Glossary
TrendWatch
TrendLabs Twitter
TROJ_SINOWAL.CI
Overview
Solution

Malware type: Backdoor

Aliases: Backdoor.Win32.Sinowal.br (Kaspersky), Trojan.Mebroot (Symantec), BDS/Sinowal.BR (Avira), Troj/Torpig-BZ (Sophos),

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

 High

Distribution potential:

 Medium

Description: 

Trend Micro threat researchers post findings and analyses on various threats in real-time at the Malware Blog. Users can find more information about this specific threat here.

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

TROJ_SINOWAL.CI Behavior Diagram

Malware Overview

This Trojan may be dropped by TROJ_SINOWAL.CB.

It looks for the bootable drive of the affected system. Once found, it copies the original Master Boot Record (MBR) and saves it to another location in the hard disk. It then modifies the MBR by inserting its malicious code.

It also saves some of its malicious code in another portion of the hard disk. As a result, data of the files saved in the said portion are replaced.

It creates a registry entry to enable its automatic execution at every system startup.

This Trojan also drops a rootkit component on the affected system. The said component modifies certain sectors of the infected hard disk. It then protects these sectors from read and write operations from antivirus or security software.

For additional information about this threat, see:
Solution
Technical Details

Description created: May. 2, 2008 5:22:05 AM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.