(Trojan-PSW.Win32.Sinowal.co, W32/Backdoor.AJNU, Win32/PSW.Sinowal.Gen, TR/PSW.Sinowal.AU)
- Presence of a service named "gb" (you can check this from the command line by typing "net start|findstr gb")
- Presence of two files named ibm00001.dll and ibm00002.dll in the folder c:\program files\common files\microsoft shared\web folders
Please let BitDefender delete the infected files. You should also scan your system in safe mode to make sure that the files have been removed successfully.
Attila Balazs, virus researcher
This arrives as a single file (usually through browser exploits) with a size of 89088 bytes. When executed it drops two files named ibm00001.dll and ibm00002.dll, with sizes of 49664 and 42496 bytes, into the folder c:\program files\common files\microsoft shared\web folders and registers a service named "gb" so that it starts again after reboot. The file ibm00001.dll implements the service component, which restarts the malware after every reboot. ibm00002.dll is injected into every running process and performs the following actions:
- Contacts the control server, which has the DNS name "vgnyarm.com" (which currently resolves to 126.96.36.199), with the backup servers "hurbia52.com" and "flickor32.com".
- Receives a list of banking sites
- Whenever such a banking site is accessed, a popup window is generated. The contents of the popup window are fetched from the control server, and the caption of the window is changed to "Advanced card verification" to hide the fact that it is a browser window.
- Additionally, the contents of form fields whose name contains at least one of the strings "login", "user", "name", "pass" or "auth" are captured and relayed back to the server.
The malware works with both Internet Explorer and Firefox / Mozilla.
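As an added example (not part of the BitDefender description), the PowerShell script below checks a Windows host for the indicators listed above: the "gb" service, the two dropped DLLs with the stated sizes, and cached DNS answers for the three control-server names. It assumes PowerShell 5.1 or later and that Get-DnsClientCache is available (Windows 8 / Server 2012 and later); the function name and output layout are my own.

```powershell
# Added example, not BitDefender's own tooling. Values below come from the description.
$ExpectedFiles = @{
    'ibm00001.dll' = 49664   # service component, size from the description
    'ibm00002.dll' = 42496   # injected component, size from the description
}
$C2Domains = @('vgnyarm.com', 'hurbia52.com', 'flickor32.com')

# The description names c:\program files\...; also look under Program Files (x86)
# on 64-bit systems, where a 32-bit dropper would land. Empty entries are dropped.
$DropFolders = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'Common Files\Microsoft Shared\web folders' }

function Get-SinowalIndicators {
    $findings = @()

    # 1. Exact-name match for the "gb" service (tighter than "net start|findstr gb",
    #    which also matches any service whose display name contains "gb").
    $svc = Get-CimInstance Win32_Service -Filter "Name='gb'" -ErrorAction SilentlyContinue
    if ($svc) {
        $findings += [pscustomobject]@{ Indicator = 'Service "gb"'; Detail = $svc.PathName; Note = $svc.State }
    }

    # 2. The two dropped DLLs. A size match strengthens the hit; a mismatch is still
    #    reported because a later variant may differ in size.
    foreach ($folder in $DropFolders) {
        foreach ($name in $ExpectedFiles.Keys) {
            $path = Join-Path $folder $name
            if (Test-Path -LiteralPath $path) {
                $len  = (Get-Item -LiteralPath $path).Length
                $note = if ($len -eq $ExpectedFiles[$name]) { 'size matches description' }
                        else { "size $len bytes differs from description" }
                $findings += [pscustomobject]@{ Indicator = "File $name"; Detail = $path; Note = $note }
            }
        }
    }

    # 3. Cached DNS answers for the control servers indicate a recent contact attempt.
    $cache = Get-DnsClientCache -ErrorAction SilentlyContinue
    foreach ($domain in $C2Domains) {
        $hit = $cache | Where-Object { $_.Entry -eq $domain -or $_.Entry -like "*.$domain" }
        if ($hit) {
            $findings += [pscustomobject]@{ Indicator = "DNS cache $domain"; Detail = ($hit.Data -join ', '); Note = 'resolved recently' }
        }
    }
    return $findings
}

$result = Get-SinowalIndicators
if ($result) { $result | Format-Table -AutoSize } else { 'No Sinowal indicators found.' }
```

Run it from an elevated prompt so the service query and the Common Files folder are readable; any hit should be followed by a full scan, including in safe mode as the removal note above advises.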