TSPY_SINOWAL.XOP
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Spyware
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This spyware may be downloaded by other malware/grayware/spyware from remote sites. It may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.
It also has rootkit capabilities, which enables it to hide its processes and files from the user.
TECHNICAL DETAILS
Arrival Details
This spyware may be downloaded by other malware/grayware/spyware from remote sites.
It may be dropped by other malware.
It may be unknowingly downloaded by a user while visiting malicious websites.
Installation
This spyware drops the following component file(s):
- %User Profile%\cload5A.dll - main DLL component
- %User Profile%\Start Menu\Programs\Startup\scantdiskc36.dll - main DLL component
- %System%\cload5A.dll - main DLL component
- %User Profile%\Start Menu\Programs\Startup\scandisk.lnk - shortcut link file that will load the component DLL
- %User Temp%\{random characters}.tmp - main DLL component
(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)
It drops the following copies of itself into the affected system:
- %User Temp%\install.exe
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)
Autostart Technique
This spyware creates the following registry entries to enable automatic execution of dropped component at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
NvCplDaemonTool = rundll32.exe %User Profile%\cload5A.dll,_IWMPEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
NvCplDaemonTool = rundll32.exe %System%\cload5A.dll,_IWMPEvents
Other System Modifications
This spyware adds the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\3
1400 = 0
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
PrivacyAdvanced = 1
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\3
{A8A88C49-5EB2-4990-A1A2-0876022C854F} = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\3
{AEBA21FA-782A-4A90-978D-B72164C80120} = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a
It deletes the following registry keys:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Control\Safeboot
HKEY_LOCAL_MACHINE\System\ControlSet001\
Control\Safeboot
HKEY_LOCAL_MACHINE\System\ControlSet002\
Control\Safeboot
Rootkit Capabilities
This spyware also has rootkit capabilities, which enables it to hide its processes and files from the user.
NOTES:
It hooks the following APIs to aid its routines:
- ADVAPI32.dll!RegDeleteValueA
- ADVAPI32.dll!RegDeleteValueW
- kernel32.dll!ExitProcess
- kernel32.dll!FindNextFileA
- kernel32.dll!FindNextFileW
- kernel32.dll!TerminateProcess
- WS2_32.dll!closesocket
- WS2_32.dll!recv
- WS2_32.dll!Send
- WS2_32.dll!send
- WS2_32.dll!WSARecv
The malware has a Domain Generation Routine based on the current date. The generated domain names are the command and control servers of the malware.
- {Eight random characters}.biz
- {Eight random characters}.com
- {Eight random characters}.net
It has the capability to monitor and intercept the Internet traffic of the affected system. It can steal banking credentials and perform clickjacking
SOLUTION
Step 1
For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.
Step 2
Identify and delete files detected as TSPY_SINOWAL.XOP using either the Startup Disk or Recovery Console
Step 3
Search and delete this file
Step 4
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- NvCplDaemonTool = rundll32.exe %User Profile%\cload5A.dll,_IWMPEvents
- NvCplDaemonTool = rundll32.exe %User Profile%\cload5A.dll,_IWMPEvents
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- NvCplDaemonTool = rundll32.exe %System%\cload5A.dll,_IWMPEvents
- NvCplDaemonTool = rundll32.exe %System%\cload5A.dll,_IWMPEvents
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
- 1400 = 0
- 1400 = 0
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
- 1400 = 0
- 1400 = 0
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- PrivacyAdvanced = 1
- PrivacyAdvanced = 1
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
- {A8A88C49-5EB2-4990-A1A2-0876022C854F} = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a
- {A8A88C49-5EB2-4990-A1A2-0876022C854F} = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
- {AEBA21FA-782A-4A90-978D-B72164C80120} = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a
- {AEBA21FA-782A-4A90-978D-B72164C80120} = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a
Step 5
Scan your computer with your Trend Micro product to delete files detected as TSPY_SINOWAL.XOP. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
NOTES:
To Restore Safe Boot Registry Settings:
- Open Notepad. To do this, click Start>Run, type Notepad in the text box provided, then press Enter.
- Copy and paste the following script:
For Windows 2000:
For Windows XP:
For Windows 2003: - Save this file as C:\RESTORE.REG..
- Click Start>Run again, type C:\RESTORE.REG in the text box provided, then press Enter.
- Click Yes at the prompt of the message box to execute the .REG file.
Did this description help? Tell us how we did.