Earlier tonight we released an urgent update for Trojan-PSW.Win32.Sinowal.u.
Sinowal is a family of password stealing Trojans which steals usernames/passwords entered via forms in an internet browser. It particularly targets certain banking domains and also has the ability to steal other locally stored passwords.
Sinowal has a special trick: when an infected user visits certain banking domains Sinowal inserts some of its own HTML code into the page. This is done to create a customized pop up which asks the user for personal info.
Sinowal variants are normally downloaded by Trojan-Downloaders which are installed by visiting certain websites which exploit security vulnerabilities in the browser or operating system.
Today the authors decided to try something different by spamming .de email addresses with an email that pretends to be from Microsoft Windows Update.
The email looks like this:
From: MS Windows Update [msrobot_donotreply|trickthespider|windowsupdate.com] Subject: Achtung! Wichtige Nachrichten von Microsoft Windows Update!
Achtung! Wichtige Nachrichten von Microsoft Windows Update!
Sehr geehrte Benutzer Microsoft Windows XP!
Gestern haben unbekannte Hacker den neuen Wurm-Virus eingesetzt. Nachdem er ins system reingreift, wird er von sich selbst nach Ihrer mailadressenliste ausgesendet, und alle Ihren Kontakte werden angesteckt. Nach der Ansteckung fängt das System instabil zu arbeiten, und der Komputer “hängt” genau nach einer Minute nach dem nächsten Hochfahren.
Um die Benutzer des Systems Microsoft Windows XP zu schützen, haben unsere
Sicherheitsspezialisten eine Erneuerung fur das System entwickelt.
Sie sollen die an den E-Mail angehängte Datei offnen damit das System erneut
wird und vollständig von neuem Wurm geschützt wird.
Mit freundlichen Grüßen,
Windows Update
Rough translation to English:
“Warning! Important notifications from Microsoft Windows Update!
Dear user of Microsoft Windows XP!
Yesterday unknown hackers have distributed a new worm-virus. When your system has been infected it will spread to people in your adress book and all your contacts will be infected. When infected the system will become unstable and will hang exactly one minute after boot.
To protect the people using Microsoft Windows XP our security specialists have developed an update.
You should run the attached file to protect yourself from the new worm.”
As you hopefully know Microsoft never sends executables along with their emails. So social engineering attempts like these can be spotted easily, at least in theory.
And don’t forget, if you got infected with Sinowal, even if you have cleaned your system you still have to change your passwords.
Trojan-PSW spammed in Germany