Trojan-PSW spammed in Germany

Earlier tonight we released an urgent update for Trojan-PSW.Win32.Sinowal.u.

Sinowal is a family of password stealing Trojans which steals usernames/passwords entered via forms in an internet browser. It particularly targets certain banking domains and also has the ability to steal other locally stored passwords.

Sinowal has a special trick: when an infected user visits certain banking domains Sinowal inserts some of its own HTML code into the page. This is done to create a customized pop up which asks the user for personal info.

Sinowal variants are normally downloaded by Trojan-Downloaders which are installed by visiting certain websites which exploit security vulnerabilities in the browser or operating system.

Today the authors decided to try something different by spamming .de email addresses with an email that pretends to be from Microsoft Windows Update.

The email looks like this:

From: MS Windows Update [msrobot_donotreply|trickthespider|windowsupdate.com] Subject: Achtung! Wichtige Nachrichten von Microsoft Windows Update!

Windows Update

Rough translation to English:

“Warning! Important notifications from Microsoft Windows Update!

Dear user of Microsoft Windows XP!

Yesterday unknown hackers have distributed a new worm-virus. When your system has been infected it will spread to people in your adress book and all your contacts will be infected. When infected the system will become unstable and will hang exactly one minute after boot.

To protect the people using Microsoft Windows XP our security specialists have developed an update.

You should run the attached file to protect yourself from the new worm.”

As you hopefully know Microsoft never sends executables along with their emails. So social engineering attempts like these can be spotted easily, at least in theory.

And don’t forget, if you got infected with Sinowal, even if you have cleaned your system you still have to change your passwords.