Sinowal virus steals identity and loots accounts.
This one is nasty!!
This virus has successfully looted bank accounts for three years! And, using information taken from your PC, it can go into other environments as well. This is not merely a virus that corrupts your hard drive and costs you time and money. Destructive as they may be, the damage is contained and local. This is about identity piracy which can wipe out savings, investments and any other financial entity that is vital to your financial security. And, it's said to be the most canny of the lot and the hardest to detect!
The architecture of this software, how it works and how it is installed is novel to say the least! After installation, it sits there waiting for the next boot cycle. If, as one example, you are logged on to automatic upgrades from MS, the software doesn't come alive until after the upgrade. When your PC is restarted, it's turned on first, before anything else in the boot cycle occurs, including the virus detection software. Then it just sits there and waits for you to log on to a site.
It then places new icons on your screen that are made to appear to be part of the normal environment. Those images are not coming from your bank's web site but from the software!
These devices prompt you to confirm your log on data, password, social security, etc. That information is then transmitted back over the Internet to the source where it is used transparently to bilk dollars.
I suggest you contact your virus protection supplier, whether it be Norton, McAfee, Microsoft, et al., and see if their existing virus detection catalogs include scans for this one. I also suggest you contact your bank's Internet support staff and make sure that they have a handle on this.
Another important point: the developers have managed to cloak the software by altering its identity on a regular basis. This plot has successfully gotten the software into host computers without detection. Because it is changing the color of its spots constantly, it is not sufficient to update your virus list anything less than daily. Yesterday's list is useless today given the aggressive nature of this software.
Since apparently this software is energized only on start up, it suggests that you should keep to an absolute minimum the number of times you reboot any computer with Internet access.
Here is a cut and paste from the article. The entire article is available via the link at the bottom of this page.
Sinowal also is unique in that it hides in the deepest recesses of a host computer, an area known as the "Master Boot Record." The MBR is akin to a computer's table of contents, a file system that loads even before the operating system boots up. According to security experts, many anti-virus programs will remain oblivious to such a fundamental compromise. What's more, completely removing the Trojan from an infected machine often requires reformatting the system and wiping any data stored on it.
The Trojan lies in wait until the victim visits one of more than 2,700 bank and e-commerce sites hard-coded into the malware, at which point it injects new Web pages or information fields into the victim's Web browser. For example, Sinowal can falsely prompt an unsuspecting victim for personal information, such as a Social Security number or password when he or she visits one of the targeted financial institution Web sites. Any stolen data is regularly uploaded to Web servers controlled by the Trojan's authors.
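As an added defender-side illustration (not part of the forwarded article or the list post): a Python check that parses a 512-byte Master Boot Record and compares a hash of its bootstrap code against a baseline captured on a known-clean machine, which is exactly the area an MBR-resident Trojan like the one described above rewrites. The sample MBR bytes are constructed here; `read_first_sector` and the device path are assumptions for a real run.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446        # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446       # four 16-byte partition entries follow
BOOT_SIG = b"\x55\xaa"     # mandatory signature at bytes 510..511

def read_first_sector(device_path: str) -> bytes:
    """Read the MBR from a raw disk device (e.g. /dev/sda); needs admin rights."""
    with open(device_path, "rb") as disk:
        return disk.read(SECTOR)

def parse_mbr(sector: bytes) -> dict:
    """Validate the MBR and return the boot-code hash plus partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i : PART_TABLE_OFF + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, n_sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:                       # type 0 means an empty slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": n_sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}

def check_mbr(sector: bytes, baseline_sha256: str) -> bool:
    """True when the bootstrap code still matches the known-good baseline."""
    return parse_mbr(sector)["boot_code_sha256"] == baseline_sha256

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test MBR: given boot stub, one NTFS entry, three empty slots."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    return code + entry + b"\x00" * 48 + BOOT_SIG

# Constructed data: baseline taken from a clean install, then a modified boot stub.
GOOD_MBR = build_sample_mbr(b"\xeb\xfe")               # JMP-to-self stub
GOOD_HASH = parse_mbr(GOOD_MBR)["boot_code_sha256"]
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe\x90\x90")   # extra bytes in boot code

if __name__ == "__main__":
    print("clean MBR matches baseline:", check_mbr(GOOD_MBR, GOOD_HASH))
    print("tampered MBR matches baseline:", check_mbr(TAMPERED_MBR, GOOD_HASH))
```

Because a boot-sector Trojan loads before the operating system, it can filter reads of the sector it occupies, so the comparison is only trustworthy when the disk is read from clean boot media rather than from the possibly infected running system.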
- Don't forget to VOTE, VOTE, VOTE ! (Actually, only vote once!) After voting, why don't you head to Mallard Lodge tonight and meet other Star Gazers that voted...! 7PM EST
Pj
Tim Milligan...please email the combination for the lock to me...my version is not current...just in case you find a pretty lady in distress and re-prioritize your priorities.
my email address is
Paul Riley <dmsg_pjr@...>
Sent by: email@example.com
11/04/2008 07:00 AM
Please respond to firstname.lastname@example.org
Subject: [delmarvastargazers] Meeting tonight
Don't forget to VOTE, VOTE, VOTE !
(Actually, only vote once!)
After voting, why don't you head to Mallard Lodge tonight and meet other Star Gazers that voted...!
- For whom do you want us to vote?
Just kidding!
On Tue, Nov 4, 2008 at 7:00 AM, Paul Riley <dmsg_pjr@...> wrote:
Don't forget to VOTE, VOTE, VOTE !
(Actually, only vote once!)
After voting, why don't you head to Mallard Lodge tonight and meet other Star Gazers that voted...!
7PM EST
Pj
"By deepening our understanding of the true nature of physical reality, we profoundly reconfigure our sense of ourselves and our experience of the universe."
- physicist Brian Greene
"Sometimes the way a message unfolds its meaning is the most important meaning it offers."
- Brooks Landon
"Why should a sequence of words be anything but a pleasure?"
- saying attributed to Gertrude Stein
- The first GRB event ever detected on the sun was picked up by the Fermi Gamma-Ray Space Telescope (formerly known as the Gamma-ray Large Area Space Telescope (GLAST)) today.
Here's the announcement message:
DATE: 08/11/04 16:34:49 GMT
FROM: Chryssa Kouveliotou at MSFC
C. Kouveliotou (NASA/MSFC) and M.S. Briggs (UAHuntsville) report on
behalf of the Fermi GBM Team:
At 20:14:42.77 UT on 02 November 2008, the Fermi GBM triggered and
located a very soft and bright event (trigger 247349683 / 081102844).
The event location was RA = 217.6 deg, dec = -15.7 deg (+/- 1.1 deg), in
excellent agreement with the Sun location. The time of the event
coincides with the solar activity reported in the GOES solar reports
(event 9790: onset at 2012 UT, max at 2015 UT, end at 2017, B5.7 flare).
This is the first GBM detection of a solar flare; future detections will
not be reported in a GCN Circular, unless they exhibit special
The GBM light curve shows a multiple peak event lasting approximately
177 s (8-30 keV). The time-averaged spectrum from T0-13.824 s to
T0+163.33 s is best fit by a single power law model with index -6.55 +/-
0.03 (chi squared 255 for 120 d.o.f.). The event fluence (8-30 keV) in
this time interval is (1.54 +/- 0.03) E-4 erg/cm^2.
The spectral analysis results presented above are preliminary.