Aliases: N/A
Variants: N/A

Classification: Malware
Category: Trojan Horse

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Hard
Platform: W32
Discovered: 15 Jul 2002
Damage: High

Characteristics: The W32.Sinista application is a Trojan horse that enables unauthorized access to the PC. It is written in the Microsoft Visual Basic (VB) programming language.

More details about W32.Sinista

The W32.Sinista program is a Trojan horse that enables unauthorized access to the PC system. It is written in the Microsoft Visual Basic (VB) programming language. It copies itself as “C:\%system%\RunDLL8.exe”, “C:\%windir%\Matrix.scr”, “C:\Windows\All users\Start menu\Programs\Startup\Nav.exe” (only under Windows Me/98/95), or “A:.exe”. The “%windir%” is a variable: the Trojan horse locates the Windows main installation folder (by default C:\Winnt or C:\Windows) and copies itself to that location. The “%system%” is also a variable: the Trojan horse locates the System folder, which by default is C:\Winnt\System32 (Windows NT/2000), C:\Windows\System (Windows 95/98/Me), or C:\Windows\System32 (Windows XP), and copies itself to that location.

This Trojan may enter a computer through security errors and system vulnerabilities. It may be downloaded by another Trojan application already on the computer. It may also be downloaded automatically when the user visits websites that are not secure. This happens when the affected computer is not protected by a security program or a firewall.

W32.Sinista creates the “current version\run” subkey in the registry key and adds the value “RunDLL C:\%System%\RunDLL8.exe” to this subkey. Because of a bug in the Trojan's code, “C:\%System%\RunDLL8.exe” is not run when Windows restarts. The Trojan horse also adds a value to the registry key that refers to its copy on drive A. The Trojan horse then adds the line “run=C:\Windows\matrix.scr” to the “[windows]” section of the “Win.ini” file. This causes the Trojan horse to run when Windows starts.
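
The Win.ini persistence described above can be checked for during triage. The following is an added example, not part of the original write-up: it parses the text of a Win.ini file, collects the programs listed on `run=` and `load=` lines of the `[windows]` section, and flags any whose file name matches the copies named above. The function names, the inclusion of `load=`, and the sample file are assumptions made for illustration.

```python
import ntpath
import re

# File names the write-up above attributes to W32.Sinista copies.
SINISTA_NAMES = {"rundll8.exe", "matrix.scr", "nav.exe"}

def autostart_entries(win_ini_text):
    """Return (key, path) pairs from run=/load= lines in the [windows] section."""
    entries, section = [], None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip().lower()  # section names are case-insensitive
            continue
        if section != "windows" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in ("run", "load"):
            # Several programs may be listed, separated by spaces or commas
            # (assumes short paths without embedded spaces).
            for item in re.split(r"[,\s]+", value.strip()):
                if item:
                    entries.append((key, item))
    return entries

def flag_sinista(win_ini_text):
    """Return autostart paths whose file name matches a listed Sinista copy."""
    return [path for _, path in autostart_entries(win_ini_text)
            if ntpath.basename(path).lower() in SINISTA_NAMES]

# Constructed sample Win.ini for illustration, not taken from an infected machine.
SAMPLE_WIN_INI = r"""
; constructed example
[windows]
load=C:\Tools\clock.exe
Run=C:\Windows\matrix.scr C:\Tools\backup.exe
[fonts]
run=C:\Windows\matrix.scr
"""

if __name__ == "__main__":
    for hit in flag_sinista(SAMPLE_WIN_INI):
        print("suspicious autostart entry:", hit)
```

A file-name match is only a triage hint; the flagged file still has to be examined before it is treated as a copy of the Trojan.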