I don't think current Sinowal is easy to detect. If you do a Google on it, you find loads of detection and removal instructions but they are all obsolete - a year old or more. They all involve looking for certain files, etc. None of them work.
I agree that running under another O/S is the way to do this...
I did phone Zen; I agree they are a great company (which is why I have been with them for years) but in this case they had nothing to say. They seem to subscribe to some outfit which emails them notifications of dodgy activity versus IP or IP range.