Win32/Tinba [Threat Name]

Win32/Tinba.AA [Threat Variant Name]

Category trojan
Size 19968 B
Detection created Jun 06, 2012
Detection database version 7200
Aliases Trojan:Win32/Tinba.A (Microsoft)
Short description

Win32/Tinba.AA is a trojan that can interfere with the operation of certain applications. The trojan collects information used to access certain sites. The trojan attempts to send gathered information to a remote machine.

Installation

When executed, the trojan copies itself into the following location:

  • %allusersprofile%\Application Data\default\bin.exe

In order to be executed on system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "(Default)" = "%allusersprofile%\Application Data\default\bin.exe"

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "1609" = 0

The trojan attempts to modify the following file:

  • %appdata%\Mozilla\Firefox\Profiles\%profile%\user.js

The trojan writes the following entries to the file:

  • user_pref("security.warn_submit_insecure",false);
  • user_pref("security.warn_viewing_mixed",false);
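The Registry entries and the Firefox user.js preferences listed above are host artifacts a defender can audit for directly. The following is an added example, not part of the ESET entry: it parses a Windows .reg export and a user.js file as text and reports the Run-key persistence value, the Zone 3 "1609" = 0 setting, and the two disabled Firefox security warnings. The sample .reg and user.js inputs are constructed for the demonstration (the %allusersprofile% expansion shown is the Windows XP one and is an assumption), and the helper names are the example's own.

```python
"""Defender-side check for the Win32/Tinba.AA host artifacts described on this page.

Added example, not part of the ESET entry. Inputs are plain text: a Windows .reg
export (as produced by `reg export`) and the contents of a Firefox profile's
user.js. The sample inputs at the bottom are constructed, not captured.
"""
import re

# Persistence: Run key whose "(Default)" value points at ...\Application Data\default\bin.exe
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_PAYLOAD_SUFFIX = r"\application data\default\bin.exe"

# Internet Explorer Internet Zone (3): value "1609" = 0 as set by the trojan
ZONE3_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
             r"\Internet Settings\Zones\3")

# Firefox preferences the trojan writes to user.js (both set to false)
TINBA_PREFS = {"security.warn_submit_insecure", "security.warn_viewing_mixed"}

# One user_pref(...) statement; several may share a single line, as in the page's listing
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);')


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_value}} from a .reg export.

    '@' is the default value; value names are stored without their quotes.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line:
            name, _, value = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            keys[current][name] = value.strip()
    return keys


def parse_user_js(text):
    """Return {pref_name: literal} for every user_pref(...) statement in the file."""
    return {m.group(1): m.group(2) for m in PREF_RE.finditer(text)}


def scan_artifacts(reg_text, user_js_text):
    """Return a list of human-readable findings; an empty list means no artifact matched."""
    findings = []
    keys = parse_reg_export(reg_text)

    # .reg exports escape backslashes in REG_SZ data, so undo that before comparing paths
    run = keys.get(RUN_KEY, {})
    default = run.get("(Default)", "").strip('"').replace("\\\\", "\\").lower()
    if default.endswith(RUN_PAYLOAD_SUFFIX):
        findings.append(f"Run key (Default) points at Tinba path: {default}")

    zone3 = keys.get(ZONE3_KEY, {})
    if zone3.get("1609", "").lower() in ("dword:00000000", "0"):
        findings.append("Internet Zone 3 value 1609 is 0")

    prefs = parse_user_js(user_js_text)
    disabled = sorted(p for p in TINBA_PREFS if prefs.get(p) == "false")
    if disabled:
        findings.append("user.js disables Firefox security warnings: " + ", ".join(disabled))
    return findings


# Constructed sample inputs (not from a real infection); the Run value uses the
# Windows XP expansion of %allusersprofile%.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
@="C:\\Documents and Settings\\All Users\\Application Data\\default\\bin.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1609"=dword:00000000
"""

SAMPLE_USER_JS = (
    'user_pref("browser.startup.homepage", "about:home");\n'
    'user_pref("security.warn_submit_insecure",false);user_pref("security.warn_viewing_mixed",false);\n'
)

if __name__ == "__main__":
    for finding in scan_artifacts(SAMPLE_REG, SAMPLE_USER_JS):
        print("FINDING:", finding)
```

Feed it the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion <file>` and each profile's user.js to run it against a real host; the path comparison is case-insensitive and only looks at the trailing `\Application Data\default\bin.exe` so it is independent of how %allusersprofile% expands.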

The trojan creates and runs a new thread with its own program code within the following processes:

  • %system%\winver.exe
  • explorer.exe
  • iexplore.exe
  • firefox.exe
  • chrome.exe

Information stealing

The trojan acquires data and commands from a remote computer or the Internet.

The trojan collects information used to access the following sites:

  • https://*
  • *accounts.google.*/ServiceLoginAuth*
  • *facebook.*/login.php*
  • *service.gmx.*/cgi/login*

The trojan can modify network traffic.
The trojan collects the following information:

  • disk serial number (without spaces)

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan contains a list of 5 URLs.

It tries to download several files from the addresses.

These are stored in the following locations:

  • %allusersprofile%\Application Data\default\bin.exe
  • %allusersprofile%\Application Data\default\cfg.dat
  • %allusersprofile%\Application Data\default\web.dat

The HTTP protocol is used.
The trojan hooks the following Windows APIs:

  • HttpQueryInfoA (wininet.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • InternetCloseHandle (wininet.dll)
  • InternetQueryDataAvailable (wininet.dll)
  • InternetReadFile (wininet.dll)
  • PR_Write (nspr4.dll)
  • PR_Read (nspr4.dll)
  • PR_Close (nspr4.dll)
  • PR_DestroyPollableEvent (nspr4.dll)
