Win32/Tinba [Threat Name]

Win32/Tinba.AH [Threat Variant Name]

Category trojan
Size 50136 B
Detection created Nov 08, 2012
Detection database version 7672
Aliases Trojan-Spy.Win32.SpyEyes.agqh (Kaspersky)
  Trojan:Win32/Tinba.A (Microsoft)
Short description

Win32/Tinba.AH is a trojan that steals sensitive information. The trojan is usually part of other malware.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\klk3pqs\z3t.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "klk3pqs" = "%appdata%\klk3pqs\z3t.exe"

The following Registry entry is set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "1609" = 0

The trojan can modify the following file:

  • %appdata%\Mozilla\Firefox\%profile%\user.js

The trojan writes the following entries to the file:

  • user_pref("security.warn_submit_insecure",false);
  • user_pref("security.warn_viewing_mixed",false);
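As an added triage example that is not part of the ESET entry, the following Python routine scans a collected Firefox user.js and a .reg text export for the persistence value, the zone-3 "1609" override and the two Firefox preferences listed above. The sample inputs and the finding labels are constructed for this example, and the registry match tolerates an expanded %appdata% path as it would appear on a live host.

```python
import re

# Indicators taken from the entry above; sample inputs below are constructed.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
ZONE3_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
             r"\Internet Settings\Zones\3")
RUN_VALUE, RUN_PATH_TAIL = "klk3pqs", r"klk3pqs\z3t.exe"
# Both prefs, forced to false, silence the warnings Firefox shows when a page
# mixes HTTPS and HTTP content or submits a form over plain HTTP.
TARGET_PREFS = {"security.warn_submit_insecure", "security.warn_viewing_mixed"}

# The entries are written on one line, so scan with a regex rather than per line.
USER_PREF_RE = re.compile(r'user_pref\(\s*"([^"]+)"\s*,\s*([^)]+?)\s*\)\s*;')
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

SAMPLE_USER_JS = ('user_pref("browser.startup.page", 1);\n'
                  'user_pref("security.warn_submit_insecure",false);'
                  'user_pref("security.warn_viewing_mixed",false);\n')
SAMPLE_REG = (f"[{RUN_KEY}]\n"
              r'"klk3pqs"="C:\\Users\\victim\\AppData\\Roaming\\klk3pqs\\z3t.exe"' "\n\n"
              f"[{ZONE3_KEY}]\n"
              '"1609"=dword:00000000\n')

def firefox_findings(user_js_text):
    """Return the monitored prefs that user.js forces to false, sorted."""
    return sorted(name for name, value in USER_PREF_RE.findall(user_js_text)
                  if name in TARGET_PREFS and value.strip() == "false")

def parse_reg_export(reg_text):
    """Parse a .reg text export into {key: {value_name: raw_data}}."""
    keys, current = {}, None
    for line in (raw.strip() for raw in reg_text.splitlines()):
        if m := REG_KEY_RE.match(line):
            current = m.group(1)
            keys.setdefault(current, {})
        elif current is not None and (m := REG_VALUE_RE.match(line)):
            keys[current][m.group(1)] = m.group(2)
    return keys

def registry_findings(reg_text):
    """Flag the Run persistence value and the Internet-zone 1609 override."""
    keys, findings = parse_reg_export(reg_text), []
    run_data = keys.get(RUN_KEY, {}).get(RUN_VALUE, "")
    # .reg exports escape backslashes in string data as "\\"; undo that first.
    if RUN_PATH_TAIL.lower() in run_data.strip('"').replace("\\\\", "\\").lower():
        findings.append("run_persistence:" + RUN_VALUE)
    # 1609 is IE's "Display mixed content" action; 0 means enabled without a prompt.
    if keys.get(ZONE3_KEY, {}).get("1609", "").lower() == "dword:00000000":
        findings.append("ie_zone3_1609_mixed_content_enabled")
    return findings
```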

The trojan launches the following processes:

  • winver.exe

The trojan creates and runs a new thread with its own code within these running processes.


The trojan creates and runs a new thread with its own program code within the following processes:

  • chrome.exe
  • explorer.exe
  • firefox.exe
  • iexplore.exe

Information stealing

Win32/Tinba.AH is a trojan that steals sensitive information.


The trojan collects sensitive information when the user browses certain web sites.


The following programs are affected:

  • Google Chrome
  • Internet Explorer
  • Mozilla Firefox

The trojan can send the information to a remote machine.


The trojan contains a URL. The HTTP protocol is used.

Other information

The trojan hooks the following Windows APIs:

  • HttpQueryInfoA (wininet.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • InternetCloseHandle (wininet.dll)
  • InternetQueryDataAvailable (wininet.dll)
  • InternetReadFile (wininet.dll)
  • PR_DestroyPollableEvent (nspr4.dll)
  • PR_Read (nspr4.dll)
  • PR_Write (nspr4.dll)

It can execute the following operations:

  • monitor network traffic
  • modify network traffic
  • modify website content
  • block access to specific websites
