Win32/Tinba [Threat Name]

Win32/Tinba.BA [Threat Variant Name]

Category trojan
Size 184320 B
Detection created Aug 01, 2014
Detection database version 10187
Aliases Trojan.Win32.Tinba.ip (Kaspersky)
  Pakes.NAJ.trojan (AVG)
Short description

Win32/Tinba.BA is a trojan that steals sensitive information.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\SpeechEngines\spcommon.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "SpeechEngines" = "%appdata%\SpeechEngines\spcommon.exe"

The following Registry entry is set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    • "TabProcGrowth" = 1

The trojan launches the following processes:

  • hh.exe

The trojan creates and runs a new thread with its own code within these running processes.


The trojan creates and runs a new thread with its own program code within the following processes:

  • chrome.exe
  • firefox.exe
  • iexplore.exe
  • maxthon.exe

Information stealing

Win32/Tinba.BA is a trojan that steals sensitive information.


The trojan collects sensitive information when the user browses certain web sites.


The following programs are affected:

  • Google Chrome
  • Internet Explorer
  • Maxthon Cloud Browser
  • Mozilla Firefox

The trojan can send the information to a remote machine.


The trojan contains a list of (2) URLs. The HTTP protocol is used.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • uninstall itself
  • monitor network traffic
  • modify network traffic
  • modify the content of websites
  • block access to specific websites
  • redirect network traffic

The trojan keeps various information in the following files:

  • %appdata%\SpeechEngines\version.dat
  • %appdata%\SpeechEngines\InkObj.dat
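The persistence entries under Installation and the data files listed just above are the host artefacts a responder would look for. The following is an added triage example, not part of the ESET description: it parses a `.reg` export (as produced by `reg export`) and a list of file paths, and reports the indicators from this page. The `SAMPLE_REG` and `SAMPLE_FILES` values are constructed for the example; `%appdata%` is matched as a path suffix because its expansion differs per user and Windows version. `TabProcGrowth = 1` is a legitimate Internet Explorer setting, so the code reports it only as corroboration when the Run-key persistence is also present.

```python
import re
from typing import Dict, List

# Indicators copied from the Win32/Tinba.BA description on this page.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
IE_MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
RUN_VALUE_NAME = "SpeechEngines"
DROPPED_FILES = (                      # matched as case-insensitive path suffixes
    r"\SpeechEngines\spcommon.exe",
    r"\SpeechEngines\version.dat",
    r"\SpeechEngines\InkObj.dat",
)

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: a backslash escapes the character after it."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the subset of .reg syntax needed here: keys, string values and dword values.
    Other value types (hex:, multi-line data, the @ default value) are kept raw or skipped."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = _unescape(m.group(1)), m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                keys[current][name] = _unescape(data[1:-1])
            elif data.lower().startswith("dword:"):
                keys[current][name] = int(data[6:], 16)
            else:
                keys[current][name] = data
    return keys


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def triage(reg_text: str, file_paths: List[str]) -> Dict[str, List[str]]:
    """Return Tinba.BA indicators found in a .reg export and a list of file paths.

    'strong': Run-key persistence matching the page (value name or dropped binary path)
    'weak'  : TabProcGrowth = 1 in the IE Main key; a legitimate tuning value that is
              only reported when a strong indicator is also present
    'files' : paths ending in one of the dropped/data file names
    """
    keys = {k.lower(): v for k, v in parse_reg_export(reg_text).items()}
    strong, weak = [], []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        if name.lower() == RUN_VALUE_NAME.lower() or (
            isinstance(data, str) and _norm(DROPPED_FILES[0]) in _norm(data)
        ):
            strong.append(f"{RUN_KEY}\\{name} = {data!r}")
    ie_main = {n.lower(): v for n, v in keys.get(IE_MAIN_KEY.lower(), {}).items()}
    if strong and ie_main.get("tabprocgrowth") == 1:
        weak.append(f"{IE_MAIN_KEY}\\TabProcGrowth = 1")
    files = [p for p in file_paths
             if any(_norm(p).endswith(_norm(d)) for d in DROPPED_FILES)]
    return {"strong": strong, "weak": weak, "files": files}


# Constructed sample export and directory listing for an infected profile (not real data).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"SpeechEngines"="C:\\Users\\alice\\AppData\\Roaming\\SpeechEngines\\spcommon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"TabProcGrowth"=dword:00000001
"Start Page"="https://www.example.com/"
'''
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\SpeechEngines\spcommon.exe",
    r"C:\Users\alice\AppData\Roaming\SpeechEngines\version.dat",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Themes\slideshow.ini",
]

if __name__ == "__main__":
    for level, items in triage(SAMPLE_REG, SAMPLE_FILES).items():
        for item in items:
            print(f"[{level}] {item}")
```

On a live host the same function can be fed the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and a recursive listing of `%appdata%`; a hit on the Run value or the `spcommon.exe` path is the actionable finding, while the IE value on its own is not.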

The trojan hooks the following Windows APIs:

  • HttpOpenRequestA (wininet.dll)
  • HttpOpenRequestW (wininet.dll)
  • HttpQueryInfoA (wininet.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • InternetCloseHandle (wininet.dll)
  • InternetQueryDataAvailable (wininet.dll)
  • InternetReadFile (wininet.dll)
  • PR_Close (nss3.dll)
  • PR_Read (nss3.dll)
  • PR_Write (nss3.dll)
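The hooked functions above are the request, read and write paths of WinInet and NSS, which is what lets the trojan read form data and rewrite page content inside the browser. The page does not say how the hooks are installed; the added example below assumes inline (user-mode) hooks, the usual technique, and shows a memory-integrity check over the first bytes of each exported function: a prologue that starts with a `jmp rel32`, `jmp [abs32]` or `push imm32; ret` is classified, and a control transfer to an address outside the exporting module is flagged. This is example code, not ESET's tooling; the export table, module ranges and prologue bytes (`SAMPLE_EXPORTS`, `SAMPLE_MODULES`) are constructed, with `8B FF 55 8B EC` standing in for the standard x86 hot-patchable prologue of an unhooked API.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Subset of the APIs listed on the page; x86 addresses and bytes below are constructed.
def classify_prologue(first_bytes: bytes, func_va: int) -> Tuple[str, Optional[int]]:
    """Classify the first bytes of an exported function.

    Returns (kind, target_va); target_va is the redirection address when it can be
    derived without reading further memory (None for the indirect jmp, whose operand is
    a pointer slot rather than the destination)."""
    b = first_bytes
    if len(b) >= 5 and b[0] == 0xE9:                   # jmp rel32: target = next insn + rel
        rel = struct.unpack_from("<i", b, 1)[0]
        return "jmp_rel32", (func_va + 5 + rel) & 0xFFFFFFFF
    if len(b) >= 6 and b[0] == 0xFF and b[1] == 0x25:  # jmp dword ptr [abs32]
        return "jmp_indirect", None
    if len(b) >= 6 and b[0] == 0x68 and b[5] == 0xC3:  # push imm32 ; ret
        return "push_ret", struct.unpack_from("<I", b, 1)[0]
    return "clean", None


def check_exports(exports: List[Tuple[str, str, int, bytes]],
                  modules: Dict[str, Tuple[int, int]]) -> List[dict]:
    """exports: (dll, api, func_va, first_bytes); modules: dll -> (base, size).
    Returns one finding per export whose prologue is a control transfer; 'in_module'
    is True when the target stays inside the exporting DLL (e.g. a compiler tail jump)."""
    findings = []
    for dll, api, va, prologue in exports:
        kind, target = classify_prologue(prologue, va)
        if kind == "clean":
            continue
        base, size = modules[dll]
        in_module = target is not None and base <= target < base + size
        findings.append({"api": f"{api} ({dll})", "kind": kind,
                         "target": target, "in_module": in_module})
    return findings


def suspicious(findings: List[dict]) -> List[str]:
    """Exports whose first instruction leaves the module: the lead worth investigating."""
    return [f["api"] for f in findings if not f["in_module"]]


def _jmp_rel32(from_va: int, to_va: int) -> bytes:
    return b"\xE9" + struct.pack("<i", to_va - (from_va + 5))


# Constructed snapshot: wininet.dll and nss3.dll ranges plus four export prologues.
SAMPLE_MODULES = {"wininet.dll": (0x76A00000, 0x180000), "nss3.dll": (0x6B000000, 0x200000)}
SAMPLE_EXPORTS = [
    # unhooked hot-patchable prologue: mov edi,edi ; push ebp ; mov ebp,esp
    ("wininet.dll", "HttpSendRequestA", 0x76A2B3C0, b"\x8B\xFF\x55\x8B\xEC"),
    # benign tail jump to another routine inside wininet.dll
    ("wininet.dll", "HttpQueryInfoA", 0x76A2C000, _jmp_rel32(0x76A2C000, 0x76A2C800)),
    # prologue overwritten with a jmp into an unbacked region outside any listed module
    ("wininet.dll", "InternetReadFile", 0x76A31F20, _jmp_rel32(0x76A31F20, 0x00E71000)),
    # push/ret trampoline leaving nss3.dll
    ("nss3.dll", "PR_Write", 0x6B0A4D10, b"\x68" + struct.pack("<I", 0x00E72000) + b"\xC3"),
]

if __name__ == "__main__":
    for f in check_exports(SAMPLE_EXPORTS, SAMPLE_MODULES):
        print(f"{f['api']:32} {f['kind']:12} target={f['target']!r:>12} in_module={f['in_module']}")
    print("suspicious:", suspicious(check_exports(SAMPLE_EXPORTS, SAMPLE_MODULES)))
```

A prologue that jumps out of its module is a lead, not a verdict: security products and other legitimate software patch these same WinInet and NSS entry points, so the next step is to attribute the target address to a mapped module (or find that it is unbacked memory, as in the constructed case) before treating it as the trojan's injected thread.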
