Win32/Tinxy [Threat Name]

Win32/Tinxy.BJ [Threat Variant Name]

Category trojan
Size 223744 B
Detection created Mar 26, 2010
Detection database version 4978
Aliases Net-Worm.Win32.Koobface.fym (Kaspersky)
  W32.Koobface (Symantec)
  Generic.dx!srq (McAfee)
Short description

The trojan serves as a proxy server.

Installation

When executed, the trojan creates the following files (%system% is the Windows system directory, e.g. C:\Windows\System32):

  • %system%\clbcoko.dll
  • %system%\drivers\mrxoko.sys
  • %temp%\w3oko.bat

The trojan registers itself as a system service using the following name:

  • DHCP Shortcut List Redirector

The trojan executes the following commands:

  • netsh firewall add allowedprogram name="ST330 OKO service" program="%SystemRoot%\system32\svchost.exe" mode=ENABLE
  • netsh firewall add portopening tcp 8085 "MyOKOPort" ENABLE

These commands add two exceptions to the Windows Firewall: one that allows svchost.exe (the process that will host the trojan's service DLL) and one that opens inbound TCP port 8085, on which the trojan's proxy listens.


The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swoko]
    • "FailureActions" = 00000000000000000000000003000000140000000100000060EA00000100000060EA00000100000060EA0000
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swoko\Parameters]
    • "ServiceDll" = "%system%\clbcoko.dll"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
    • "termsvc" = "swoko"

Together these entries make the swoko service run inside svchost.exe (in a service group named termsvc) with clbcoko.dll as its service DLL, which is why the firewall exception above is granted to svchost.exe rather than to a file of the trojan's own. The FailureActions data tells the Service Control Manager to restart the service automatically (three SC_ACTION_RESTART actions with a 60000 ms delay each) if it stops.

The trojan deletes the original file.
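The artifacts above (dropped files, the swoko service and its svchost group, the firewall port exception, the listener on 8085) can be checked with the script below. It is an added triage example, not code from ESET or from the malware. The matching logic works on a plain dict so it can be exercised off-box; collect_snapshot() fills that dict on a live Windows host. The firewall registry path it reads is an assumption about where pre-Vista Windows stores "netsh firewall add portopening" entries, and a loopback connection to port 8085 only shows that something listens there, not what.

```python
"""
Added triage example, not ESET's or the malware's code: check a Windows host
for the Win32/Tinxy.BJ installation artifacts described above.
"""
import os
import socket
import sys

# Dropped files from the description (%system% is the System32 directory).
DROPPED_FILES = [
    r"%SystemRoot%\system32\clbcoko.dll",
    r"%SystemRoot%\system32\drivers\mrxoko.sys",
    r"%TEMP%\w3oko.bat",
]
SERVICE_PARAMS_KEY = r"SYSTEM\CurrentControlSet\Services\swoko\Parameters"
SVCHOST_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"
SVCHOST_GROUP = "termsvc"
# Assumption: on pre-Vista Windows, "netsh firewall add portopening" stores
# its entries as values named "<port>:<proto>" under this key.
FW_PORTS_KEY = (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                r"\FirewallPolicy\StandardProfile\GloballyOpenPorts\List")
PROXY_PORT = 8085


def match_indicators(snapshot):
    """Evaluate a snapshot dict against the Tinxy.BJ artifacts.

    Keys (all optional): files (dropped-file paths that exist), service_dll
    (ServiceDll of the swoko service), svchost_group (service names in the
    termsvc group), fw_port_values (value names under the firewall key),
    port_listening (bool). Returns a list of hits; empty means no match.
    """
    hits = []
    for path in snapshot.get("files", ()):
        hits.append(f"dropped file present: {path}")
    dll = snapshot.get("service_dll") or ""
    if dll.lower().endswith("clbcoko.dll"):
        hits.append(f"service swoko uses ServiceDll {dll}")
    group = snapshot.get("svchost_group") or []
    if isinstance(group, str):          # REG_SZ instead of REG_MULTI_SZ
        group = [group]
    if any(name.lower() == "swoko" for name in group):
        hits.append(f"svchost group {SVCHOST_GROUP} lists service swoko")
    if f"{PROXY_PORT}:TCP" in snapshot.get("fw_port_values", ()):
        hits.append(f"firewall exception for TCP {PROXY_PORT} (MyOKOPort)")
    if snapshot.get("port_listening"):
        # Weak on its own: any program may use 8085. Report as corroboration.
        hits.append(f"a listener accepts connections on 127.0.0.1:{PROXY_PORT}")
    return hits


def _reg_value(subkey, name):
    """Read one HKLM value; None if the key or value is absent."""
    import winreg  # Windows only
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            return winreg.QueryValueEx(key, name)[0]
    except OSError:
        return None


def _reg_value_names(subkey):
    """Enumerate value names under an HKLM key; empty set if absent."""
    import winreg  # Windows only
    names = set()
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            index = 0
            while True:
                try:
                    names.add(winreg.EnumValue(key, index)[0])
                except OSError:      # no more values
                    break
                index += 1
    except OSError:
        pass
    return names


def collect_snapshot():
    """Gather the snapshot from a live Windows host."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("live collection only works on Windows")
    present = [os.path.expandvars(t) for t in DROPPED_FILES
               if os.path.exists(os.path.expandvars(t))]
    listening = False
    try:
        with socket.create_connection(("127.0.0.1", PROXY_PORT), timeout=1):
            listening = True
    except OSError:
        pass
    return {
        "files": present,
        "service_dll": _reg_value(SERVICE_PARAMS_KEY, "ServiceDll"),
        "svchost_group": _reg_value(SVCHOST_KEY, SVCHOST_GROUP),  # list for REG_MULTI_SZ
        "fw_port_values": _reg_value_names(FW_PORTS_KEY),
        "port_listening": listening,
    }


if __name__ == "__main__":
    for line in match_indicators(collect_snapshot()) or ["no Tinxy.BJ artifacts found"]:
        print(line)
```

Run it as an administrator so the HKLM keys and the drivers directory are readable; a clean machine yields no hits, and the genuine termsvcs group (which lists TermService) is deliberately not reported.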

Other information

The trojan listens on TCP port 8085, where it runs an HTTP proxy.

The trojan can modify the data downloaded through this proxy.


The trojan blocks access to any domain whose name contains one of the following strings:

  • .iobit.com
  • .nai.com
  • 2-spyware.com
  • a-2.org
  • agnitum
  • ahnlab.com
  • aluriasoftware
  • antirootkit
  • anti-spy.info
  • antispywareoffensief
  • anti-trojan
  • antivir
  • antiviraldp
  • anti-virus
  • antivirus.com
  • antiy.net
  • attechnical
  • authentium
  • avast
  • avertlabs.com
  • avg.
  • avgate.net
  • avgfrance
  • avira.com
  • avp.
  • bitdefender
  • blackice
  • bleepingcomputer
  • bullguard.com
  • ccsoftware
  • centralcommand
  • clamav.net
  • cloudantivirus
  • combofix.org
  • commandondemand.com
  • comodo.com
  • cybertechhelp
  • deerfield
  • dialognauka
  • diamondcs
  • download.microsoft.com
  • drsolomon
  • drweb
  • eicar
  • emisoft
  • esafe
  • eset
  • exterminate-it.com
  • fileburst
  • finjan
  • fmsinc
  • forospyware
  • fortiguard
  • fortinet.com
  • f-prot.com
  • free-av
  • freeav.net
  • freefixer.com
  • freemirror.org
  • freerav.com
  • f-secure
  • gdata.de
  • gdatasoftware.com
  • gecadsoftware
  • geekstogo.com
  • gladiator-antivirus
  • gmer.net
  • greatis.com
  • grisoft
  • gwava
  • hackerwatch
  • help2go.com
  • hijackfree
  • hijackthis
  • housecall
  • iavs.cz
  • ieupdate
  • ikarus.
  • ika-rus.com
  • ikarus-software
  • incodesolutions.com
  • inline-software
  • javacoolsoftware
  • jiangmin
  • k7antivirus
  • k7computing.com
  • kaspersky
  • kerio
  • k-otik
  • lavasoft
  • liutilities
  • looknstop
  • maddoktor2.com
  • majorgeeks.com
  • malekal.com
  • malwarebytes
  • malwareremoval
  • malwareteks
  • mcafee
  • megasecurity
  • microworldsystems
  • misec
  • moosoft
  • myantispyware.com
  • my-etrust
  • networkassociates
  • noadware
  • nod32
  • norman.com
  • norman.no
  • norton.com
  • nprotect.com
  • nsclean
  • onecare.live
  • openantivirus
  • pandasecurity
  • pandasoftware
  • pc1news.com
  • pcastuces.com
  • pctools.com
  • pestpatrol
  • prevx.
  • prevx1.
  • psnw.
  • pspl.
  • quickheal.co.in
  • ravantivirus
  • risingav
  • rising-global
  • rising-russia
  • runscanner
  • safer-networking
  • safetynet
  • sald.com
  • securelist
  • securitoo
  • securitycadets
  • secuser
  • silentrunners
  • simplysup
  • sophos
  • spyblocker-software
  • spybot.info
  • spycop
  • spynet.microsoft
  • spynet2.microsoft
  • spynettest.microsoft
  • spywarefri
  • spywareguide
  • spywarehammer
  • spywareinfo
  • spywareinfoforum
  • spywarewarrior
  • stiller
  • stopbadware
  • sunbeltsecurity
  • sunbeltsoftware
  • superantispyware
  • sybari
  • sygate
  • symantec
  • sysinternals.com
  • tallemu
  • techguy.org
  • thespykiller
  • threatexpert.com
  • threatfire.com
  • threatsense
  • tinysoftware
  • toonbox
  • trapware
  • trendmicro
  • trend-micro
  • trendsecure
  • trojaner-board
  • turvamies
  • viguard
  • virscan.org
  • virusbuster
  • virusinfo.info
  • viruslist
  • virustorjunta.net
  • virustotal
  • visualizesoftware
  • vsantivirus
  • whatthetech
  • wilderssecurity
  • wildlist
  • windowsupdate
  • winpatrol
  • x-cleaner
  • zebulon.fr
  • zeylstra
  • z-oleg.com
  • zonealarm.com
  • zonelabs
  • zonelog

The trojan may display the following message:

Please enable Javascript to ensure correct displaying of this content and refresh this page.