Win32/Alinaos [Threat Name]

Win32/Alinaos.E [Threat Variant Name]

Category: trojan
Size: 155136 B
Detection created: Jul 12, 2014
Detection database version: 10087
Aliases: TrojanSpy:Win32/Alinaos.G (Microsoft), Win32:Wirenet-G (Avast)

Short description

Win32/Alinaos.E is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\Install\teamviewer.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "teamviewer" = "%appdata%\Install\teamviewer.exe"

The trojan creates the following file:

  • %appdata%\Install\ntfs.dat

The trojan may create the following folders:

  • %appdata%\{89C7131A-4A0B-44B8-9527-F097EF67E9E3}

Information stealing

The trojan collects the following information:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • credit card information
  • list of disk devices and their type
  • computer name

The trojan steals login credentials related to the following applications:

  • WinVNC
  • RealVNC
  • TigerVNC

The trojan attempts to send gathered information to a remote machine. The trojan sends the information via e-mail.

Other information

The trojan acquires data and commands from a remote computer or the Internet. The trojan contains a URL address. The HTTP protocol is used in the communication.

It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • terminate running processes
  • delete files

The following programs are terminated:

  • %appdata%\kos.exe
  • %appdata%\kos1.exe
  • %appdata%\kos2.exe
  • %appdata%\kos3.exe
  • %appdata%\kos4.exe
  • %appdata%\kos5.exe
  • %appdata%\kos6.exe

The trojan attempts to delete the following files:

  • %appdata%\kos.exe
  • %appdata%\kos1.exe
  • %appdata%\kos2.exe
  • %appdata%\kos3.exe
  • %appdata%\kos4.exe
  • %appdata%\kos5.exe
  • %appdata%\kos6.exe
  • %temp%\Qiqovaben.dll
  • %temp%\Rimogivofeh.dll
  • %temp%\Luwatigoril.dll
  • %temp%\Cebakiro.ohu
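
The installation and cleanup artifacts listed in this description can be matched against endpoint telemetry. The following is an added example, not part of the original description or any vendor tooling. The event schema (host, type, target, details), the profile paths assumed behind %appdata% and %temp%, and the sample events are assumptions constructed for illustration.

```python
import re

# Assumption: default profile layout behind %appdata% and %temp%.
APPDATA = r"[a-z]:\\users\\[^\\]+\\appdata\\roaming"
TEMP = r"[a-z]:\\users\\[^\\]+\\appdata\\local\\temp"
def rx(pattern):
    return re.compile(pattern, re.I)  # Windows paths are case-insensitive

RUN_VALUE = rx(r"\\software\\microsoft\\windows\\currentversion\\run\\teamviewer$")
COPY_PATH = rx(APPDATA + r"\\install\\teamviewer\.exe")
RULES = [  # (event type, indicator name, pattern on the target path)
    ("file_create", "dropped copy", rx(APPDATA + r"\\install\\teamviewer\.exe$")),
    ("file_create", "data file", rx(APPDATA + r"\\install\\ntfs\.dat$")),
    ("file_create", "work folder",
     rx(APPDATA + r"\\\{89C7131A-4A0B-44B8-9527-F097EF67E9E3\}(\\|$)")),
    ("file_delete", "kos cleanup", rx(APPDATA + r"\\kos[1-6]?\.exe$")),
    ("file_delete", "temp cleanup",
     rx(TEMP + r"\\(qiqovaben\.dll|rimogivofeh\.dll|luwatigoril\.dll|cebakiro\.ohu)$")),
]

def match_event(event):
    """Return the name of the indicator an event matches, or None."""
    target = event.get("target", "")
    if event["type"] == "registry_set":
        # Value name and data must both match; the name alone is not enough.
        data = event.get("details", "").strip('"')
        ok = RUN_VALUE.search(target) and COPY_PATH.fullmatch(data)
        return "run key persistence" if ok else None
    for kind, name, pattern in RULES:
        if kind == event["type"] and pattern.search(target):
            return name
    return None

def triage(events):
    """Group matched indicator names by host."""
    hits = {}
    for ev in events:
        name = match_event(ev)
        if name:
            hits.setdefault(ev["host"], set()).add(name)
    return hits

# Constructed sample events (hypothetical schema, not real telemetry).
U = r"C:\Users\alice\AppData"
RUN = r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE = [
    {"host": "ws1", "type": "registry_set", "target": RUN + r"\teamviewer",
     "details": U + r"\Roaming\Install\teamviewer.exe"},
    {"host": "ws1", "type": "file_create", "target": U + r"\Roaming\Install\ntfs.dat"},
    {"host": "ws1", "type": "file_delete", "target": U + r"\Roaming\kos3.exe"},
    {"host": "ws2", "type": "registry_set", "target": RUN + r"\teamviewer",
     "details": r"C:\Tools\teamviewer.exe"},
]
```

Calling triage(SAMPLE) reports only ws1, because the ws2 Run value carries the same name but does not point at the copy under %appdata%\Install.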
