Win32/Tinba [Threat Name]
Win32/Tinba.AX [Threat Variant Name]
Category | trojan
Size | 76288 B
Aliases | Trojan.Win32.Tinba.viy (Kaspersky)
        | Trojan:Win32/Tinba.A (Microsoft)
        | TR/Tinba.A.683 (Avira)
Short description
Win32/Tinba.AX is a trojan that steals sensitive information. It can be controlled remotely.
Installation
When executed, the trojan copies itself into the following location:
- %appdata%\MsDtc\dwmc.exe
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "MsDtc" = "%appdata%\MsDtc\dwmc.exe"
The following Registry entry is set; a TabProcGrowth value of 1 confines Internet Explorer to a single tab process, which keeps the number of browser processes the trojan has to inject into to a minimum:
- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
- "TabProcGrowth" = 1
The trojan launches the following processes:
- %originalmalwarefilename%
- verclsid.exe
The trojan creates and runs a new thread with its own code inside these newly launched processes.
It also creates and runs a new thread with its own program code within the following browser processes:
- chrome.exe
- firefox.exe
- iexplore.exe
- maxthon.exe
Information stealing
Win32/Tinba.AX is a trojan that steals sensitive information.
The trojan collects sensitive information when the user browses certain web sites.
The following programs are affected:
- Google Chrome
- Internet Explorer
- Maxthon Cloud Browser
- Mozilla Firefox
The trojan can send the information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a URL and communicates with it over HTTP.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- monitor network traffic
- modify network traffic
- modify the content of websites
- block access to specific websites
- redirect network traffic
- update itself to a newer version
- uninstall itself
- send gathered information
The trojan keeps various information in the following files:
- %appdata%\MsDtc\setc.db
- %appdata%\MsDtc\data.db
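The installation artifacts (dropped copy, Run key, TabProcGrowth value), the browser injection targets and the two data files above are all observable in endpoint telemetry. The following Python script is an added example, not part of the ESET description, that matches those indicators against Sysmon-style events (FileCreate, RegistryEvent value set, CreateRemoteThread) written as "Key=Value" lines. The event lines are constructed for illustration, not captured from a real infection; the "Key=Value" format, rule names and weights are this example's own choices, not anything documented for the sample.

```python
"""Added example, not ESET's code: match the Win32/Tinba.AX host artifacts listed on
this page against Sysmon-style telemetry. Event lines are constructed, not captured."""
import re
from collections import Counter

# Suffixes are matched case-insensitively against full paths, because %appdata%
# expands to ...\AppData\Roaming on Vista and later but ...\Application Data on XP.
DROPPER_SUFFIX = r"\msdtc\dwmc.exe"
RUN_VALUE_SUFFIX = r"\software\microsoft\windows\currentversion\run\msdtc"
TABPROC_SUFFIX = r"\software\microsoft\internet explorer\main\tabprocgrowth"
DATA_FILES = {"setc.db", "data.db"}
INJECTION_TARGETS = {"chrome.exe", "firefox.exe", "iexplore.exe", "maxthon.exe",
                     "verclsid.exe"}

# Rule -> weight (assumed values for this example). TabProcGrowth = 1 is also a
# legitimate IE tuning knob, so it only corroborates and never gives a verdict alone.
WEIGHTS = {
    "tinba_dropper_copy": 2,
    "tinba_run_key": 3,
    "tinba_browser_injection": 3,
    "tinba_data_file": 2,
    "tinba_tabprocgrowth": 1,
}
VERDICT_THRESHOLD = 4   # e.g. dropper copy + data file, or run key + anything else

_FIELD_SPLIT = re.compile(r"\s+(?=[A-Za-z]+=)")


def parse_event(line):
    """Parse 'Key=Value Key=Value ...' into a dict; values may contain spaces."""
    fields = {}
    for token in _FIELD_SPLIT.split(line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def match_rules(ev):
    """Names of the Tinba.AX rules that a single parsed event satisfies."""
    hits = []
    eid = ev.get("EventID")
    if eid == "11":                                   # Sysmon FileCreate
        target = ev.get("TargetFilename", "").lower()
        if target.endswith(DROPPER_SUFFIX):
            hits.append("tinba_dropper_copy")
        elif "\\msdtc\\" in target and _basename(target) in DATA_FILES:
            hits.append("tinba_data_file")
    elif eid == "13":                                 # Sysmon RegistryEvent (value set)
        obj = ev.get("TargetObject", "").lower()
        details = ev.get("Details", "").lower()
        if obj.endswith(RUN_VALUE_SUFFIX) and details.endswith(DROPPER_SUFFIX):
            hits.append("tinba_run_key")
        elif obj.endswith(TABPROC_SUFFIX) and details == "dword (0x00000001)":
            hits.append("tinba_tabprocgrowth")
    elif eid == "8":                                  # Sysmon CreateRemoteThread
        src = ev.get("SourceImage", "").lower()
        dst = ev.get("TargetImage", "").lower()
        if src.endswith(DROPPER_SUFFIX) and _basename(dst) in INJECTION_TARGETS:
            hits.append("tinba_browser_injection")
    return hits


def triage(lines):
    """Score a batch of event lines. Returns (hits per rule, score, verdict)."""
    counts = Counter()
    for line in lines:
        if line.strip():
            counts.update(match_rules(parse_event(line)))
    score = sum(WEIGHTS[rule] for rule in counts)    # each distinct rule counted once
    return counts, score, score >= VERDICT_THRESHOLD


# Constructed sample: one infection chain on user "bob", plus one benign event.
SAMPLE_EVENTS = [
    r"EventID=1 Image=C:\Users\bob\Downloads\invoice.exe ParentImage=C:\Windows\explorer.exe",
    r"EventID=11 Image=C:\Users\bob\Downloads\invoice.exe TargetFilename=C:\Users\bob\AppData\Roaming\MsDtc\dwmc.exe",
    r"EventID=13 Image=C:\Users\bob\Downloads\invoice.exe TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\MsDtc Details=C:\Users\bob\AppData\Roaming\MsDtc\dwmc.exe",
    r"EventID=13 Image=C:\Users\bob\Downloads\invoice.exe TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Internet Explorer\Main\TabProcGrowth Details=DWORD (0x00000001)",
    r"EventID=8 SourceImage=C:\Users\bob\AppData\Roaming\MsDtc\dwmc.exe TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe",
    r"EventID=8 SourceImage=C:\Users\bob\AppData\Roaming\MsDtc\dwmc.exe TargetImage=C:\Program Files\Internet Explorer\iexplore.exe",
    r"EventID=11 Image=C:\Users\bob\AppData\Roaming\MsDtc\dwmc.exe TargetFilename=C:\Users\bob\AppData\Roaming\MsDtc\data.db",
    # Benign: an admin pinning IE to one tab process looks identical on its own.
    r"EventID=13 Image=C:\Windows\regedit.exe TargetObject=HKU\S-1-5-21-1111-2222-3333-1002\Software\Microsoft\Internet Explorer\Main\TabProcGrowth Details=DWORD (0x00000001)",
]

if __name__ == "__main__":
    counts, score, verdict = triage(SAMPLE_EVENTS)
    print(dict(counts), score, "Tinba.AX likely" if verdict else "no verdict")
```

Only the last, benign event on its own scores 1 and yields no verdict; the full chain fires every rule. The CreateRemoteThread rule keys on the dropped copy as the source image, so a detection built from it will miss the initial %originalmalwarefilename% process if it injects before copying itself; widen SourceImage to the original sample's path when triaging a known case.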
The trojan hooks the following Windows APIs:
- HttpOpenRequestA (wininet.dll)
- HttpOpenRequestW (wininet.dll)
- HttpQueryInfoA (wininet.dll)
- HttpSendRequestA (wininet.dll)
- HttpSendRequestW (wininet.dll)
- InternetCloseHandle (wininet.dll)
- InternetQueryDataAvailable (wininet.dll)
- InternetReadFile (wininet.dll)
- PR_Close (nss3.dll)
- PR_Read (nss3.dll)
- PR_Write (nss3.dll)
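Hooks of this kind are usually placed as inline detours: the first bytes of the export are overwritten with an unconditional jump into the injected code. The following Python script is an added example, not ESET's or the malware's code, that reads the prologue of each wininet.dll export listed above from a running browser process on Windows and classifies it. The byte heuristic is platform independent; the remote read uses kernel32 OpenProcess/ReadProcessMemory via ctypes and assumes (a) the scanner runs with a Python of the same bitness as the browser and (b) wininet.dll sits at the same base in both processes, which Windows' per-boot ASLR normally guarantees for the same image. The nss3.dll set (PR_Read, PR_Write, PR_Close) is not covered, because nss3.dll is not loaded in the scanner and its base would have to be taken from the browser's module list.

```python
"""Added example, not ESET's code: classify wininet.dll export prologues inside a
browser process as clean, intra-module jmp (thunk) or inline hook."""
import ctypes
import struct
import sys

WININET_HOOKED_EXPORTS = [
    "HttpOpenRequestA", "HttpOpenRequestW", "HttpQueryInfoA",
    "HttpSendRequestA", "HttpSendRequestW", "InternetCloseHandle",
    "InternetQueryDataAvailable", "InternetReadFile",
]
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400


def looks_hooked(prologue):
    """True if the first instruction is an unconditional transfer, the signature of
    an inline detour. A normal x86 API export starts with 'mov edi, edi; push ebp;
    mov ebp, esp' (8B FF 55 8B EC), which is left untouched here."""
    if not prologue:
        return False
    op = prologue[0]
    if op == 0xEB and len(prologue) >= 2:                              # jmp rel8
        return True
    if op == 0xE9 and len(prologue) >= 5:                              # jmp rel32
        return True
    if op == 0xFF and len(prologue) >= 6 and prologue[1] == 0x25:      # jmp [abs]
        return True
    if op == 0x68 and len(prologue) >= 6 and prologue[5] == 0xC3:      # push imm32; ret
        return True
    return False


def rel32_target(func_addr, prologue):
    """Destination of an 'E9 rel32' jmp located at func_addr, or None."""
    if len(prologue) >= 5 and prologue[0] == 0xE9:
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return func_addr + 5 + rel
    return None


def classify(func_addr, prologue, module_base, module_size):
    """'clean', 'thunk' (jmp that stays inside the module, most likely a legitimate
    stub) or 'hooked' (transfer out of the module, i.e. into injected memory)."""
    if not looks_hooked(prologue):
        return "clean"
    target = rel32_target(func_addr, prologue)
    if target is not None and module_base <= target < module_base + module_size:
        return "thunk"
    return "hooked"


def _module_range(dll):
    """Base and SizeOfImage of a DLL loaded in this process, read from its PE header
    (e_lfanew at 0x3C; SizeOfImage at NT header + 0x50 for PE32 and PE32+)."""
    base = dll._handle
    e_lfanew = struct.unpack("<I", ctypes.string_at(base + 0x3C, 4))[0]
    size = struct.unpack("<I", ctypes.string_at(base + e_lfanew + 0x50, 4))[0]
    return base, size


def read_remote(pid, address, size):
    """Read `size` bytes at `address` from process `pid` (Windows only)."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.ReadProcessMemory.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    handle = k32.OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, 0, pid)
    if not handle:
        raise OSError(ctypes.get_last_error(), "OpenProcess failed")
    buf = ctypes.create_string_buffer(size)
    got = ctypes.c_size_t(0)
    ok = k32.ReadProcessMemory(handle, address, buf, size, ctypes.byref(got))
    k32.CloseHandle(handle)
    if not ok:
        raise OSError(ctypes.get_last_error(), "ReadProcessMemory failed")
    return buf.raw[:got.value]


def scan_process(pid, names=WININET_HOOKED_EXPORTS):
    """Export name -> classification for wininet.dll inside process `pid`. Assumes
    the same bitness and the same wininet.dll base as in this scanner process."""
    wininet = ctypes.WinDLL("wininet")
    base, size = _module_range(wininet)
    report = {}
    for name in names:
        addr = ctypes.cast(getattr(wininet, name), ctypes.c_void_p).value
        report[name] = classify(addr, read_remote(pid, addr, 8), base, size)
    return report


if __name__ == "__main__":
    if sys.platform != "win32" or len(sys.argv) != 2:
        sys.exit("usage (Windows only): python tinba_hookscan.py <browser pid>")
    for name, verdict in scan_process(int(sys.argv[1])).items():
        print(f"{name:28s} {verdict}")
```

Only E9 jumps get a target check; FF 25 and push/ret hits are reported as "hooked" without one and should be confirmed by resolving the destination manually. A hook that leaves the first instruction intact and patches deeper in the function body is not caught by this heuristic, so a "clean" result is evidence, not proof.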