Win32/Tinba [Threat Name] go to Threat

Win32/Tinba.AX [Threat Variant Name]

Category trojan
Size 76288 B
Aliases Trojan.Win32.Tinba.viy (Kaspersky)
  Trojan:Win32/Tinba.A (Microsoft)
  TR/Tinba.A.683 (Avira)
Short description

Win32/Tinba.AX is a trojan that steals sensitive information. It can be controlled remotely.


When executed, the trojan copies itself into the following location:

  • %appdata%\­MsDtc\­dwmc.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "MsDtc" = "%appdata%\­MsDtc\­dwmc.exe"

The following Registry entry is set:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Internet Explorer\­Main]
    • "TabProcGrowth" = 1

The trojan launches the following processes:

  • %originalmalwarefilename%
  • verclsid.exe

The trojan creates and runs a new thread with its own code within these running processes.

The trojan creates and runs a new thread with its own program code within the following processes:

  • chrome.exe
  • firefox.exe
  • iexplore.exe
  • maxthon.exe
Information stealing

Win32/Tinba.AX is a trojan that steals sensitive information.

The trojan collects sensitive information when the user browses certain web sites.

The following programs are affected:

  • Google Chrome
  • Internet Explorer
  • Maxthon Cloud Browser
  • Mozilla Firefox

The trojan can send the information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a URL address. The HTTP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • monitor network traffic
  • modify network traffic
  • modify the content of websites
  • block access to specific websites
  • redirect network traffic
  • update itself to a newer version
  • uninstall itself
  • send gathered information

The trojan keeps various information in the following files:

  • %appdata%\­MsDtc\­setc.db
  • %appdata%\­MsDtc\­data.db

The trojan hooks the following Windows APIs:

  • HttpOpenRequestA (wininet.dll)
  • HttpOpenRequestW (wininet.dll)
  • HttpQueryInfoA (wininet.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • InternetCloseHandle (wininet.dll)
  • InternetQueryDataAvailable (wininet.dll)
  • InternetReadFile (wininet.dll)
  • PR_Close (nss3.dll)
  • PR_Read (nss3.dll)
  • PR_Write (nss3.dll)

Please enable Javascript to ensure correct displaying of this content and refresh this page.