
TrojanDownloader:Win32/Tinbanker.A


First posted on 01 February 2013.
Source: Microsoft

Aliases:

TrojanDownloader:Win32/Tinbanker.A is also known as Win-Trojan/Wecod.422400 (AhnLab), Trojan.Win32.Wecod.ys (Kaspersky), Trojan.Win32.Wecod (Ikarus).

Explanation:



Installation

TrojanDownloader:Win32/Tinbanker.A may have the following file name:

<system folder>\mplayer2.exe

It creates the following entry so that it automatically runs every time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\Currentversion\Run
Sets value: "wmplayer"
With data: "<system folder>\mplayer2.exe"

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\WinNT\System32"; and for XP, Vista, 7, and 8 it is "C:\Windows\System32".



Payload

Changes Internet Explorer settings

TrojanDownloader:Win32/Tinbanker.A prevents Internet Explorer from checking the digital signature of a downloaded program to confirm its legitimacy:

In subkey: HKCU\Software\Microsoft\Internet Explorer\Download
Sets value: "CheckExeSignatures"
With data: "no"

It also prevents Windows from marking file attachments using their zone information:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
Sets value: "SaveZoneInformation"
With data: "00000001"

TrojanDownloader:Win32/Tinbanker.A marks certain file types as low-risk, even though these file types are commonly used by malware:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
Sets value: "LowRiskFileTypes"
With data: ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;"

Downloads other malware

TrojanDownloader:Win32/Tinbanker.A downloads a RAR file named Geral.rar from a URL. The RAR archive contains the following file:

<system folder>\revents.dll - detected as TrojanSpy:Win32/Tinbanker.A

Additional information

TrojanDownloader:Win32/Tinbanker.A also creates the following registry entries:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent
Sets value: "Platform"
With data: "gecko/20100101 firefox/16.0"
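An added host check, not part of the Microsoft write-up, that looks for the registry values and file names listed above on a Windows host. The function name, the regular expressions and the choice to inspect only the current user's hive (the page lists only HKCU keys) are my assumptions; run it in the affected user's session.

```powershell
# Added example: registry and file-name indicators taken from the description above.
# Values are compared as strings so a REG_DWORD 1 and a REG_SZ "no" are both handled.
$Indicators = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';
       Name = 'wmplayer'; Match = 'mplayer2\.exe$'; Why = 'Tinbanker.A autorun entry' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Download';
       Name = 'CheckExeSignatures'; Match = '^no$'; Why = 'IE signature check disabled' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments';
       Name = 'SaveZoneInformation'; Match = '^1$'; Why = 'zone information not saved on attachments' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations';
       Name = 'LowRiskFileTypes'; Match = '\.exe;|\.scr;|\.bat;|\.cmd;'; Why = 'executables marked low risk' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent';
       Name = 'Platform'; Match = 'gecko/20100101 firefox/16\.0'; Why = 'spoofed User Agent platform string' }
)

function Test-TinbankerIndicators {
    # Hypothetical helper name; returns one object per matching indicator.
    $findings = @()
    foreach ($i in $Indicators) {
        if (-not (Test-Path -Path $i.Path)) { continue }
        $item = Get-ItemProperty -Path $i.Path -Name $i.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $data = [string]$item.($i.Name)
        if ($data -match $i.Match) {
            $findings += [pscustomobject]@{
                Location = $i.Path; Name = $i.Name; Data = $data; Reason = $i.Why
            }
        }
    }
    # The dropped files live in the System folder; a file name alone is weak evidence,
    # so treat a hit here as corroboration for the registry findings, not proof by itself.
    foreach ($f in 'mplayer2.exe', 'revents.dll') {
        $p = Join-Path -Path $env:SystemRoot -ChildPath "System32\$f"
        if (Test-Path -Path $p) {
            $findings += [pscustomobject]@{
                Location = 'filesystem'; Name = $f; Data = $p; Reason = 'file name used by Tinbanker.A'
            }
        }
    }
    return $findings
}

$results = @(Test-TinbankerIndicators)
if ($results.Count -eq 0) {
    'No Tinbanker.A indicators found.'
} else {
    $results | Format-Table -AutoSize
}
```

Remediation is the reverse of what the page lists: remove the Run value, restore CheckExeSignatures and SaveZoneInformation to their defaults, and clear the LowRiskFileTypes and Platform values after confirming the files have been removed.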



Analysis by Zarestel Ferrer

Last update 01 February 2013
