Win32/Tinukebot [Threat Name]

Win32/Tinukebot.B [Threat Variant Name]

Category trojan
Size 81467 B
Detection created Jun 08, 2017
Detection database version 15550
Aliases Trojan:Win32/Skeeyah.A!bit (Microsoft)
Short description

Win32/Tinukebot.B is a trojan which tries to download other malware from the Internet.

Installation

When executed, the trojan creates the following folders:

  • %appdata%\%variable1%
  • %variablefolder%\%variable2%.tmp

One of the following strings is used in place of %variablefolder%:

  • %temp%
  • %windir%\Temp
  • %temp%\Low

The trojan may create the following files:

  • %variablefolder%\Palaeoanthropology.bin (26830 B)
  • %variablefolder%\%variable1%64
  • %variablefolder%\%variable1%32

The files contain encrypted executables.


The trojan creates the following files:

  • %variablefolder%\syphilisations.dll (23040 B, Win32/Injector.DQOJ)
  • %variablefolder%\%variable2%.tmp\System.dll (11264 B)

The files are then executed.


The trojan creates the following file:

  • %variablefolder%\%variable1%

The trojan copies itself to the following location:

  • %appdata%\%variable1%\%variable1%.exe

This copy of the trojan is then executed.


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable1%" = "%appdata%\%variable1%\%variable1%.exe"

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    • "TabProcGrowth" = 0
    • "NoProtectedModeBanner" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "2500" = 3

The trojan attempts to modify the following file:

  • %appdata%\Mozilla\Firefox\Profiles\%variable3%\prefs.js

A string with variable content is used instead of %variable1-3%.
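A read-only PowerShell check for the Run-key persistence and the Internet Explorer settings listed above, added here as an example rather than taken from the ESET entry. It assumes the current user's HKCU hive is the one to inspect, uses the "folder name equals executable name" pattern of the copied file as its heuristic, and does not parse command-line arguments inside Run values.

```powershell
# Added example (not from the ESET entry): report the registry artifacts this
# description lists. Read-only; nothing is modified.
$findings = @()

# 1. Run-key persistence of the form "%appdata%\<name>\<name>.exe"
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$appData = [Environment]::GetFolderPath('ApplicationData')
$meta    = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -in $meta) { continue }          # provider metadata, not a Run value
        # Expand %appdata% etc. and strip surrounding quotes (arguments are not parsed)
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$prop.Value).Trim('"')
        if ($cmd -notlike "$appData\*") { continue }
        $leaf   = Split-Path $cmd -Leaf                          # <name>.exe
        $parent = Split-Path (Split-Path $cmd -Parent) -Leaf     # <name>
        if ($leaf -ieq "$parent.exe") {
            $findings += "Run entry '$($prop.Name)' -> $cmd (folder name matches exe name)"
        }
    }
}

# 2. Internet Explorer settings the trojan sets
$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Name = 'TabProcGrowth';         Bad = 0 },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Name = 'NoProtectedModeBanner'; Bad = 1 },
    # Value 2500 is the zone's Protected Mode switch; 3 = disabled. Zone 3 is the Internet zone.
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'; Name = '2500'; Bad = 3 }
)
foreach ($c in $checks) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -ne $v -and [int]$v -eq $c.Bad) {
        $findings += "$($c.Path)\$($c.Name) = $v"
    }
}

if ($findings.Count -eq 0) {
    'No Tinukebot.B registry indicators found.'
} else {
    'Possible Tinukebot.B indicators:'
    $findings | ForEach-Object { " - $_" }
}
```

A hit on the IE values alone is not proof of infection, since other software can set them; treat the combination with the Run-key pattern as the stronger signal.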

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL address. The HTTP and TCP protocols are used in the communication.


The trojan can download and execute a file from the Internet.


The files are stored in the following locations:

  • %variablefolder%\%variable1%64
  • %variablefolder%\%variable1%32

The files contain encrypted executables.


A string with variable content is used instead of %variable1%.


One of the following strings is used in place of %variablefolder%:

  • %temp%
  • %windir%\Temp
  • %temp%\Low

The trojan creates and runs a new thread with its own program code within the following processes:

  • %system%\dllhost.exe
