Guide to Tinba

Description of Issue

Tinba is a Trojan that steals personal and confidential information and attempts to transmit stolen information from the infected computer to a list of command-and-control (C&C) servers and is able to add/remove files and folders, modify the Windows Registry and inject itself into other applications. Tinba also controls and records network traffic information in the certain file for retrieval by the attacker.  Tinba makes modifications to Mozilla Firefox to disable warning messages that would normally show if you are visiting a suspicious website. The modifications to the Windows Registry include code that will cause it to run automatically every time you start Windows.

Tinba will inject malicious code into Internet Explorer, Google Chrome and Mozilla Firefox as well as 'explorer.exe' (part of the file system browser in Windows).  It also attempts to stop 'svchost.exe' processes.


Platforms Affected

  • Windows 2000
  • Windows 7
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows Server 2008
  • Windows Vista
  • Windows XP


Issue Verification

Tinba creates the following files:

  • file.exe (size: 19,968 bytes and md5sum 08ab7f68c6b3a4a2a745cc244d41d213)
  • %SystemDrive%\Documents and Settings\All Users\Application Data\default\bin.exe
  • %SystemDrive%\Documents and Settings\All Users\Application Data\default\web.dat

Tinba creates the following registry entries:

  • HKEY..\..\..\..{RegistryKeys}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"1609" = "0"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"default" = "%SystemDrive%\Documents and Settings\All Users\Application Data\default\bin.exe"

Recommendation for Resolution

  • Run Norton Power Eraser (NPE) is known to remove this trojan.
  • The Norton Bootable Recovery Tool is known to help remove this trojan as well if NPE (above) does not work.
  • Windows systems files that are infected must be replaced with a Windows installation CD.
  • Most system wide infections are best dealt with by reinstalling the operating system with an up-to-date version and keeping the system constantly updated with vendor patches as they are released.  
  • Most trojan infections make the computer more susceptible to other infections and therefor there may be several infections on the compromised computer.


Article is closed for comments.
Powered by Zendesk