Win32/Alinaos [Threat Name]

Win32/Alinaos.I [Threat Variant Name]

Category trojan
Size 348672 B
Detection created Jul 23, 2015
Detection database version 11985
Aliases Trojan.Win32.Yakes.lfpi (Kaspersky)
  Trojan:Win32/Dynamer!ac (Microsoft)
Short description

Win32/Alinaos.I is a trojan that steals sensitive information. The trojan is probably a part of other malware.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\LiveInc\mbarservice.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "mbarservice" = "%appdata%\LiveInc\mbarservice.exe"

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
    • "identifier" = "%variable%"

A string with variable content is used instead of %variable%.

The trojan may create the following files:

  • \\.\pipe\localjo%variable%

Information stealing

The trojan collects the following information:

  • credit card information

The collected information is stored in the following file:

  • %appdata%\LiveInc\output.dat

Other information

The trojan attempts to delete the following files:

  • %appdata%\adobeflash.exe
  • %appdata%\desktop.exe
  • %appdata%\dwm.exe
  • %appdata%\java.exe
  • %appdata%\javaj.exe
  • %appdata%\jucheck.exe
  • %appdata%\jusched.exe
  • %appdata%\win-firewall.exe
  • %appdata%\windefender.exe

The following programs are terminated:

  • %appdata%\adobeflash.exe
  • %appdata%\desktop.exe
  • %appdata%\dwm.exe
  • %appdata%\java.exe
  • %appdata%\javaj.exe
  • %appdata%\jucheck.exe
  • %appdata%\jusched.exe
  • %appdata%\win-firewall.exe
  • %appdata%\windefender.exe

The trojan terminates its execution if it detects that it is running in a specific virtual environment.

The trojan can detect the presence of debuggers and other analytical tools.

The trojan quits immediately if it is run within a debugger.

The trojan quits immediately if any of the following Registry keys/values is detected:

  • [HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\PTLTD_]
  • [HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__]
  • [HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\AMIBI]

The trojan quits immediately if it detects a window containing one of the following strings in its title:

  • 18467-41
  • 259C91A0
  • DeFixed
  • FileMonClass
  • HANOLLY
  • ID
  • MYDEBUG
  • OLLYDBG
  • OWL_Window
  • TDiEfrm
  • TIdaWindow
  • Tokno_konfig
  • VBoxTrayToolWndClass
  • YPOGEiOS

The trojan quits immediately if it detects a module loaded in its own process or in any other running process whose name contains one of the following strings:

  • 16Edit.DLL
  • BOOKMARK.DLL
  • Cmdline.dll
  • DeviareCOM.dll
  • Nektra.Deviare2.dll
  • SbieDll.dll
  • apimonitor-drv-x86.sys
  • linux_stub.plw
  • mac_stub.plw
  • pluzina1.dll
  • pluzina2.dll
  • pluzina3.dll
  • pluzina4.dll
  • procs.dll
  • realign.dll
  • win32_stub.plw
  • win32_user.plw
  • wince_stub.plw

The trojan modifies the program code of the following Windows APIs:

  • DbgBreakPoint (ntdll.dll)
  • DbgUiRemoteBreakin (ntdll.dll)

The trojan may display fake error messages:

  • error 1011
  • error 1012
