Win32/TriMore [Threat Name]

Win32/TriMore.A [Threat Variant Name]

Category trojan
Size 12000 B
Aliases Trojan-Banker.Win32.Banker.af (Kaspersky)
  Trojan:Win32/TriMore.A (Microsoft)
  Mal/TibsPk-A (Sophos)
  Trojan.PWS.Banker (Dr.Web)
Short description

Win32/TriMore.A is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine.

Installation

The trojan does not create any copies of itself.


The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\sgtrt]
    • "IDwin" = "%variable1%"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updir]
    • "Date" = %variable2%

%variable1% and %variable2% stand for strings with variable content.

Information stealing

The trojan collects the following information:

  • computer name
  • user name
  • data from the clipboard
  • a list of recently visited URLs

The trojan is able to log keystrokes.


The collected information is stored in the following file:

  • %windir%\sasing.ini

The trojan attempts to send gathered information to a remote machine.


The trojan sends the information via e-mail. The SMTP protocol is used.

Other information

The trojan contains a URL address.


It tries to download a file from the address.


The file is stored in the following location:

  • %system%\mstasks1.exe

The file is then executed. The HTTP protocol is used.
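The registry keys and file paths listed above are the host artifacts a responder can check for. The following PowerShell script is an added triage example, not part of the ESET entry: it reads the listed locations and reports what is present without changing anything. The key and file names come from the entry; the mapping of %system% to the System32 folder, the WOW6432Node variants (a 32-bit process writing HKLM\SOFTWARE on 64-bit Windows is redirected there) and the output format are assumptions of this example.

```powershell
# Added example, not part of the original ESET entry: read-only triage check
# for the host artifacts listed in the Win32/TriMore.A description.
# Assumptions: %windir% -> $env:SystemRoot, %system% -> System32, and the
# sample is a 32-bit binary (so the WOW6432Node registry view is checked too).

function Get-TriMoreArtifacts {
    [CmdletBinding()]
    param()

    $system32 = Join-Path $env:SystemRoot 'System32'

    # Registry keys and values the entry says the trojan creates.
    $registryChecks = @(
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\sgtrt';             Value = 'IDwin' },
        @{ Key = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\sgtrt'; Value = 'IDwin' },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Updir';             Value = 'Date'  },
        @{ Key = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Updir'; Value = 'Date'  }
    )

    # Files named in the entry: the collected-data store and the downloaded payload.
    $fileChecks = @(
        (Join-Path $env:SystemRoot 'sasing.ini'),
        (Join-Path $system32 'mstasks1.exe')
    )

    foreach ($check in $registryChecks) {
        if (-not (Test-Path -LiteralPath $check.Key)) { continue }
        $props  = Get-ItemProperty -LiteralPath $check.Key -ErrorAction SilentlyContinue
        $detail = "key present, value '$($check.Value)' absent"
        if ($null -ne $props -and $null -ne $props.PSObject.Properties[$check.Value]) {
            $detail = "$($check.Value) = $($props.($check.Value))"
        }
        [PSCustomObject]@{ Type = 'Registry'; Path = $check.Key; Detail = $detail }
    }

    foreach ($path in $fileChecks) {
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
        $item = Get-Item -LiteralPath $path
        [PSCustomObject]@{
            Type   = 'File'
            Path   = $path
            Detail = '{0} bytes, last modified {1:u}' -f $item.Length, $item.LastWriteTime
        }
    }
}

# Usage: run from an elevated prompt on the host under triage.
# No rows means none of the artifacts listed in the entry were found.
$hits = @(Get-TriMoreArtifacts)
if ($hits.Count -eq 0) {
    Write-Output 'No Win32/TriMore.A artifacts from the entry were found.'
} else {
    $hits | Format-Table -AutoSize
}
```

The script only reads; it leaves removal to the usual cleanup process so the artifacts (file sizes, timestamps, registry values) stay available as evidence. Because the entry gives no hash for the downloaded file, a hit on mstasks1.exe identifies only a file of that name, so submit the file for scanning rather than treating the name alone as confirmation.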


The trojan can delete cookies.
