
Trojan-PSW.Win32.LdPinch.ur

Detected Sep 26 2005 08:49 GMT
Released Sep 26 2005 08:49 GMT
Published Jun 16 2006 13:05 GMT

Technical Details

This Trojan is designed to steal user passwords.

It is a Windows PE EXE file. The size of the infected file varies between 21KB and 86KB. It is packed using FSG.


Payload

Once launched, the Trojan will stop and disable the following services:

AVPCC
AVWUpSrv
NOD32krn
Ahnlab task Scheduler
alerter
AlertManger
AVExch32Service
avg7alrt
avg7updsvc
AvgCore
AvgFsh
AvgServ
avpcc
AVUPDService
AvxIni
awhost32
backweb client - 4476822
BackWeb Client - 7681197
backweb client-4476822

It also starts a thread that terminates the processes listed below at one-second intervals:

Avp32
VSMON
ZAPRO
APVDWIN
PAVSRV51
NOD32KUI
avpcc
WEBPROXY
navpw32
PccPfw
ATUPDATER
AUPDATE
AUTODOWN
AUTOTRACE
AUTOUPDATE
AVPUPD
AVWUPD32
AVXQUAR
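A defender can look for this behaviour in process telemetry rather than in the binary. The script below is an added example and not part of the Kaspersky description: it uses the process names listed above as a watchlist and groups process-termination records that arrive a second or two apart, which is the pattern a kill loop with a fixed interval produces. The record format (`<ISO timestamp> ProcessTerminate Image=<path>`) and the sample lines are constructed for the example; a real EDR or Sysmon ProcessTerminate feed would need its own parser in place of `parse_line`.

```python
# Added example: cluster process-termination records to flag a kill loop
# against security tooling. Log format and sample lines are constructed.
import re
from datetime import datetime
from typing import List, Optional, Tuple

# Process names the advisory says the Trojan terminates, lower-cased.
WATCHLIST = {n.lower() for n in (
    "Avp32", "VSMON", "ZAPRO", "APVDWIN", "PAVSRV51", "NOD32KUI", "avpcc",
    "WEBPROXY", "navpw32", "PccPfw", "ATUPDATER", "AUPDATE", "AUTODOWN",
    "AUTOTRACE", "AUTOUPDATE", "AVPUPD", "AVWUPD32", "AVXQUAR",
)}

# Constructed record format, not Sysmon's real event schema.
LINE_RE = re.compile(r"^(?P<ts>\S+) ProcessTerminate Image=(?P<image>.+)$")

# Constructed sample: four watch-listed terminations one second apart,
# unrelated terminations around them, and one isolated termination later.
SAMPLE_LOG = r"""
2005-09-26T08:49:00 ProcessTerminate Image=C:\WINDOWS\notepad.exe
2005-09-26T08:49:01 ProcessTerminate Image=C:\Program Files\AV\Avp32.exe
2005-09-26T08:49:02 ProcessTerminate Image=C:\Program Files\Firewall\zapro.exe
2005-09-26T08:49:03 ProcessTerminate Image=C:\Program Files\Firewall\vsmon.exe
2005-09-26T08:49:04 ProcessTerminate Image=C:\Program Files\AV2\nod32kui.exe
2005-09-26T08:49:15 ProcessTerminate Image=C:\WINDOWS\explorer.exe
2005-09-26T09:30:00 ProcessTerminate Image=C:\Program Files\Firewall\vsmon.exe
"""


def parse_line(line: str) -> Optional[Tuple[datetime, str]]:
    """Return (timestamp, lower-case image basename without extension), or
    None for lines that are not termination records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    base = re.split(r"[\\/]", m.group("image"))[-1]   # handles Windows paths on any host
    name = base.rsplit(".", 1)[0].lower()
    return datetime.fromisoformat(m.group("ts")), name


def detect_kill_bursts(lines, max_gap_seconds: float = 2.0,
                       threshold: int = 3) -> List[List[str]]:
    """Group watch-listed terminations that are at most max_gap_seconds apart;
    each group of at least `threshold` events is returned as one burst."""
    events = sorted(e for e in map(parse_line, lines) if e and e[1] in WATCHLIST)
    bursts: List[List[str]] = []
    current: List[Tuple[datetime, str]] = []
    for ts, name in events:
        if current and (ts - current[-1][0]).total_seconds() > max_gap_seconds:
            if len(current) >= threshold:
                bursts.append([n for _, n in current])
            current = []
        current.append((ts, name))
    if len(current) >= threshold:
        bursts.append([n for _, n in current])
    return bursts


if __name__ == "__main__":
    for burst in detect_kill_bursts(SAMPLE_LOG.splitlines()):
        print("kill burst against security processes:", ", ".join(burst))
```

The gap-based grouping is deliberate: a fixed-interval loop keeps the spacing between hits small regardless of how many processes it targets, so a threshold on group size is less noisy than counting terminations over a long window, where routine product updates also stop several tools.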

The Trojan adds the following entry to the system registry:

[HKLM\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
 "<path to Trojan program>"="<path to Trojan program>:*:Enabled:<Trojan name>"
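The value format above is the Windows Firewall application-exception format of the XP SP2 era (`<path>:<scope>:<mode>:<name>`), and a self-added exception is one of the few durable traces this Trojan leaves in the registry. The script below is an added example rather than code from the advisory: it audits a dump of the `AuthorizedApplications\List` key and flags entries whose value path disagrees with the key name, or which enable an exception for an executable in a temp or user-profile directory. The sample entries and the directory policy are constructed for the example; on a live system the dictionary would be read from the registry key named above.

```python
# Added example: audit Windows Firewall AuthorizedApplications\List entries.
# Key and value layout follow the advisory; sample data is constructed.
from typing import Dict, List, Optional, Tuple

# Lower-case path fragments for which an enabled exception deserves review.
# Constructed policy for this example; tune to the environment.
SUSPICIOUS_DIRS = ("\\temp\\", "\\tmp\\", "\\appdata\\", "\\documents and settings\\")

# Constructed sample dump of the List key: key name -> value data.
SAMPLE_LIST: Dict[str, str] = {
    # key and value path agree, executable under Program Files: no finding
    r"C:\Program Files\Messenger\msmsgs.exe":
        r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
    # stock-style entry with an environment variable and a resource-string name
    r"%windir%\system32\sessmgr.exe":
        r"%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019",
    # exception for an executable dropped into the user's Temp directory
    r"C:\Documents and Settings\user\Local Settings\Temp\update.exe":
        r"C:\Documents and Settings\user\Local Settings\Temp\update.exe:*:Enabled:update",
    # key name and value path disagree, and the value path is in C:\Temp
    r"C:\Program Files\Foo\foo.exe":
        r"C:\Temp\foo.exe:*:Enabled:foo",
}


def parse_authorized_app(value: str) -> Optional[Dict[str, str]]:
    """Split '<path>:<scope>:<mode>:<name>' from the right: the path itself
    carries a drive-letter colon, so a left-to-right split would cut it."""
    parts = value.rsplit(":", 3)
    if len(parts) != 4:
        return None
    path, scope, mode, name = parts
    if mode.lower() not in ("enabled", "disabled"):
        return None
    return {"path": path, "scope": scope, "mode": mode.lower(), "name": name}


def audit_authorized_apps(entries: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (key name, reason) findings for entries worth an analyst's look."""
    findings: List[Tuple[str, str]] = []
    for key_name, value in entries.items():
        parsed = parse_authorized_app(value)
        if parsed is None:
            findings.append((key_name, "value does not follow path:scope:mode:name"))
            continue
        if parsed["path"].lower() != key_name.lower():
            findings.append((key_name, "value path differs from key name"))
        path_lower = parsed["path"].lower()
        if parsed["mode"] == "enabled" and any(d in path_lower for d in SUSPICIOUS_DIRS):
            findings.append((key_name, "enabled exception for executable in a temp/profile directory"))
    return findings


if __name__ == "__main__":
    for key_name, reason in audit_authorized_apps(SAMPLE_LIST):
        print(f"{key_name}: {reason}")
```

The mode comparison is case-insensitive because entries written by Windows itself use lower-case `enabled`, while the advisory shows the Trojan writing `Enabled`; a case-sensitive check would silently skip one or the other.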

The Trojan harvests information about the hard disk, how much free space remains on the disk, the current user’s account, the version of the operating system, the type of processor, screen options, operating system folders, programs installed on the computer.

The Trojan also collects the following data about the system:

  • It reads the path to the installation directory for The Bat! in the following registry section:
    [HKCU\Software\RIT\The Bat!]
    and searches the directory for the following files: account.cfg, account.cfn
  • It reads the path to the ICQ directory from the following registry section:
    [HKLM\Software\Mirabilis\ICQ\DefaultPrefs]
    [HKCU\Software\Mirabilis\ICQ\DefaultPrefs]
    and searches the paths for files with a .dat extension.
  • It gets the values of the following system registry keys:
    [HKCU\Software\Mirabilis\ICQ\NewOwners]
    [HKLM\Software\Mirabilis\ICQ\NewOwners]
  • It reads the path to the Miranda directory in the following registry section:
    [HKLM\Software\Miranda]
    and searches the paths for files with a .dat extension.
  • The Trojan also searches the following registry key’s parameters:
    [HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
    for parameters called &RQ.exe. If such a parameter is found, the Trojan gets the value of the parameter and uses it to search for a file called andrq.ini.
  • It gets information about dial-up connections on the system.
  • The Trojan gets the path to the installation folder for Trillian from the following registry key:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Trillian]
    It reads the contents of users\global\profiles.ini, and extracts information about the current user profile. It also reads the user name and password from aim.ini.
  • It gets the path to the Ghisler directory from the following registry keys:
    [HKCU\Software\Ghisler\Windows Commander]
    [HKCU\Software\Ghisler\Total Commander]
    [HKLM\Software\Ghisler\Windows Commander]
    [HKLM\Software\Ghisler\Total Commander]
    It searches these directories for a file called wcx_ftp.ini, searches the file for the parameters listed below and gets their values:
    host
    Username
    Password
    directory
    method
  • The Trojan gets the path to the directory from the following registry key:
    [HKCU\Software\RimArts\B2\Settings]
    It searches for a file called Mailbox.ini, searches the file for the following parameters, and gets their values:
    UserID
    MailAddress
    MailServer
    passwd
  • It gets a list of accounts from the Microsoft Outlook address book.
  • The Trojan gets the values of the following parameters from %WinDir%\edialer.ini:
    LoginSaved
    PasswordSaved
  • The Trojan gets a list of keys in [HKCU\Software\Far\Plugins\FTP\Hosts] and gets the values of the following parameters:
    HostName
    user
    Password
    Description

Harvested data and the contents of files will be sent in compressed form to the remote malicious user by email as an attachment called report.bin.

The Trojan also launches an FTP server on the user's computer. The remote malicious user will then be able to connect to this server and gain access to files on the hard disk.


Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Delete the Trojan process.
  2. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  3. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).

Trojan-PSW

Trojan-PSW programs are designed to steal user account information such as logins and passwords from infected computers. PSW is an acronym of Password Stealing Ware.

When launched, a PSW Trojan searches system files or the registry for stored confidential data. If such data is found, the Trojan sends it to its “master.” Email, FTP, the web (including data in a request), or other methods may be used to transmit the stolen data.

Some such Trojans also steal registration information for certain software programs.


Aliases

Trojan-PSW.Win32.LdPinch.ur (Kaspersky Lab) is also known as:

  • Trojan: PWS-LDPinch (McAfee)
  • Troj/LdPnch-Gen (Sophos)
  • Trojan.LdPinch-133 (ClamAV)
  • Trj/LdPinch.OE (Panda)
  • W32/LdPinch.G.gen!Eldorado (FPROT)
  • PWS:Win32/Ldpinch (MS(OneCare))
  • Trojan.PWS.LDPinch.493 (DrWeb)
  • Win32/PSW.LdPinch trojan (Nod32)
  • Generic.Dialer.85C5D654 (BitDef7)
  • Trojan.PWS.LdPinch.Gen.6 (VirusBuster)
  • Win32:PdPinch-Z [Trj] (AVAST)
  • Trojan-PWS.Win32.LdPinch (Ikarus)
  • PSW.Ldpinch.CNU (AVG)
  • TR/PSW.LdPinch.RG.4 (AVIRA)
  • Infostealer (NAV)
  • W32/Suspicious_Gen.MQJM (Norman)
  • Packer.Win32.Agent.bk [Suspicious] (Rising)
  • Trojan-PSW.Win32.LdPinch.ur [AVP] (FSecure)
  • Trojan.PWS.LdPinch.Gen.6 (VirusBusterBeta)