Internet threat level: 1
Home→Descriptions→Trojan-PSW.Win32.LdPinch.zm
Trojan-PSW.Win32.LdPinch.zm
| Detected | Nov 30 2005 14:22 GMT |
| Released | Nov 30 2005 17:29 GMT |
| Published | May 11 2006 16:08 GMT |
Payload
Technical Details
This Trojan is designed to steal confidential information. The Trojan itself is a Windoes PE EXE file 20205 bytes in size, packed using MEW. The unpacked file is approximately 120KB in size.
Installation
Once launched, the Trojan creates a file called ssmc.dll, which is 19968 byts in size, in the Windows root directory.
Payload
The Trojan scans the branches of the system registry listed below, and attempts to harvest passwords.
[HKEY_LOCAL_MACHINE\Software\Ghisler\Windows Commander]
[HKEY_LOCAL_MACHINE\Software\Ghisler]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\&RQ]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Trillian]
[HKEY_LOCAL_MACHINE\Software\Mirabilis\ICQ\DefaultPrefs]
[HKEY_LOCAL_MACHINE\Software\Mirabilis\ICQ]
[HKEY_LOCAL_MACHINE\Software\Mirabilis]
[HKEY_LOCAL_MACHINE\Software\Miranda]
[HKEY_USERS\.DEFAULT\Identities\{AF3274A0-6E41-11DA-83A4-C394B5B26C06}\Software\Microsoft\Internet Account Manager\Accounts]
[HKEY_USERS\.DEFAULT\Identities\{AF3274A0-6E41-11DA-83A4-C394B5B26C06}\Software\Microsoft\Internet Account Manager]
[HKEY_USERS\.DEFAULT\Software\Far\Plugins\FTP\Hosts]
[HKEY_USERS\.DEFAULT\Software\Far\Plugins\FTP]
[HKEY_USERS\.DEFAULT\Software\Far\Plugins]
[HKEY_USERS\.DEFAULT\Software\Far]
[HKEY_USERS\.DEFAULT\Software\Ghisler\Total Commander]
[HKEY_USERS\.DEFAULT\Software\Ghisler\Windows Commander]
[HKEY_USERS\.DEFAULT\Software\Ghisler]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Account Manager\Accounts]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Account Manager]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_USERS\.DEFAULT\Software\Mirabilis\ICQ\DefaultPrefs]
[HKEY_USERS\.DEFAULT\Software\Mirabilis\ICQ\NewOwners]
[HKEY_USERS\.DEFAULT\Software\Mirabilis\ICQ]
[HKEY_USERS\.DEFAULT\Software\Mirabilis]
[HKEY_USERS\.DEFAULT\Software\RIT\The Bat!]
[HKEY_USERS\.DEFAULT\Software\RIT]
From time to time, this information will be sent to the remote malicious user via email.
Trojan-PSW programs are designed to steal user account information such as logins and passwords from infected computers. PSW is an acronym of Password Stealing Ware.
When launched, a PSW Trojan searches system files which store a range of confidential data or the registry. If such data is found, the Trojan sends it to its “master.” Email, FTP, the web (including data in a request), or other methods may be used to transit the stolen data.
Some such Trojans also steal registration information for certain software programs.
Trojan-PSW.
- Trojan:
PWS-LDPinch (McAfee) - Troj/LdPnch-Gen (Sophos)
- Heuristic.
WinPE-Statistical (Panda) - W32/LdPinch.
K. gen!Eldorado (FPROT) - PWS:
Win32/Ldpinch. gen (MS(OneCare)) - Trojan.
PWS. LDPinch. 722 (DrWeb) - Win32/TrojanDropper.
Small. NCP trojan (Nod32) - Dropped:
Trojan. Pws. Ldpinch. ZM (BitDef7) - Packed/MEW (VirusBuster)
- Win32:
Trojan-gen (AVAST) - Trojan-PWS.
Win32. LdPinch (Ikarus) - Dropper.
Generic. BAW. dropper (AVG) - TR/Crypt.
XDR. Gen (AVIRA) - Infostealer (NAV)
- W32/Packed_Mew.
C (Norman) - PWS-LDPinch (NAI)
- Trojan.
PSW. LdPinch. zp (Rising) - Trojan-PSW.
Win32. LdPinch. zm [AVP] (FSecure) - Cryp_MEW-11 (TrendMicro)
© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.