Internet threat level: 1
Home→Descriptions→Trojan-PSW.Win32.LdPinch.abm
Trojan-PSW.Win32.LdPinch.abm
| Detected | Mar 15 2006 15:36 GMT |
| Released | Jan 20 2010 17:07 GMT |
| Published | Mar 15 2006 15:36 GMT |
Payload
Removal instructions
Technical Details
This Trojan program is designed to steal confidential user data. It harvests user names and passwords to a range of services and programs, and incorporates an SMTP server.
The Trojan is a Windows PE EXE file, written in C++, and is 58410 bytes in size.
Once launched, the Trojan copies itself to the Windows root directory under the executable file's original name:
%Windir%\<original Trojan name>.exe
The original executable file is then deleted.
The Trojan registers this file in the system registry to ensure that the Trojan file will be launched each time Windows is rebooted on the victim machine.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "putil" = "%Windir%\<original Trojan name>.exe"
The Task Manager will display the Trojan as a process called <original Trojan name>.
Payload
The Trojan scans the following branches of the system registry, and attempts to harvest passwords which have been saved in the associated programs.
[HKEY_LOCAL_MACHINE\Software\Ghisler\Windows Commander]
[HKEY_LOCAL_MACHINE\Software\Ghisler]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\&RQ]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Trillian]
[HKEY_LOCAL_MACHINE\Software\Mirabilis\ICQ\DefaultPrefs]
[HKEY_LOCAL_MACHINE\Software\Mirabilis\ICQ]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Mirabilis]
[HKEY_LOCAL_MACHINE\Software\Miranda]
[HKEY_USERS\.Default\Software\Far\Plugins\FTP\Hosts]
[HKEY_USERS\.Default\Software\Far\Plugins\FTP]
[HKEY_USERS\.Default\Software\Far\Plugins]
[HKEY_USERS\.Default\Software\Far]
[HKEY_USERS\.Default\Software\Ghisler\Total Commander]
[HKEY_USERS\.Default\Software\Ghisler\Windows Commander]
[HKEY_USERS\.Default\Software\Microsoft\Internet Account Manager\Accounts]
[HKEY_USERS\.Default\Software\Microsoft\Internet Account Manager]
[HKEY_USERS\.Default\Software\Mirabilis\ICQ\DefaultPrefs]
[HKEY_USERS\.Default\Software\Mirabilis\ICQ\NewOwners]
[HKEY_USERS\.Default\Software\Mirabilis\ICQ\NewOwners]
[HKEY_USERS\.Default\Software\Mirabilis\ICQ]
[HKEY_USERS\.Default\Software\Mirabilis]
[HKEY_USERS\.Default\Software\RIT\The Bat!]
[HKEY_USERS\.Default\Software\RIT]
The harvested information is periodically sent to a remote malicious user's email address.
Removal instructions
Äëÿ ðóÞíîãî óäàëåíèÿ ïðîãðàììû ñëåäóåò âûïîëíèòü ñëåäóþùèå äåéñòâèÿ:
- In Task Manager, terminate the process with the Trojan name
- Delete the Trojan file from the Windows root directory
- Delete the following system registry keys
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "putil"="%Windir%\<original Trojan name>.exe"
- Perform a full scan of your computer (download a trial version of Kaspersky Anti-Virus).
Trojan-PSW programs are designed to steal user account information such as logins and passwords from infected computers. PSW is an acronym of Password Stealing Ware.
When launched, a PSW Trojan searches system files which store a range of confidential data or the registry. If such data is found, the Trojan sends it to its “master.” Email, FTP, the web (including data in a request), or other methods may be used to transit the stolen data.
Some such Trojans also steal registration information for certain software programs.
Trojan-PSW.
- Trojan-Spy.
Win32. LdPinch. abm (Kaspersky Lab)
© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.