
Trojan-PSW.Win32.LdPinch.akv

Detected Apr 10 2006 23:24 GMT
Released Apr 10 2006 23:24 GMT
Published Feb 15 2007 14:16 GMT

Technical Details

This Trojan is a Windows PE EXE file. The file is 10,757 bytes in size. It is packed using FSG. The unpacked file is approximately 60KB in size. It is written in Delphi.

Payload

When launched, the Trojan starts a system process, svchost.exe, and injects its code into this process. It then deletes its original file.

The code injected into the process waits for a connection to the Internet, and downloads files from the following links:

http://85.***.23.36/o/4.exe
http://85.***.23.37/e/444.exe

(At the time of writing, these links were not working.)

The Trojan saves the files it has downloaded to its current directory under the following names:

csrss.exe
smss.exe

The files are then launched for execution.
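
A triage check for the behaviour described above, as an added example (not Kaspersky's code): it flags csrss.exe or smss.exe running from anywhere other than System32, and any svchost.exe whose parent is not services.exe. The process records are constructed sample data, and the System32 path assumes a default Windows installation.

```python
import ntpath

# Names the page says the Trojan gives its downloads; the genuine Windows
# binaries with these names live only in %SystemRoot%\System32.
MASQUERADED = {"csrss.exe", "smss.exe"}
SYSTEM32 = r"c:\windows\system32"  # assumption: default install path

# Constructed sample process inventory (pid, parent pid, full image path).
TEMP = r"C:\Documents and Settings\user\Local Settings\Temp"
SAMPLE = [
    {"pid": 368, "ppid": 4, "image": r"C:\WINDOWS\System32\smss.exe"},
    {"pid": 520, "ppid": 368, "image": r"C:\WINDOWS\System32\csrss.exe"},
    {"pid": 612, "ppid": 544, "image": r"C:\WINDOWS\System32\services.exe"},
    {"pid": 900, "ppid": 612, "image": r"C:\WINDOWS\System32\svchost.exe"},
    # Parent 3120 is absent: the launcher exited after deleting its file.
    {"pid": 2284, "ppid": 3120, "image": r"C:\WINDOWS\System32\svchost.exe"},
    {"pid": 2310, "ppid": 2284, "image": TEMP + r"\csrss.exe"},
    {"pid": 2316, "ppid": 2284, "image": TEMP + r"\smss.exe"},
]


def norm_dir(path):
    """Lower-cased, normalised directory of a Windows image path."""
    return ntpath.dirname(ntpath.normpath(path)).lower()


def triage(processes):
    """Return (pid, reason) pairs for records matching the described behaviour."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for p in processes:
        name = ntpath.basename(p["image"]).lower()
        if name in MASQUERADED and norm_dir(p["image"]) != SYSTEM32:
            findings.append((p["pid"], f"{name} running outside System32"))
        if name == "svchost.exe":
            parent = by_pid.get(p["ppid"])
            parent_name = ntpath.basename(parent["image"]).lower() if parent else None
            # Genuine svchost.exe instances are started by services.exe.
            if parent_name != "services.exe":
                findings.append(
                    (p["pid"], f"svchost.exe started by {parent_name or 'exited parent'}"))
    return findings


if __name__ == "__main__":
    for pid, reason in triage(SAMPLE):
        print(pid, reason)
```

Both checks are heuristics for narrowing down which files to remove; a hit should be confirmed with an antivirus scan before anything is deleted.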


Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Reboot the computer in Safe Mode (at the start of the boot sequence, press and hold F8, then choose Safe Mode from the Windows boot menu).
  2. Delete the files downloaded by the Trojan.
  3. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).

Trojan-PSW

Trojan-PSW programs are designed to steal user account information such as logins and passwords from infected computers. PSW is an acronym of Password Stealing Ware.

When launched, a PSW Trojan searches the registry or system files which store a range of confidential data. If such data is found, the Trojan sends it to its “master.” Email, FTP, the web (including data in a request), or other methods may be used to transmit the stolen data.

Some such Trojans also steal registration information for certain software programs.

