Trojan-PSW.Win32.LdPinch.ato

Technical Details
Payload
Removal instructions

Technical Details

This Trojan is one of a family of Trojans which steals user passwords. It is designed to steal confidential data. It harvests user names and passwords for a range of services and programs. It also harvest system information. The file is 21,398 bytes in size. It is packed using MEW. The unpacked file is approximately 280KB in size.

Payload

The Trojan harvests information about the hard disk, how much free space remains on the disk, the current user’s account, the network name of the victim machine, the version of the operating syste, localisation, the type of processor, screen options, programs installed on the computer, active processes and dial-up connections.

The Trojan harvests information from account.cfg and account.cfn which are located in the following directories:

%AppData%\The Bat
%AppData%\BatMail

The Trojan then gets the path to the The Bat! directory by using the following registry keys:

[HKLM\Software\RIT\The Bat!] 
Working Directory or ProgramDir

It then searches for account.cfg and account.cfn and reads their contents.

The Trojan gets information about ICQ databases from the following registry branch:

[HKLM\Software\Mirabilis\ICQ\DefaultPrefs]

and information about ICQ users from the following branch:

[HKLM\Software\Mirabilis\ICQ\NewOwners]

by using the following registry key

[HKLM\Software\Miranda]
Install_Dir

the Trojan gets the path to the Miranda directory. It searchs this directory for files with a .dat extension; it extracts account numbers and passwords to user accounts from these files.

It gets the path to the Trillian directory, and extracts from its configuration files confidential user information.

The Trojan also harvests the following data:

• user name and passwords to remote connections;
• passwords for Windows Commander and Total Commander;
• passwords for CuteFTP, CuteFTP PRO;
• saved Mozilla and Opera passwords;
• saved FileZilla passwords;
• user names and passwords to Mail.Ru Agent;
• passwords to FAR FTP connections;
• passwords to Thunderbird;
• passwords and logs for Punto Switcher;
• passwords to AIM, GAIM, Eudora, E-Dialer, Outlook, INETCOMM Server, CoffeeCup Software, FlashXP, MirIM, SmartFTP;
• information from %WinDir%\win.ini

Harvested data will be encrypted and saved to C:\sourcefile.dat, which will then be sent to the remote malicious user's server as an HTML request:

http://readnews.ru/lamer/********/gate.php

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

1. Use Task Manager to terminate the Trojan process.
2. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
3. Delete the following file:

   C:\sourcefile.dat

4. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).