
Trojan-PSW.Win32.LdPinch.aup

Detected Nov 08 2006 12:58 GMT
Released Aug 17 2007 14:53 GMT
Published Nov 08 2006 12:58 GMT

Technical Details

This Trojan is designed to steal a range of confidential information, primarily user passwords stored by installed applications.

It is a Windows PE EXE file. The file is approximately 23KB in size. It is packed using UPX. The unpacked file is approximately 250KB in size. It is written in Assembler.

Installation

When launching, the Trojan extracts the following file from its body:

%System%\incdrv.sys

Payload

Once launched, the Trojan adds the following entry to the system registry:

[HKLM\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"<name of Trojan program>"="<name of Trojan program>:*:Enabled:<name of Trojan without extension>"
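The entry above authorises the Trojan in the Windows XP firewall's exception list, so that list is worth auditing. Below is an added example (not part of the original description) that parses a .reg export of the AuthorizedApplications key and flags enabled exceptions whose executable lives outside the usual program folders; the sample export, the `dropper.exe` path and the `EXPECTED_ROOTS` allow-list are constructed assumptions.

```python
import re

# Registry key named in the description above; .reg exports spell the hive out as
# HKEY_LOCAL_MACHINE, so both spellings are normalised before comparison.
FIREWALL_LIST_KEY = (r"HKLM\System\ControlSet001\Services\SharedAccess\Parameters"
                     r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
# Each value has the form "<path>"="<path>:<scope>:<Enabled|Disabled>:<display name>"
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"$')
# Folders where a legitimately installed, firewall-authorised program is expected
# (assumption for this example; tune to the environment).
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")

def _norm_key(key):
    return key.lower().replace("hkey_local_machine\\", "hklm\\")

def parse_authorized_apps(reg_text):
    """Return (path, scope, state, display_name) tuples from the AuthorizedApplications
    list in a .reg export; an empty list if the key is absent."""
    entries, in_key = [], False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = _norm_key(line[1:-1]) == _norm_key(FIREWALL_LIST_KEY)
            continue
        m = _VALUE_RE.match(line) if in_key else None
        if not m:
            continue
        data = m.group("data").replace("\\\\", "\\")  # .reg files double backslashes
        parts = data.rsplit(":", 3)                   # rsplit: the drive letter has a colon too
        if len(parts) == 4:
            entries.append(tuple(parts))
    return entries

def suspicious_entries(entries):
    """Flag enabled exceptions whose executable is outside EXPECTED_ROOTS, e.g. in a
    user profile, Temp or the drive root, where a dropped Trojan authorises itself."""
    return [path for path, scope, state, name in entries
            if state.lower() == "enabled" and not path.lower().startswith(EXPECTED_ROOTS)]

# Constructed sample export (not real data): one legitimate entry, one planted in Temp,
# one disabled entry that must not be flagged.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Documents and Settings\\user\\Local Settings\\Temp\\dropper.exe"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\dropper.exe:*:Enabled:dropper"
"C:\\Program Files\\Old\\old.exe"="C:\\Program Files\\Old\\old.exe:*:Disabled:Old"
"""

if __name__ == "__main__":
    for p in suspicious_entries(parse_authorized_apps(SAMPLE_REG)):
        print("suspicious firewall exception:", p)
```

On a live machine, export the key with `reg export` and feed the file to `parse_authorized_apps`; the same check applies to the CurrentControlSet copy of the key.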

The Trojan constantly searches for windows of the following classes: "AVP.AlertDialog", "AVP.AhAppChangedDialog", "AVP.AhLearnDialog". Within these windows it will emulate clicking on "Allow".

The Trojan constantly searches for windows whose title contains the strings "Sozdat’ pravilo dlya" or "Create a rule for" and emulates clicking on "Razreshit odnokratno" or "Allow Once" (the Russian and English terms are equivalent).

The Trojan also emulates clicking on "OK" in windows with the following titles:

  • Vnimanie: Nekotoryie komponentyi izmenilis’
  • Warning: Components Have Changed
  • Skrityi protsess zaprashivaet setevoi dostup
  • Hidden Process Requests Network Access

The Trojan harvests information about the hard disk, how much free space remains on the disk, the current user’s account, the network name of the victim machine, the version of the operating system, the type of processor, screen options, programs installed on the computer, active processes and dial-up connections.

The Trojan searches for the following files:

account.cfg
account.cfn

In the following folders:

%UserProfile%\Application Data\BatMail
%UserProfile%\Application Data\The Bat!

It also searches folders indicated in the following registry key parameters for these files:

[HKCU\Software\RIT\The Bat!]
 Working Directory
 ProgramDir

It will harvest the contents of these files.

The Trojan gets the path to the Mirabilis ICQ client (if installed), searches for files with a DAT extension and harvests their contents.

It also reads the values of the following registry keys:

[HKCU\Software\Mirabilis\ICQ\NewOwners]
[HKLM\Software\Mirabilis\ICQ\NewOwners]

The Trojan reads the path to the Miranda client (if installed) from the following registry section:

[HKLM\Software\Miranda]
 Install_Dir

It searches this folder for files with a DAT extension and harvests their contents.

The Trojan also searches the following registry key’s parameters:

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]

for parameters called RQ.exe and RAT.exe, and uses their values to search for a file called andrq.ini.

If it does not find these files, it gets the value from the following registry key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RQ]
 UninstallString

and uses it to search for a file called andrq.ini.

The Trojan gets the path to the file with the Trillian client (if installed) from the following registry key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Trillian]

It reads the contents of users\global\profiles.ini, and extracts information about the current user profile. It also reads the user name and password from aim.ini.

The Trojan gets the path to Total Commander (if installed) from the following registry keys:

[HKCU\Software\Ghisler\Windows Commander]
[HKCU\Software\Ghisler\Total Commander]
[HKLM\Software\Ghisler\Windows Commander]
[HKLM\Software\Ghisler\Total Commander]

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Total Commander]
 UninstallString

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Total Commander XP]
 UninstallString

[HKCU\SOFTWARE\Microsoft\Windows\ShellNoRoam\MUICache]
 Totalcmd.exe

The Trojan searches this folder, and also %WinDir% for a file called wcx_ftp.ini or ftp.ini where it will search for the following parameters and get their values:

host
username
password
directory
method

The Trojan gets the path to the folder from the following registry key:

[HKCU\Software\RimArts\B2\Settings]

It searches for a file called Mailbox.ini, searches for the following parameters, and gets their values:

UserID
MailAddress
MailServer
PassWd

The Trojan gets a list of entries in the address book, and passwords to Microsoft Outlook accounts from the following registry key:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook]

The Trojan gets the path to CuteFTP and searches it for the following files:

sm.dat
tree.dat
smdata.dat

It will harvest the contents of these files.

The Trojan gets the values of the following parameters from %WinDir%\edialer.ini:

LoginSaved
PasswordSaved

The Trojan gets a list of keys in [HKCU\Software\Far\Plugins\FTP\Hosts] and gets the values of the following parameters:

HostName
User
Password
Description

The Trojan reads the path to the Opera client (if installed) and searches both its folder, and the path shown below:

%UserProfile%\Application Data\Opera

for a file called \profile\wand.dat. It harvests the contents of this file.

The Trojan gets the path to Mozilla (if installed) from the system registry, and harvests all files in the Profiles folder.

The Trojan gets the path to QIP (if installed) from the following registry key:

[HKCU\SOFTWARE\Microsoft\Windows\ShellNoRoam]
 "qip.exe"

It searches the program folder, its Users subfolder and every folder within that subfolder for Config.ini, and gets the values for:

Password
NPass

The Trojan reads the contents of %UserProfile%\Application Data\Thunderbird\Profiles.ini and extracts the path to the profiles, where it searches for files called signons.txt and prefs.js and harvests their contents.

The Trojan gets the values of all subkeys of the following registry key:

[HKCU\Software\Mail.Ru\Agent\mra_logins]

The Trojan reads the following parameters from %UserProfile%\Application Data\Qualcomm\Eudora\Eudora.ini:

RealName
ReturnAddress
PopServer
LoginName
SavePasswordText

The Trojan reads the path to Punto Switcher (if installed) from the following registry key:

[HKCU\Software\Punto Switcher]

and reads the contents of "diary.dat".

It reads the contents of %UserProfile%\Application Data\gaim\accounts.xml.

The Trojan harvests the contents of files located in the Firefox profiles.

The Trojan gets the path to the folder with FileZilla (if installed) from the following registry key:

[HKCU\Software\FileZilla]
 Install_Dir

and harvests the contents of FileZilla.xml.

The Trojan gets the path to the folder with FlashFXP (if installed) and harvests the contents of Sites.dat.

It harvests the contents of the following files:

%WinDir%\VD3User.dat
%WinDir%\Vd3main.dat

It also harvests the contents of the following files:

%UserProfile%\Application Data\SmartFTP\Client 2.0\Favorites\Favorites.dat
%UserProfile%\Application Data\SmartFTP\Favorites.dat
%UserProfile%\Application Data\SmartFTP\History.dat

It harvests the following values:

HostName
Port
Username
Password
ItemName

from the following registry subkey:

[HKCU\Software\CoffeeCup Software\Internet\Profiles]

The Trojan reads the value of the following registry key parameter:

[HKCU\SOFTWARE\Microsoft\Windows\ShellNoRoam]
 USDownloader.exe

and uses it to search for the files listed below:

USDownloader.lst
Depositfilesl.txt
Megauploadl.txt
Rapidsharel.txt

It harvests the contents of these files.

The Trojan reads the value of the following registry key parameter:

[HKCU\SOFTWARE\Microsoft\Windows\ShellNoRoam]
 rapget.exe

and uses it to search for the files listed below:

rapget.ini
links.dat

It harvests the contents of these files.

Harvested data will be saved to c:\rep.bin. The contents of this file will be sent by email to the remote malicious user at x****iii@mail.by. The file will then be deleted.


Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program.

  1. Delete the Trojan process.
  2. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  3. Delete %System%\incdrv.sys
  4. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).

Trojan-PSW

Trojan-PSW programs are designed to steal user account information such as logins and passwords from infected computers. PSW is an acronym of Password Stealing Ware.

When launched, a PSW Trojan searches the system files and registry keys that store confidential data. If such data is found, the Trojan sends it to its "master". Email, FTP, the web (including data embedded in a request), or other methods may be used to transmit the stolen data.

Some such Trojans also steal registration information for certain software programs.


Aliases

Trojan-PSW.Win32.LdPinch.aup (Kaspersky Lab) is also known as:

  • Net-Worm.MSWord.Lmir.aup (Kaspersky Lab)
  • Mal/Basine-A (Sophos)
  • Adware/Lop (Panda)
  • Heuristic.WinPE-Statistical (Panda)
  • W32/PWStealer.BIH (FPROT)
  • W32/LdPinch.A.gen!Eldorado (FPROT)
  • PWS:Win32/Ldpinch.gen (MS(OneCare))
  • Trojan:Win32/AgentBypass.gen!A (MS(OneCare))
  • Trojan.PWS.LDPinch.1098 (DrWeb)
  • Win32/PSW.LdPinch.AUP trojan (Nod32)
  • Trojan.PWS.LdPinch.AUP (BitDef7)
  • BehavesLike:Trojan.FirewallBypass (BitDef7)
  • Win32:LdPinch-HZ [Trj] (AVAST)
  • Trojan-Downloader.Istbar (Ikarus)
  • Trojan-PWS.Win32.LdPinch (Ikarus)
  • PSW.Ldpinch.BWF (AVG)
  • TR/Crypt.XDR.Gen (AVIRA)
  • Infostealer (NAV)
  • Suspicious_Gen2.DPRHO (Norman)
  • W32/LdPinch.ASEI (Norman)
  • Trojan.PSW.LdPinch.cpu (Rising)
  • Trojan-PSW.Win32.LdPinch.aup [AVP] (FSecure)