
Trojan-PSW.Win32.LdPinch.awp

Detected Sep 06 2006 00:27 GMT
Released Sep 06 2006 00:27 GMT
Published Mar 20 2007 08:11 GMT

Technical Details

This Trojan steals confidential data. The program itself is a Windows PE EXE file. It is written in Assembler. It is 23,552 bytes in size. It is packed using UPX. The unpacked file is approximately 220KB in size.

Payload

When launching, the Trojan decrypts its body to memory, and then:

  • Searches the system for Kaspersky Anti-Virus and firewall warning dialogs. It then creates a rule allowing its own activity by simulating clicks on the buttons of those dialog windows.
  • Collects data about the operating system version, system time, system folders, screen options, presence of an address book, accessible memory, account details of the current user, victim machine's network ID, and serial number of the hard disk. Also gets data about logical disks present on the system, their type and amount of free space, as well as a list of current processes.
  • Harvests data from the configuration files of the following programs:
    • The Bat!
    • Mirabilis ICQ
    • Miranda
    • Trillian
    • Total Commander
    • Microsoft Outlook
    • CuteFTP
    • FAR
    • Opera
    • Mozilla Firefox
    • QIP
    • MailRu agent
    • Qualcomm Eudora
    • Punto Switcher
    • Gaim
    • FileZilla
    • FlashFXP
    • Passport.Net
    • &RQ

The Trojan sends the harvested data in the form of an HTTP request to ricoger.com:

http://ricoger.com/p1/****.php
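As an added example (not part of the original report), the following Python script scans proxy log lines for requests to the exfiltration endpoint above. The log format and the sample lines are constructed for illustration; because the script name is masked in the report, the check matches any `.php` under `/p1/` on that domain.

```python
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed sample proxy log lines (timestamp, client, method, url, status).
# These are made-up entries for illustration, not real traffic.
SAMPLE_LOG = """\
1157500000.123 10.0.0.5 GET http://www.example.com/index.html 200
1157500001.456 10.0.0.7 POST http://ricoger.com/p1/gate.php 200
1157500002.789 10.0.0.9 GET http://ricoger.com.example.net/page.html 200
1157500003.012 10.0.0.7 POST http://RICOGER.COM/p1/other.php 404
1157500004.345 10.0.0.11 GET http://static.ricoger.com/p1/x.php 200
"""

C2_DOMAIN = "ricoger.com"
# The report shows only http://ricoger.com/p1/****.php, so match the /p1/ prefix
# and .php suffix instead of guessing the masked script name.
C2_PATH = re.compile(r"^/p1/[^/]+\.php$", re.IGNORECASE)

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def is_ldpinch_c2(url: str) -> bool:
    """True if the URL points at the LdPinch.awp exfiltration endpoint."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Accept the exact host or a subdomain of it; this rejects lookalikes
    # such as ricoger.com.example.net.
    if host != C2_DOMAIN and not host.endswith("." + C2_DOMAIN):
        return False
    return C2_PATH.match(parts.path) is not None


def find_infected_clients(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, method, url) for every request that hits the C2 endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        if is_ldpinch_c2(m.group("url")):
            hits.append((m.group("client"), m.group("method"), m.group("url")))
    return hits


if __name__ == "__main__":
    for client, method, url in find_infected_clients(SAMPLE_LOG):
        print(f"possible LdPinch.awp infection on {client}: {method} {url}")
```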

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the Trojan process.
  2. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  3. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).

Trojan-PSW

Trojan-PSW programs are designed to steal user account information such as logins and passwords from infected computers. PSW is an acronym of Password Stealing Ware.

When launched, a PSW Trojan searches the system files or registry keys in which a range of confidential data is stored. If such data is found, the Trojan sends it to its “master.” Email, FTP, the web (including data embedded in a request), or other methods may be used to transmit the stolen data.

Some such Trojans also steal registration information for certain software programs.
