English
Log in
Search
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

HomeDescriptionsTrojan-PSW.Win32.LdPinch.bkk

Trojan-PSW.Win32.LdPinch.bkk

Detected Mar 15 2007 13:10 GMT
Released Jun 13 2007 13:31 GMT
Published Mar 15 2007 13:10 GMT

Manual description Auto description
This description was created by experts at Kaspersky Lab. It contains the most accurate information available about this program.

Technical Details
Payload
Removal instructions

Technical Details

This Trojan is designed to steal confidential information (user passwords). It is designed to steal a range of confidential information.

It is a Windows PE EXE file. The file is approximately 49KB in size. t is written in Assembler.

Installation

When launching, the Trojan extracts the following files from its body:

  • %Temp%\Pinch;009.exe — this file is 26,635 bytes in size;
  • %Temp%\drag_and_go_back_spezial.swf — this file is 19,006 bytes in size.

The files will then be launched for execution.

The Trojan also adds the following parameter to the system registry:

[HKLM\System\ControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"<name of Trojan program>" = "<name of Trojan program>:*:Enabled:"

Payload

The Trojan constantly searches for windows of the following classes: “AVP.AlertDialog”, “AVP.AhAppChangedDialog”, “AVP.AhLearnDialog”. Within these windows it will emulate clicking on the following buttons: "Razreshit [‘Allow' in Russian]”, “Allow”, “Skip”, “Sozdat’ pravilo [‘Create Rule’ in Russian]“, “Apply to all”, “Remember this action”. It will close windows of the class “AVP.Product_Notification”.

The Trojan searches for windows where the title contains the following strings: “Kaspersky Anti-Hacker - Sozdat’ pravilo dlya [Russian version of following string]" or "Kaspersky Anti-Hacker - Create a rule for" and emulates clicking on the following button: "Razreshit' odnokratno [Russian version of following string]“ or “Allow Once”.

The Trojan also emulates clicking on “OK” in windows with the following titles:

Vnimanie: Nekotoryie komponentyi izmenilis’
Warning: Components Have Changed
Skrityi protsess zaprashivaet setevoi dostyp
Hidden Process Requests Network Access

The Trojan harvests information about the hard disk, how much free space remains on the disk, the current user’s account, the network name of the victim machine, the version of the operating syste, the type of processor, screen options, programs installed on the computer, active processes and dial-up connections.

The Trojan searches for the files account.cfg and account.cfn in the following folders:

%Documents and Settings%\<name of current user>\Application Data\BatMail
%Documents and Settings%\<name of current user>\Application Data\The Bat!

It also searches folders indicated in the following registry key parameters for these files: 

[HKCU\Software\RIT\The Bat!]
Working Directory
ProgramDir

It will harvest the contents of these files.

The Trojan gets the path to the Mirabilis ICQ client (if installed), searches for files with a DAT extension and harvests their contents.

The Trojan reads the path to the Miranda client (if installed) from the following registry section: 

[HKLM\Software\Miranda]
Install_Dir

searches it for files with a DAT extension and harvest their contents.

The Trojan also searches the following registry key’s parameters [HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache] for parameters called RQ.exe and RAT.exe. It gets the value for these files (if found) and uses it to search for a file called andrq.in.

If it does not find these files, it gets the value from the following registry key

[HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\RQ]
UninstallString

and uses it to search for a file called andrq.ini.

The Trojan gets the path to the file with the Trillian client (if installed) from the following registry key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Trillian]

It reads the contents of users\global\profiles.ini, and extracts information about the current user profile. It also reads the user name and password from aim.ini.

The Trojan gets the path to Total Commander (if installed) from the following registry keys:

[HKCU\Software\Ghisler\Windows Commander]

[HKCU\Software\Ghisler\Total Commander]

[HKLM\Software\Ghisler\Windows Commander]

[HKLM\Software\Ghisler\Total Commander]

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Total Commander]
UninstallString

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Total Commander XP]
UninstallString

[HKCU\SOFTWARE\Microsoft\Windows\ShellNoRoam\MUICache]
Totalcmd.exe

The Trojan searches this folder, and also %WinDir% for a file called wcx_ftp.ini or ftp.ini, which it will search for the following parameters and get their values:

host
username
password
directory
method

The Trojan searches this folder, and also %WinDir% for a file called wcx_ftp.ini or ftp.ini, which it will search for the following parameters and get their values [HKCU\Software\RimArts\B2\Settings], it searches for a file called Mailbox.ini, searches for the following parameters, and gets their values: 

UserID
MailAddress
MailServer
PassWd

The Trojan gets a list of entries in the address book, and passwords to Microsoft Outlook accounts from the following registry key:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook]

The Trojan gets the patch to CuteFTP and CuteFTP Professional (if installed) and searches them for the following files:

sm.dat
tree.dat
smdata.dat

It will harvest the contents of these files.

The Trojan gets the values of the following paramenters from %WinDir%\edialer.ini:

LoginSaved
PasswordSaved

The Trojan gets a list of keys in [HKCU\Software\Far\Plugins\FTP\Hosts] and gets the values of the following parameters: 

HostName
User
Password
Description

The Trojan gets the values of DIR and DEFDIR from "WS_FTP” in %WinDir%\win.ini and uses the values to search for a file called ws_ftp.ini. It reads the values of the following parameters from this file:

HOST
UID
PWD

The Trojan reads the path to the Opera client (if installed) and searches both its folder, and the patch shown below:

%Documents and Settings%\<name of current user>\Application Data\Opera

for a file called \profile\wand.dat. It harvests the contents of this file.

The Trojan gets the path to Mozilla (if installed) from the system registry, and harvests all files in the Profiles folder.

The Trojan gets the path to QIP (if installed) from the following registry key:

[HKCU\Software\Microsoft\Windows\ShellNoRoam]
"qip.exe"

It searchs the program folder, the subfolder Users and all folders in the subfolder for Config.ini. It gets the values for:

Password
NPass

The Trojan reads the contents of %Documents and Settings%\<user name>\Application Data\Thunderbird\Profiles.ini and extracts a path to profiles, where it will search for files called signons.txt and prefs.js, and harvest their contents.

The Trojan gets the values of all subkeys of the following registry key:

[HKCU\Software\Mail.Ru\Agent\mra_logins]

The Trojan reads the following parameters from %Documents and Settings%\<user name>\Application Data\Qualcomm\Eudora\Eudora.ini:

RealName
ReturnAddress
PopServer
LoginName
SavePasswordText

The Trojan reads the path to Punto Switcher (if installed) from the following registry key:

[HKCU\Software\Punto Switcher]

and reads the contents of "diary.dat”.

It reads the value of %Documents and Settings%\<name of current user>\Application Data\gaim\accounts.xml.

The Trojan harvests the contents of files located in the Firefox profiles.

The Trojan gets the path to the folder with FileZilla (if installed) from the following registry key:

[HKCU\Software\FileZilla]
Install_Dir

And harvests the contents of FileZilla.xml and sitemanager.xml.

The Trojan gets the path to the folder with FlashFXP (if installed) and harvests the contents of Sites.dat.

It harvests the contents of the following files:

%WinDir%\VD3User.dat
%WinDir%\Vd3main.dat

It also harvests the contents of the following files:

%Documents and Settings%\<name of current user>\Application Data\SmartFTP\Client 2.0\Favorites\ Favorites.dat

%Documents and Settings%\<name of current user>\Application Data\SmartFTP\Favorites.dat

%Documents and Settings%\<name of current user>\Application Data\SmartFTP\History.dat

It harvests the following values:

HostName
Port
Username
Password
ItemName

from the following registry subkey:

[HKCU\Software\CoffeeCup Software\Internet\Profiles]

The Trojan reads the value of the following registry key parameter:

[HKCU\Software\Microsoft\Windows\ShellNoRoam]
USDownloader.exe

and uses it to search for the files listed below:

USDownloader.lst
Depositfilesl.txt
Megauploadl.txt
Rapidsharel.txt

It harvests the contents of these files.

The Trojan reads the value of the following registry key parameter:

[HKCU\Software\Microsoft\Windows\ShellNoRoam]
rapget.exe

and uses it to search for the files listed below: 

rapget.ini
links.dat

It harvests the contents of these files.

The Trojan searches %Documents and Settings%\<user name>\My Documents for files with an .rdp extension and harvests their contents.

The Trojan sends all the data harvested to ****n@timeparty.org, the remote malicious user's email.


Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Delete the Trojan process.
  2. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  3. Delete the following files: 
    %Temp%\Pinch;009.exe
%Temp%\drag_and_go_back_spezial.swf
  4. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).


Print
Bookmark and Share
Share
Trojans
Trojan-PSW

Trojan-PSW programs are designed to steal user account information such as logins and passwords from infected computers. PSW is an acronym of Password Stealing Ware.

When launched, a PSW Trojan searches system files which store a range of confidential data or the registry. If such data is found, the Trojan sends it to its “master.” Email, FTP, the web (including data in a request), or other methods may be used to transit the stolen data.

Some such Trojans also steal registration information for certain software programs.


Other versions
Trojan-PSW.Win32.LdPinch.a
Trojan-PSW.Win32.LdPinch.abm
Trojan-PSW.Win32.LdPinch.akv
Trojan-PSW.Win32.LdPinch.ato
Trojan-PSW.Win32.LdPinch.aup
Trojan-PSW.Win32.LdPinch.awp
Trojan-PSW.Win32.LdPinch.azw
Trojan-PSW.Win32.LdPinch.bik
Trojan-PSW.Win32.LdPinch.bok
Trojan-PSW.Win32.LdPinch.byc
Trojan-PSW.Win32.LdPinch.rn
Trojan-PSW.Win32.LdPinch.ur
Trojan-PSW.Win32.LdPinch.zm

Aliases

Trojan-PSW.Win32.LdPinch.bkk (Kaspersky Lab) is also known as:

  • Trojan: Generic PWS.y (McAfee)
  • Mal/Krap-K (Sophos)
  • Trojan.Packed-70 (ClamAV)
  • Malicious Packer (Panda)
  • W32/PWStealer.JKW (FPROT)
  • PWS:Win32/Ldpinch (MS(OneCare))
  • Trojan.PWS.LDPinch.1526 (DrWeb)
  • Win32/PSW.LdPinch.NDD trojan (Nod32)
  • Trojan.Pws.Ldpinch.BKK (BitDef7)
  • Rootkit.LDPinch.Gen.4 (VirusBuster)
  • Win32:LdPinch-ACW [Trj] (AVAST)
  • Trojan-PWS.Win32.LdPinch (Ikarus)
  • PSW.Ldpinch.FFI (AVG)
  • TR/Crypt.XPACK.Gen (AVIRA)
  • Infostealer (NAV)
  • Suspicious_M.gen (Norman)
  • Generic PWS.y (NAI)
  • Trojan.PSW.Win32.LdPinch.bkk (Rising)
  • Trojan-PSW.Win32.LdPinch.bkk [AVP] (FSecure)
  • Mal_Pai-4 (TrendMicro)
  • Trojan-PSW.Win32.LdPinch.syo (Sunbelt)
  • Rootkit.LDPinch.Gen.4 (VirusBusterBeta)

© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.

kaspersky.com

Products

eStore

Threats

Downloads

Support

Partners

About Us

Search

securelist.com

Threats

Analysis

Blog

Descriptions

Glossary

RSS feeds

Contacts

Search