Trojan-PSW.Win32.LdPinch.a

Technical Details

This family of Trojans steals user passwords.

When launching, the Trojan writes the following value to the system registry.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    putil = %windir%\%file name%

This ensures that the Trojan will be run every time the system is started.

It then copies itself to the Windows folder, and launches itself from there, deleting the original file.

The Trojan harvests information about the system (operating system, configuration etc.) and passwords for a range of services and applications, including RAS, POP3, IMAP, ICQ, FTP etc.

The information collected is encoded using MIME (Base64) and sent to the Trojan's author by email, using an SMTP server with an IP address which is coded in the Trojan's body.

Summary

• Implements network activity

• Performs potentially dangerous activity

Technical details

File size of 8624 bytes.

Installation

Makes copies of itself with the following names once launched:

• Windows directory (usually, C:\Windows)%Windir%\<­file of source program ­>

Ensures Using the system registry, system services or special system files, the program can launch itself or launch the creation of its files every time the Windows OS is subsequently booted autorun of the following installed files:

by adding values to autorun keys in the system registry:

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Windows\CurrentVersion\Run ] "putil" = " Windows directory (usually, C:\Windows)%Windir%\<­file of source program ­>"

Malicious activity

Connects to to the following Internet addresses:

• ***.67.23.10:6400

Checks for Dial-Up connections on the infected computer

Other activities

Runs the following files (commands):

• Windows directory (usually, C:\Windows)%Windir%\<­file of source program ­>