PWS-LDPinch
- Type: Trojan
- SubType: Password
- Discovery Date: 08/09/2003
- Length: various
- Minimum DAT: 4288 (08/20/2003)
- Updated DAT: 5439 (11/19/2008)
- Minimum Engine: 5.1.00
- Description Added: 08/09/2003
- Description Modified: 05/13/2008 11:28 AM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Characteristics
-- Update May 13, 2008 --
Upon execution, some new variants of this trojan attempt to connect with the following server(s) to post stolen data:
- ya.ru
- www.a.totar.cn
- www.a.bigfoxteam.cn
-- Update September 4, 2007 --
Some new variants of this trojan use a web form to send the email containing the stolen information to the author at a @yahoo.com email address.
-- Update July 25, 2007 --
Recently, a PWS-LDPinch toolkit was found circulating commercially on the Internet, allowing an attacker to create custom copies of this trojan. More information on this trojan toolkit can be found at PWS-LDPinch.cfg.
-- Update April 16, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://tech.monstersandcritics.com/news/article_1291852.php/TeamSpeak_server_hijacked_to_send_Malware
A new variant was spreading by email using the following subject and body:
Subject: New Team Speak Patch [Link Inside]
Now you can download new Team Speak patch. It will help you to use our Team Speak servers.
We advise you to download it now h__p://www.goteamspeak.com/downloads/patch.exe
______________________________________________________________________________________
Please note that the site is no longer serving this threat.
This is a password stealing trojan designed to email the encoded local passwords to the trojan author. There are several variants of this trojan, so this description is meant as a general guide. Newer variants may require a later DAT set for detection and removal.
When the dropper is executed it drops the password stealer in the Windows directory and some variants create a text file in the Windows Temp directory as 1.txt.
It then adds the following registry entry:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "putil"="c:\WINDOWS\1.EXE"
(the specific filename may vary)
Gift Message: Gift Certificate Codes (Order No. signalcom-123):
-------------------------------------------------
To use your gift certificates at Signal Computer Consultants Railroad Software & AEI Products, visit http://www.softrail.com, and add items you want to buy to your shopping cart. At checkout time, simply enter your gift certificate codes in the appropriate box. Make sure that you enter the complete code, starting with the "@" sign. If you've received more than one gift certificate for Signal Computer Consultants Railroad Software & AEI Products, you can enter all the codes separated by commas. If the amount of the gift certificate covers the cost of your order, you don't need to enter your credit card information. However, if the gift certificate amount doesn't cover your entire order, you will be required to pay the remaining balance by credit card. For more information about using electronic gift certificates at Signal Computer Consultants Railroad Software & AEI Products, please visit the help page at: http://help.yahoo.com/help/us/store/store-21.html. Happy shopping!
After that, the password stealer contacts an SMTP server hard-coded within the file and mails the encoded passwords found on the system to an email address in Russia. For example:
From: jery2005@list.ru
To: jery2005@list.ru
Subject: Password from [sysinfo]
[encoded password]
Symptoms
-- Update September 4, 2007 --
Some new variants of this trojan will connect to lightsell.com and use a web form to send the email to the author.
New variants try to send the information through the smtp.mail.ru mail server.
The following files are added:
c:\documents and settings\%USER%\local settings\temp\pinch3.exe
c:\documents and settings\%USER%\local settings\temp\all-out-.jpg
Also, as noticed on previous variants:
- Presence of the files and registry entries detailed above.
- Unexpected SMTP traffic
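As an added defender-side example (not McAfee's code and not part of this description), the following Python checks a Run-key export and a captured outbound message against the indicators quoted above: the "putil" Run value, the dropped file names, the "Password from" subject and the mail servers named in the updates. The registry export text and the message are constructed sample inputs, and the SMTP server argument is assumed to come from a firewall or proxy log.

```python
import email
import re

# Indicators quoted in the description: Run value name, dropped file names,
# the outbound subject pattern, and the mail servers named in the updates.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "putil"
DROPPED_FILES = {"1.exe", "1.txt", "pinch3.exe", "all-out-.jpg"}
EXFIL_SUBJECT = re.compile(r"^Password from\b", re.IGNORECASE)
EXFIL_HOSTS = {"smtp.mail.ru", "lightsell.com"}

# Constructed .reg-style export of the Run key (sample input, not a real host).
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\OneDrive.exe /background"
"putil"="c:\\WINDOWS\\1.EXE"
'''

# Constructed copy of an outbound message, shaped like the page's example.
SAMPLE_MAIL = """From: jery2005@list.ru
To: jery2005@list.ru
Subject: Password from WS12
"""


def run_key_hits(reg_text):
    """(name, command) pairs under the Run key: 'putil' or a dropped file name."""
    hits, in_run = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if not (in_run and m):
            continue
        name, cmd = m.group(1), m.group(2).replace("\\\\", "\\")
        exe = (cmd.split() or [""])[0].rsplit("\\", 1)[-1].lower()
        if name.lower() == RUN_VALUE_NAME or exe in DROPPED_FILES:
            hits.append((name, cmd))
    return hits


def mail_hits(raw_message, smtp_host):
    """Reasons an outbound message plus its SMTP destination look like LDPinch."""
    msg = email.message_from_string(raw_message)
    reasons = []
    if EXFIL_SUBJECT.search(msg.get("Subject", "")):
        reasons.append("subject 'Password from ...'")
    if smtp_host.lower() in EXFIL_HOSTS:
        reasons.append("sent via " + smtp_host)
    return reasons
```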
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include spam emails, IRC, P2P networks, newsgroup postings, etc.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Aliases
- PWS-Dimon
- PWS-Pulit
- PWS-Putil
- PWS-Train
- Troj/PWS-AE (Sophos)
- TROJ_TRAIN (Trend)
- Trojan.PSW.LdPinch (AVP)
- Uploader-I