PWS-LDPinch.dr!4f8fa1f

Type
Trojan
SubType
Password
Discovery Date
12/06/2006
Length
839,830 bytes
Minimum DAT
4913 (12/07/2006)
Updated DAT
5609 (05/08/2009)
Minimum Engine
5.1.00
Description Added
12/06/2006
Description Modified
12/06/2006 8:01 PM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Characteristics

This is a password stealing trojan designed to send the local passwords to the trojan author.

The trojan is delivered under the following filename.

  • Windows Vista All Versions Activation 21.11.06.exe (839,830 bytes) (detected as PWS-LDPinch.dr!4f8fa1f since DAT 4913)

Upon execution, the following files are dropped.

  • %WINDIR%\csrss.exe (33760 bytes) detected as PWS-LDPinch!6e51bf02 since DAT 4913
  • C:\Documents and Settings\%USER%\Local Settings\Temp\smss.exe (33760 bytes) detected as PWS-LDPinch!6e51bf02 since DAT 4913
  • C:\Documents and Settings\%USER%\Local Settings\Temp\vista.exe (innocent file)
  • C:\Documents and Settings\%USER%\Local Settings\Temp\tokens.dat
  • C:\Documents and Settings\%USER%\Local Settings\Temp\pkeyconfig.xrm-ms
  • C:\Documents and Settings\%USER%\Local Settings\Temp\windows.vista.rtm.activation.crack-ind.txt

The following registry entry is added.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    "system" = "%WINDIR%\csrss.exe"


The trojan attempts to gather the following information.

  • SMTP Email address
  • POP3 Server, UserName, Password
  • IMAP Server, UserName, Password

It also gathers stored passwords from the following applications.

  • B2
  • CuteFTP
  • Eudora
  • Far
  • FileZilla
  • Firefox
  • Gaim
  • Ghisler
  • ICQ
  • Miranda IM
  • Mozilla
  • Opera
  • Punto Switcher
  • SmartFTP
  • The Bat
  • Thunderbird
  • Trillian

The trojan opens the following port so that the trojan authors can download the collected information.

csrss.exe port:21 (ftp server)

It also opens two random ports for the following services.

  • SOCKS5 proxy server
  • remote shell

The trojan sends the port numbers and the FTP account details to the following remote site.

http://muafk.com/[Removed]

Symptoms

  • Presence of the files and registry entries detailed above
  • Unexpected TCP traffic
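A host-triage check for the two symptoms listed above, written here as an added example (it is not McAfee's code and is not part of the original advisory). It covers the persistence entry and dropped files, and the listening sockets: the csrss.exe that ships with Windows lives in %WINDIR%\System32 and does not listen on TCP, so any csrss.exe listener is suspect, and port 21 or an image outside System32 matches this trojan specifically. The script takes the Explorer\Run values, a file listing and `netstat -ano` output as data supplied by the caller, so the logic runs offline against the constructed sample below. The indicator paths, the registry value and port 21 come from the advisory; the sample netstat lines, the PID-to-image map and the default `C:\WINDOWS` / `Administrator` values are constructed assumptions.

```python
import re
from typing import Iterable

# Indicators taken from the advisory text.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run"
RUN_VALUE_NAME = "system"
RUN_VALUE_DATA = r"%WINDIR%\csrss.exe"
DROPPED_FILES = [
    r"%WINDIR%\csrss.exe",
    r"C:\Documents and Settings\%USER%\Local Settings\Temp\smss.exe",
    r"C:\Documents and Settings\%USER%\Local Settings\Temp\vista.exe",
    r"C:\Documents and Settings\%USER%\Local Settings\Temp\tokens.dat",
    r"C:\Documents and Settings\%USER%\Local Settings\Temp\pkeyconfig.xrm-ms",
    r"C:\Documents and Settings\%USER%\Local Settings\Temp\windows.vista.rtm.activation.crack-ind.txt",
]
BACKDOOR_FTP_PORT = 21


def expand(path: str, windir: str, user: str) -> str:
    """Substitute the %WINDIR% and %USER% placeholders used in the advisory."""
    return path.replace("%WINDIR%", windir).replace("%USER%", user)


def check_persistence(run_values: dict, existing_files: Iterable[str],
                      windir: str = r"C:\WINDOWS", user: str = "Administrator") -> list:
    """Report which of the advisory's Explorer\\Run value and dropped files are present.

    run_values:     name -> data of the values under RUN_KEY, collected by the caller.
    existing_files: file paths that exist on the host, collected by the caller.
    """
    findings = []
    data = run_values.get(RUN_VALUE_NAME, "")
    if data.lower() == expand(RUN_VALUE_DATA, windir, user).lower():
        findings.append(f"persistence: {RUN_KEY} \"{RUN_VALUE_NAME}\" = \"{data}\"")
    present = {p.lower() for p in existing_files}
    for path in DROPPED_FILES:
        full = expand(path, windir, user)
        if full.lower() in present:
            findings.append(f"dropped file present: {full}")
    return findings


# One "netstat -ano" row: Proto, local addr:port, foreign addr:port, state, PID.
NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def check_listeners(netstat_lines: Iterable[str], pid_to_image: dict,
                    windir: str = r"C:\WINDOWS") -> list:
    """Flag every csrss.exe process that owns a listening TCP socket.

    pid_to_image maps PID -> full image path (e.g. from
    'wmic process get ProcessId,ExecutablePath'); the genuine csrss.exe is in
    System32 and never listens, so each hit is reported with the reasons it matched.
    """
    genuine = (windir + r"\System32\csrss.exe").lower()
    findings = []
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        port, pid = int(m.group(1)), int(m.group(2))
        image = pid_to_image.get(pid, "")
        if not image.lower().endswith(r"\csrss.exe"):
            continue
        reasons = [f"csrss.exe (pid {pid}) listening on TCP port {port}"]
        if port == BACKDOOR_FTP_PORT:
            reasons.append("port 21 FTP server as described in the advisory")
        if image.lower() != genuine:
            reasons.append(f"image outside System32: {image}")
        findings.append("; ".join(reasons))
    return findings


# Constructed sample data standing in for output collected on an infected XP-era host.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       940
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1488
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING       1488
  TCP    0.0.0.0:1045           0.0.0.0:0              LISTENING       1488
""".strip().splitlines()
SAMPLE_PIDS = {
    940: r"C:\WINDOWS\system32\svchost.exe",
    600: r"C:\WINDOWS\system32\csrss.exe",   # the genuine one, no listener
    1488: r"C:\WINDOWS\csrss.exe",            # the dropped copy
}
SAMPLE_RUN_VALUES = {"system": r"C:\WINDOWS\csrss.exe"}
SAMPLE_FILES = [
    r"C:\WINDOWS\csrss.exe",
    r"C:\Documents and Settings\Administrator\Local Settings\Temp\smss.exe",
]

if __name__ == "__main__":
    for f in check_persistence(SAMPLE_RUN_VALUES, SAMPLE_FILES):
        print("[persistence]", f)
    for f in check_listeners(SAMPLE_NETSTAT, SAMPLE_PIDS):
        print("[network]    ", f)
```

On a live host the caller would feed `netstat -ano` output, a PID-to-path map and the Run key's values into the two functions; the sample run reports the persistence value, both present dropped files, and three csrss.exe listeners (21, 1027 and 1045), the first of them also matching the advisory's FTP port.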

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include spam emails, IRC, P2P networks, newsgroup postings, etc.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

-- Update December 6, 2006 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2006/12/06/windows_vista_trojan/

--

This is a password stealing trojan designed to send the local passwords to the trojan author.

Aliases

  • Infostealer.Ldpinch (Symantec)
  • Trojan-PSW.Win32.LdPinch.aze (Kaspersky)
  • TSPY_LDPINCH.KI (Trend Micro)
