Win32/PSW.LdPinch [Threat Name]

Win32/PSW.LdPinch.NCB [Threat Variant Name]

Category trojan
Size 50688 B
Detection created Sep 23, 2006
Detection database version 10313
Aliases Trojan-PSW.Win32.LdPinch.rrh (Kaspersky)
  PWS:Win32/Ldpinch.gen (Microsoft)
  PWS-LDPinch (McAfee)
Short description

Win32/PSW.LdPinch.NCB is a trojan that steals passwords and other sensitive information. The trojan can send the information to a remote machine.

Installation

The trojan does not create any copies of itself.


The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%filename%" = "%filename%:*:Enabled:Enabled"

This Registry entry adds a Windows Firewall exception for the trojan's executable, so its outbound traffic is not blocked by the firewall.

Information stealing

Win32/PSW.LdPinch.NCB is a trojan that steals passwords and other sensitive information.


The trojan collects information related to the following applications:

  • The Bat!
  • ICQ
  • &RQ
  • Miranda IM
  • Trillian IM
  • RASDIAL
  • Total Commander
  • Becky! Internet Mail
  • Internet Explorer
  • Microsoft Outlook
  • CuteFTP
  • E-Dialer
  • Far
  • WS_FTP
  • Opera
  • Mozilla Firefox
  • QIP
  • Mozilla Thunderbird
  • Mail.Ru
  • Eudora
  • Punto Switcher
  • Gaim
  • FileZilla
  • FlashFXP
  • Windows Live Messenger
  • VDialer
  • SmartFTP
  • CoffeeCup
  • RapGet
  • Rapidshare Instant Downloader
  • Universal Share Downloader
  • Windows Remote Desktop

The trojan collects the following information:

  • operating system version
  • user name
  • computer name
  • list of disk devices and their type
  • list of running processes
  • current screen resolution
  • installed program components under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] Registry subkeys
  • CPU information
  • memory status
  • list of computer users

The trojan can send the information to a remote machine.


The trojan contains a list of URLs (1 entry).


The HTTP protocol is used.

Other information

The trojan may create the following files:

  • %system%\%variable1%.sys (1856 B)
  • C:\sourcefile.dat

The trojan may install the following system drivers (path, name):

  • %system%\%variable1%.sys, %variable2%

A string with variable content is used instead of %variable1-2%.


The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\MirM]
    • "Dat" = "%variable%"

A string with variable content is used instead of %variable%.


The trojan interferes with the operation of some security applications to avoid detection.