We have renamed Damrai.A to LdPinch.ht because the trojan also has password-stealing capabilities.
LdPinch.ht is a password-stealing trojan with backdoor and proxy capabilities that was found on December 15th, 2004. It was spammed widely in Germany in a message carrying the attachment "telekom-rechnung.chm". This compiled HTML help file contains two files: a small HTML file that attempts to execute the other file, "open.exe", using a vulnerability in Internet Explorer, and "open.exe" itself, which contains the actual trojan.
More details about the vulnerability are available from Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS02-015.mspx
Based on the settings of your F-Secure security program, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
When the open.exe file is started it first disables two services, one belonging to an anti-virus product and one to a firewall:
kavsvc
outpostfirewall
Then the trojan starts several threads. One of them monitors running processes and kills any process whose name contains one of the following substrings:
outpost.exe
VSMON.exe
ZAPRO.exe
APVDWIN.exe
PAVSRV51.exe
NOD32KUI.exe
avpcc.exe
defwatch.exe
The trojan adds shortcuts to the following websites to the Windows Explorer and Internet Explorer 'Favorites' menu:
xakepy.ru
carotid.ru
Additionally, the trojan adds itself to the authorized applications list of the Windows Firewall. As a result of this modification, Windows allows the trojan to access the Internet and does not prompt the user that a third-party application is asking for Internet access.
Finally, the trojan copies itself to the Windows folder as 'csrss.exe' (note that the legitimate csrss.exe lives in the System32 folder, not directly in the Windows folder), runs that copy and terminates its own process. The trojan also drops a small DLL file named 'syslg.dll' to the Windows folder. It registers this DLL as a shell service object under a unique CLSID and, as a result, the DLL is loaded by the shell every time Windows starts. The DLL works as a starter for the trojan's main file.
While active, the trojan starts an FTP server on TCP port 2121. The server requires a user name and a password. When the correct user name and password are supplied, the server gives access to all drives on the infected computer.
The trojan also starts a proxy server on TCP port 2355. This proxy can be used by spammers, and the internal name of the trojan, 'Spam Pinch 2 DE', suggests that it was primarily created for that purpose.
One more important feature of the trojan is a backdoor on TCP port 2050. A remote user who connects to this port gets a command shell on the infected computer.
The trojan notifies its author of each infected computer by requesting a specially constructed URL on the webnomey.net website; the URL contains the computer's IP address and the proxy, FTP and backdoor shell ports.
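The following host triage script is an added example; it is not part of the original F-Secure description and not F-Secure tooling. It checks a Windows machine for the artifacts described above: the dropped csrss.exe and syslg.dll in the Windows folder, a shell service object whose in-process server is syslg.dll, a Windows Firewall exception for a csrss.exe outside System32, a running csrss.exe outside System32, the Favorites shortcuts, and the three listening TCP ports. The ShellServiceObjectDelayLoad and AuthorizedApplications registry paths are standard Windows locations assumed here, not values taken from the description; because the page does not give the CLSID, the script resolves every registered shell service object rather than looking for a specific one.

```powershell
# Added triage example (not F-Secure code): look for LdPinch.ht artifacts on a Windows host.
# Run from an elevated PowerShell prompt. Registry locations below are standard Windows
# persistence/firewall keys assumed for this example; the indicator values come from the description.

$findings = @()
$winDir = $env:WINDIR

# 1. Dropped files in %WINDIR%. The legitimate csrss.exe lives in %WINDIR%\System32.
foreach ($name in 'csrss.exe', 'syslg.dll') {
    $path = Join-Path $winDir $name
    if (Test-Path -LiteralPath $path) {
        $findings += "Dropped file present: $path"
    }
}

# 2. Persistence: a shell service object (loaded by the shell at logon) whose CLSID
#    resolves to an InprocServer32 entry pointing at syslg.dll.
$ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
if (Test-Path $ssodl) {
    foreach ($p in (Get-ItemProperty -Path $ssodl).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell's own note properties
        $clsid = $p.Value
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        if (Test-Path $server) {
            $dll = (Get-ItemProperty -Path $server).'(default)'
            if ($dll -match 'syslg\.dll') {
                $findings += "Shell service object '$($p.Name)' ($clsid) loads $dll"
            }
        }
    }
}

# 3. Firewall bypass: an authorized-applications entry for a csrss.exe that is not the System32 one.
$fwList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path $fwList) {
    foreach ($p in (Get-ItemProperty -Path $fwList).PSObject.Properties) {
        if ($p.Name -like '*csrss.exe' -and $p.Name -notlike '*\System32\*') {
            $findings += "Firewall exception for non-system csrss.exe: $($p.Name)"
        }
    }
}

# 4. Running copy: csrss.exe executing from anywhere but System32 (WMI exposes the path for system processes).
foreach ($proc in Get-CimInstance -ClassName Win32_Process -Filter "Name = 'csrss.exe'") {
    $exe = $proc.ExecutablePath
    if ($exe -and $exe -notlike "$winDir\System32\*") {
        $findings += "csrss.exe running from unexpected path: $exe (PID $($proc.ProcessId))"
    }
}

# 5. Favorites shortcuts to the two sites named in the description (current user's Favorites only).
$fav = [Environment]::GetFolderPath('Favorites')
$urlFiles = Get-ChildItem -Path $fav -Filter *.url -Recurse -ErrorAction SilentlyContinue
foreach ($f in $urlFiles) {
    if (Select-String -Path $f.FullName -Pattern 'xakepy\.ru|carotid\.ru' -Quiet) {
        $findings += "Favorites shortcut to trojan site: $($f.FullName)"
    }
}

# 6. Listening ports used by the FTP server, proxy and backdoor shell.
$ports = @{ 2121 = 'ftp server'; 2355 = 'proxy'; 2050 = 'backdoor shell' }
$listeners = netstat -ano -p tcp | Where-Object { $_ -match 'LISTENING' }
foreach ($line in $listeners) {
    $fields = $line.Trim() -split '\s+'                 # TCP  local  foreign  state  pid
    $localPort = [int](($fields[1] -split ':')[-1])
    if ($ports.ContainsKey($localPort)) {
        $findings += "TCP $localPort listening ($($ports[$localPort])), owning PID $($fields[4])"
    }
}

if ($findings.Count -eq 0) {
    'No LdPinch.ht indicators found.'
} else {
    $findings
}
```

A listener on one of the three ports or a csrss.exe outside System32 is a strong signal on its own; the Favorites and firewall checks are weaker on their own because a user or another program could have created similar entries, so treat them as corroboration. Since the trojan kills processes whose names match the security products listed above, run the script from a renamed or non-standard console if you suspect the machine is actively infected.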
The trojan reads the settings of various applications and steals web, FTP and e-mail server addresses, logins and passwords. The following applications are affected:
ICQ
Miranda ICQ
&RQ
The Bat!
Becky
CuteFTP
Edialer
Far Manager
Mozilla
Opera
Internet Explorer
Outlook
Outlook Express
Trillian
WS_FTP
Total Commander
The trojan also steals RAS (dial-up) phone numbers, logins and passwords, and collects system information about the infected computer.