Trojan-PSW:W32/LdPinch

Classification

Category :

Malware

Type :

Trojan-PSW

Summary

Trojan-PSW:W32/LdPinch is a family of trojans whose main purpose is to steal passwords for a wide array of programs from an infected computer. Some variants also include other functionality, such as backdoor capabilities.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

LdPinch steals passwords for several programs. Exact targets vary from variant to variant. The following is a list of possible targets:

  • &RQ
  • Becky Internet Mail
  • CoffeeCup FTP
  • Cute FTP
  • E-Dialer
  • Eudora
  • Far Manager
  • FileZilla
  • FlashFXP
  • Gaim
  • ICQ
  • Miranda
  • Mozilla
  • Opera
  • Outlook Express
  • QIP
  • RapGet
  • SmartFTP
  • The Bat!
  • Total Commander
  • Trillian
  • Punto Switcher
  • USDownloader
  • Windows Commander

Other information targeted by LdPinch variants includes the contents of Windows Protected Storage, RAS (dial-up) information, and general system information such as the username, host name, IP address and hardware details. Some variants also include a keylogger and are able to take screenshots of the victim's desktop.

The stolen information is usually encrypted and then sent to the attacker, either by uploading it to a remote server or by email using an SMTP engine contained within the trojan. It can also be left as a file on the victim's computer to be retrieved later through the backdoor functionality included in some variants.

The backdoor can be a remote command shell or an FTP server created by the trojan. Another backdoor method used in LdPinch variants is an IRC bot. Bot commands enable the trojan to, for example, download additional files, scan IP ranges for certain open ports, restart or remove itself, show active threads, or open a remote command shell.

Some variants spread by sending themselves as email attachments to addresses harvested from the infected computer. The attacker can specify strings that, if found in a harvested address, cause that address to be skipped.

Other functionality can include a proxy server, the ability to download an additional executable, or the ability of the trojan to update itself by downloading a new version from the Internet. Internet Explorer settings can be modified by adding items to the Favorites list, changing the start or search page, or adding URLs to the list of trusted sites.

An LdPinch trojan often copies itself to another location when it is run on a computer for the first time. Typical destination folders are the Windows folder or its System32 subfolder. The registry is then edited to ensure the trojan is executed at startup. Typically the entry is added under the following key:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\

Another method is to use an additional DLL file, which is loaded via a registry entry and then starts the actual trojan executable. Some variants are registered as services in the registry. Because password theft is a one-time operation, variants without backdoor functionality do not necessarily copy themselves anywhere on the infected computer; they simply delete themselves as soon as the stolen information has been sent to the attacker.

LdPinch trojans can terminate services and programs to protect themselves from detection and removal. Their termination targets are various firewall and anti-virus programs. To bypass the Windows XP firewall, LdPinch can add itself to the firewall's list of authorized applications.

Note that although the possible set of functionality in LdPinch trojans is very large, a typical variant is only a password stealer.
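The persistence and firewall-bypass locations described above (the Run key, services and the DLL loaded through a service registry entry, and the Windows XP firewall's authorized-applications list) can be triaged with a short script. The following PowerShell is an added example written for this page; it is not part of the F-Secure description and not code from any LdPinch sample. It assumes Windows PowerShell 3.0 or later run from an elevated prompt, that the XP SP2 firewall list lives under `HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\<Profile>\AuthorizedApplications\List` (absent on later Windows versions, where the script just skips it), and uses the heuristic that an unsigned executable dropped into the Windows or System32 folder is worth a closer look.

```powershell
# Added triage script; not part of the F-Secure description and not code from
# any LdPinch sample. It enumerates the autostart locations, service entries
# and Windows XP firewall exception list described above and flags executables
# that sit under %SystemRoot% without a valid Microsoft Authenticode signature.
# Assumptions: Windows PowerShell 3.0+, elevated prompt; the
# AuthorizedApplications\List keys are the XP SP2 firewall location.

$winDir  = $env:SystemRoot
$psNoise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$fwKeys = @('StandardProfile', 'DomainProfile') | ForEach-Object {
    "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$_\AuthorizedApplications\List"
}

# Extract the executable path from a command line such as
#   "C:\WINDOWS\system32\foo.exe" /arg    or    %SystemRoot%\foo.exe -x
function Get-ExePath([string]$CommandLine) {
    $s = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($s.StartsWith('"')) {
        $end = $s.IndexOf('"', 1)
        if ($end -gt 1) { return $s.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($s, '(?i)^(.+?\.(exe|dll|scr|com))(\s|$)')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($s -split '\s+')[0]
}

# Suspect: the file exists, lives under %SystemRoot% (the drop location the
# description names) and does not carry a valid Microsoft signature.
function Test-SuspectPath([string]$Path) {
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $false }
    if (-not $Path.StartsWith($winDir, [StringComparison]::OrdinalIgnoreCase)) { return $false }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $msSigned = ($sig.Status -eq 'Valid') -and
                ($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
    return -not $msSigned
}

function New-Finding([string]$Source, [string]$Path) {
    [pscustomobject]@{ Source = $Source; Path = $Path; Suspect = (Test-SuspectPath $Path) }
}

function Get-LdPinchPersistence {
    # 1. Run / RunOnce values: the usual LdPinch autostart entry.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $psNoise) { continue }
            New-Finding "$key\$($p.Name)" (Get-ExePath ([string]$p.Value))
        }
    }
    # 2. Services: the service binary and, for svchost-hosted services, the
    #    ServiceDll value (the "DLL loaded via a registry entry" technique).
    foreach ($svc in Get-CimInstance Win32_Service) {
        $exe = Get-ExePath $svc.PathName
        New-Finding "Service $($svc.Name)" $exe
        if ($exe -match '(?i)\\svchost\.exe$') {
            $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
            $dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
            if ($dll) { New-Finding "Service $($svc.Name) ServiceDll" (Get-ExePath $dll) }
        }
    }
    # 3. XP firewall exceptions: the value name is the executable path and the
    #    data has the form "<path>:*:Enabled:<display name>".
    foreach ($key in $fwKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $psNoise) { continue }
            $state = if ([string]$p.Value -match ':\*:Enabled:') { 'enabled' } else { 'disabled' }
            New-Finding "Firewall exception ($state) $key" (Get-ExePath $p.Name)
        }
    }
}

Get-LdPinchPersistence | Sort-Object Suspect -Descending | Format-Table -AutoSize -Wrap
```

Entries marked `Suspect = True` are only a starting point: a legitimate third-party tool installed into System32 will also show up, and a variant that deletes itself after one exfiltration (as the description notes for backdoor-less samples) leaves nothing for this script to find. Treat a hit as a reason to pull the file and the surrounding registry keys into a proper analysis, not as a verdict.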