PWS-LDPinch.cfg
- Type: Trojan
- SubType: Configurator
- Discovery Date: 07/24/2007
- Length:
- Minimum DAT: 5082 (07/25/2007)
- Updated DAT: 5162 (11/13/2007)
- Minimum Engine: 5.1.00
- Description Added: 07/24/2007
- Description Modified: 12/11/2007 12:43 PM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Characteristics
-- Update December 11, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://blog.washingtonpost.com/securityfix/2007/11/new_malware_defeats_sitekey_te.html?nav=rss_blog
---
Server Editor Component:
The server editor component is used by the attacker to create the server component, which is then sent to the victim.
See screenshots below:
[Screenshots of the server editor component: not reproduced in this text]
From the screenshots above, it is evident that the trojan editor component, apart from creating the trojan, is also used to modify the following settings:
- Enable stealing instant messenger passwords (MSN, AIM, Trillian, ICQ)
- Choose from a range of other passwords to steal (Mozilla, FAR, Outlook etc.)
- Encrypt/pack the trojan executable with the FSG, MEW or UPX packer to evade detection by antivirus software and prevent debugging of the server
- Choose from a range of notification methods about stolen passwords (HTTP, FTP)
- Configure the SMTP and HTTP settings in case these are used to obtain the passwords
- Enable a backdoor on the infected machine, so the attacker can himself steal the passwords at a later point in time
- Kill security-related processes running on the machine
- Change the icon of the server created, to make it look legitimate
- Choose from a range of startup methods (Registry Run, run as service etc.)
- Add sites to Internet Explorer “Favourites” and “Trusted Sites”
While the above mentioned features were already noticed in earlier versions of this trojan editor, the following features seem to have been added recently:
- Worm Component – The attacker can enable this feature, which lets the trojan spread to other machines like a worm
- IRC Bot Component – If enabled and configured, the trojan can connect to a pre-defined bot network from where the attacker can remotely control the infected machine
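The packing option above (FSG, MEW or UPX) is one of the few features in the list that leaves a static fingerprint on the server file itself. The following script is an added defender-side triage example, not McAfee/AVERT code and not part of the original description. It parses the PE section table of a file and reports indicators that commonly accompany packing: the well-known UPX section names, a section that has no raw data but a large virtual size (the in-memory target a packer stub decompresses into), and sections whose raw bytes have near-maximal entropy. Only the UPX section names are matched by name; FSG and MEW section naming varies, so the example assumes the generic size and entropy heuristics cover them. The two PE images it analyses are constructed in memory for the demo and are not real executables.

```python
"""
Packed-PE triage heuristic (added example, not McAfee/AVERT code).

Reports three indicators that commonly accompany UPX/FSG/MEW-style packing:
  * a section carrying one of the well-known UPX section names,
  * a section with no raw data but a large virtual size (unpack target),
  * a section whose raw bytes have near-maximal entropy (compressed/encrypted).
Assumption: only UPX section names are matched by name; FSG and MEW are
covered only by the generic heuristics.  Sample images are constructed.
"""
import math
import struct

# Section names written by UPX.  FSG/MEW names vary and are deliberately not listed.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; compressed or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return (name, virtual_size, raw_size, raw_pointer) for each section header."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0")
        vsize, _vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, vsize, rsize, rptr))
    return sections


def packer_indicators(pe: bytes, entropy_threshold: float = 7.0) -> list:
    """Return human-readable packing indicators for a PE image (empty if none)."""
    findings = []
    for name, vsize, rsize, rptr in parse_sections(pe):
        label = name.decode("ascii", "replace")
        if name in UPX_SECTION_NAMES:
            findings.append(f"section {label}: UPX section name")
        if rsize == 0 and vsize > 0:
            findings.append(f"section {label}: no raw data but {vsize:#x} bytes virtual")
        data = pe[rptr:rptr + rsize]
        if rsize >= 256 and shannon_entropy(data) >= entropy_threshold:
            findings.append(f"section {label}: high entropy ({shannon_entropy(data):.2f} bits/byte)")
    return findings


def build_sample_pe(sections) -> bytes:
    """Construct a minimal PE image: DOS stub, PE signature, COFF header with an
    empty optional header, section table, then raw section data.  Demo only;
    the result is not loadable."""
    header_len = 64 + 4 + 20 + 40 * len(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)      # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table, blobs, ptr = b"", b"", header_len
    for name, vsize, raw in sections:
        rsize = len(raw)
        table += name.ljust(8, b"\0")
        table += struct.pack("<IIII", vsize, 0x1000, rsize, ptr if rsize else 0)
        table += b"\0" * 16                               # remaining header fields
        blobs += raw
        ptr += rsize
    return dos + b"PE\0\0" + coff + table + blobs


def triage_samples():
    """Run the heuristic over a constructed UPX-style image and a plain one."""
    packed = build_sample_pe([
        (b"UPX0", 0x20000, b""),                          # empty unpack target
        (b"UPX1", 0x8000, bytes(range(256)) * 4),         # stand-in for compressed data
        (b".rsrc", 0x1000, b"\0" * 512),
    ])
    plain = build_sample_pe([
        (b".text", 0x1000, b"\x90" * 1000 + b"\xc3" * 24),  # low-entropy stand-in code
        (b".data", 0x200, b"\0" * 512),
    ])
    return packer_indicators(packed), packer_indicators(plain)


if __name__ == "__main__":
    for tag, result in zip(("upx-style", "plain"), triage_samples()):
        print(tag, "->", result or "no packing indicators")
```

For a real file, read it into `pe` and call `packer_indicators(pe)`; the entropy threshold of 7.0 bits per byte is a common triage cut-off, and legitimate installers and resource-heavy binaries will also trip it, so treat the output as a reason to look closer rather than a verdict.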
Once the victim's machine is infected with the malicious file, the trojan begins to log all information chosen by the attacker to a log file. This could include, as mentioned earlier, instant messenger passwords, banking passwords etc.
Log Parser Component:
To prevent the victim or anyone else who may stumble upon this log file [which contains the stolen information] from reading the contents, the attacker encrypts this file. The attacker is then able to remotely connect to the victim's machine and download these log files to his own machine, or have these log files uploaded to his machine automatically by the trojan.
The attacker then uses a log file parser program which is not just capable of decrypting the contents for the author, but also enables an easy visualization of the stolen contents, as evident from the screenshot below:
[Screenshot of the log parser component: not reproduced in this text]
Symptoms
Other than the presence of the above mentioned file, there are no visible symptoms for the existence of this server editor component on the machine.
Method of Infection
N/A
Removal
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
Variants
N/A
Overview
This description is for the server configurator component of the PWS-LDPinch trojan. Malware configurators are used by the attacker to create a malicious file, which is then sent to the victim. The intent behind this is to infect the victim's machine with the malicious file, which in turn gives the attacker complete control over the victim's machine.
The characteristics of this trojan configurator with regard to file names etc. will differ from one version to another. Hence, this is a general description.
Aliases
- Hack.LdPinch.o [Rising]
- KIT/LdPinch.bjx [Avira AntiVir]
- PWS:Win32/Ldpinch [Microsoft]
- Troj/LdPinch-PP [Sophos]
- VirTool.Win32.LdPinch.o [Ikarus]
- VirTool.Win32.LdPinch.o [Kaspersky]
- W32/VirTool.ABM [Frisk]