Trojan.PSW.LdPinch.ht

Classification

Category :

Malware

Type :

Trojan

Aliases :

Trojan.PSW.LdPinch.ht, Trojan-PSW.Win32.LdPinch.ht, Backdoor.Damrai.A, Damrai.A, Trojan-PSW.Win32.PdPinch.e

Summary

We have renamed Damrai.A to LdPinch.ht as the trojan also has password stealing capabilities.

LdPinch.ht is a password stealing trojan with backdoor and proxy capabilities that was found on December 15th, 2004. It was spammed widely in Germany in a message carrying the attachment "telekom-rechnung.chm". This attachment contains two files: a small HTML file that attempts to execute the other file, "open.exe", using a vulnerability in Internet Explorer. The "open.exe" file contains the actual trojan.

More details about the vulnerability are available from Microsoft:

http://www.microsoft.com/technet/security/bulletin/MS02-015.mspx
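A mail gateway can stop this lure before the HTML inside the CHM ever reaches Internet Explorer. The check below is an added example written for this description; it is not code from the original page or from F-Secure. It recognises compiled HTML Help attachments by the "ITSF" container signature that every .chm file starts with, so a renamed attachment is still caught, and it falls back to the declared file name. The message it scans is constructed inline (the addresses, subject and attachment bytes are invented; the attachment is a fake header, not the real file).

```python
import email
from email import policy
from email.message import EmailMessage

# Every compiled HTML Help (.chm) file starts with the ITSS container
# signature "ITSF", so the format can be recognised without trusting the name.
CHM_MAGIC = b"ITSF"


def is_chm(data: bytes) -> bool:
    """True if the bytes carry the CHM/ITSS signature at offset 0."""
    return data[:4] == CHM_MAGIC


def find_chm_attachments(raw_message: bytes):
    """Return (filename, reason) for each attachment that is a CHM file.

    The signature is checked first so a renamed .chm is still caught; a .chm
    name on non-CHM bytes is reported too, with reason "extension only".
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        by_magic = is_chm(payload)
        by_name = name.lower().endswith(".chm")
        if by_magic or by_name:
            findings.append((name, "signature" if by_magic else "extension only"))
    return findings


# Constructed sample bytes: a fake ITSS header, not the real attachment.
SAMPLE_CHM = CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 56


def build_sample_message() -> bytes:
    """Constructed message shaped like the lure: a 'Telekom invoice' with
    telekom-rechnung.chm attached, plus a renamed copy, a .chm name on
    non-CHM bytes, and a harmless text file."""
    m = EmailMessage()
    m["From"] = "rechnung@example.invalid"
    m["To"] = "kunde@example.invalid"
    m["Subject"] = "Ihre Telekom Rechnung"
    m.set_content("Ihre Rechnung finden Sie im Anhang.")
    m.add_attachment(SAMPLE_CHM, maintype="application",
                     subtype="octet-stream", filename="telekom-rechnung.chm")
    m.add_attachment(SAMPLE_CHM, maintype="application",
                     subtype="octet-stream", filename="rechnung.pdf")
    m.add_attachment(b"not a help file", maintype="application",
                     subtype="octet-stream", filename="readme.chm")
    m.add_attachment("Nur Text.", filename="notes.txt")
    return m.as_bytes()


if __name__ == "__main__":
    for name, reason in find_chm_attachments(build_sample_message()):
        print(f"CHM attachment: {name} ({reason})")
```

Run against the constructed message, the two CHM-by-signature attachments and the mislabelled readme.chm are reported and notes.txt is not; in production the same function would be applied to each message in the gateway's scanning hook.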

Removal

Based on the settings of your F-Secure security program, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Installation to system

When open.exe is started, it first disables two services, one belonging to an anti-virus product and one to a firewall:

kavsvc
outpostfirewall

Then the trojan starts several threads. One of the threads monitors running processes and kills any whose name contains one of the following substrings:

outpost.exe
VSMON.exe
ZAPRO.exe
APVDWIN.exe
PAVSRV51.exe
NOD32KUI.exe
avpcc.exe
defwatch.exe

The trojan adds shortcuts to the following websites to the Windows Explorer and Internet Explorer 'Favourites' menu:

xakepy.ru
carotid.ru

Additionally, the trojan adds itself to the authorised applications list of the Windows Firewall. As a result of this modification, Windows allows the trojan to access the Internet and does not inform the user that a third-party application is asking for Internet access.

Finally the trojan copies itself to the Windows folder as 'csrss.exe' (the name mimics the legitimate Client/Server Runtime Subsystem process, whose genuine executable resides in the System32 folder), runs that copy and terminates its own process. The trojan also drops a small DLL file named 'syslg.dll' into the Windows folder. It registers this DLL as a shell service object with a unique class ID (CLSID); as a result, the DLL is loaded every time Windows starts. The DLL works as a loader for the main trojan file.
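The installation steps above leave a consistent set of host-side traces: a csrss.exe outside System32, syslg.dll in the Windows folder, the two stopped security services, a Windows Firewall exception for the rogue csrss.exe and the planted Favourites shortcuts. The triage script below is an added example, not code from the original page or from F-Secure. It also mirrors the killer thread's substring test so you can check in advance whether a security tool's process name would be hit (note that a renamed copy still matches). The host snapshot it scores is constructed inline rather than read from a live system; the firewall entries assume the XP SP2 AuthorizedApplications\List value layout 'path:scope:Enabled|Disabled:display name'.

```python
import ntpath

# Indicators taken from the write-up above.
DISABLED_SERVICES = {"kavsvc", "outpostfirewall"}
KILL_SUBSTRINGS = ["outpost.exe", "VSMON.exe", "ZAPRO.exe", "APVDWIN.exe",
                   "PAVSRV51.exe", "NOD32KUI.exe", "avpcc.exe", "defwatch.exe"]
FAVORITE_HOSTS = {"xakepy.ru", "carotid.ru"}


def killer_matches(process_name):
    """Mirror the killer thread's test: a case-insensitive substring match.
    Returns the matched substring or None. Because it is a substring test,
    a renamed 'my_outpost.exe' is still killed."""
    low = process_name.lower()
    for s in KILL_SUBSTRINGS:
        if s.lower() in low:
            return s
    return None


def is_rogue_csrss(path, system_root=r"C:\WINDOWS"):
    """The genuine csrss.exe lives in %SystemRoot%\\System32; the trojan's copy
    sits directly in %SystemRoot%. Flag any csrss.exe outside System32."""
    directory, base = ntpath.split(path)
    if base.lower() != "csrss.exe":
        return False
    legit = ntpath.join(system_root, "System32")
    return ntpath.normcase(directory) != ntpath.normcase(legit)


def triage(snapshot, system_root=r"C:\WINDOWS"):
    """Score a host snapshot against the installation indicators.

    snapshot keys (constructed offline here, not read from a live host):
      files          full paths of files found under %SystemRoot%
      services       {service name: state}
      firewall_apps  value data from the XP SP2 Windows Firewall
                     AuthorizedApplications\\List key (assumed layout
                     'path:scope:Enabled|Disabled:display name')
      favorites      URLs of the Favourites shortcuts
    """
    findings = []
    for p in snapshot.get("files", []):
        if is_rogue_csrss(p, system_root):
            findings.append(f"csrss.exe outside System32: {p}")
        elif (ntpath.basename(p).lower() == "syslg.dll"
              and ntpath.normcase(ntpath.dirname(p)) == ntpath.normcase(system_root)):
            findings.append(f"loader DLL dropped in Windows folder: {p}")
    for name, state in snapshot.get("services", {}).items():
        if name.lower() in DISABLED_SERVICES and state.lower() != "running":
            findings.append(f"security service not running: {name} ({state})")
    for entry in snapshot.get("firewall_apps", []):
        parts = entry.rsplit(":", 3)  # rsplit keeps the 'C:' of the path intact
        if (len(parts) == 4 and parts[2].lower() == "enabled"
                and is_rogue_csrss(parts[0], system_root)):
            findings.append(f"firewall exception for rogue csrss.exe: {entry}")
    for url in snapshot.get("favorites", []):
        host = url.split("//", 1)[-1].split("/", 1)[0].lower()
        if host in FAVORITE_HOSTS:
            findings.append(f"planted Favourites shortcut: {url}")
    return findings


# Constructed snapshot of an infected XP host (paths and states are invented).
SAMPLE_SNAPSHOT = {
    "files": [r"C:\WINDOWS\System32\csrss.exe", r"C:\WINDOWS\csrss.exe",
              r"C:\WINDOWS\syslg.dll", r"C:\WINDOWS\notepad.exe"],
    "services": {"kavsvc": "Stopped", "outpostfirewall": "Stopped",
                 "Spooler": "Running"},
    "firewall_apps": [r"C:\WINDOWS\csrss.exe:*:Enabled:csrss",
                      r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"],
    "favorites": ["http://xakepy.ru/", "http://www.example.com/"],
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_SNAPSHOT):
        print(finding)
```

On the constructed snapshot the script reports six findings; the genuine System32\csrss.exe and the Windows Messenger firewall entry are left alone.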

Ftp, Proxy and Backdoor

While active, the trojan runs an FTP server on TCP port 2121. The server requires a user name and password; when the correct credentials are supplied, it gives access to all drives on the infected computer.

The trojan also starts a proxy server on TCP port 2355. This proxy can be used by spammers, and the trojan's internal name, 'Spam Pinch 2 DE', suggests that it was primarily created for that purpose.

One more important feature of the trojan is a backdoor on TCP port 2050. A remote user who connects to this port gets a command shell on the infected computer.

The trojan notifies its author of each infected computer by requesting a specially constructed URL on the webnomey.net website; the URL contains the computer's IP address and the proxy, FTP and backdoor shell port numbers.
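The three listening ports and the notification request are the network-side indicators of this trojan. The checks below are an added example, not code from the original page or from F-Secure: one parses 'netstat -ano' style output for the FTP, proxy and backdoor ports in LISTENING state, the other scans proxy log lines for requests to the notification host. The page does not document the exact layout of the notification URL, so the scanner does not assume parameter names; it reports any of the known port numbers that appear in the query string. The netstat output and the proxy log (its format is an assumption: timestamp, client IP, method, URL, status) are constructed inline.

```python
import re
from urllib.parse import urlsplit

# Ports from the write-up and the host the trojan reports them to.
TROJAN_PORTS = {2121: "ftp", 2355: "proxy", 2050: "backdoor shell"}
NOTIFY_HOST = "webnomey.net"

NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.IGNORECASE)


def listening_trojan_ports(netstat_output):
    """Parse 'netstat -ano' style lines and return [(port, role, pid)] for
    the trojan's ports found in LISTENING state."""
    hits = []
    for line in netstat_output.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        port = int(m.group(2))
        if port in TROJAN_PORTS:
            hits.append((port, TROJAN_PORTS[port], int(m.group(3))))
    return hits


def beacon_requests(proxy_log_lines):
    """Flag requests to the notification host and list which of the known
    port numbers appear as whole numbers in the query string."""
    flagged = []
    for line in proxy_log_lines:
        fields = line.split()  # assumed format: ts client_ip method url status
        if len(fields) < 5:
            continue
        client_ip, url = fields[1], fields[3]
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host != NOTIFY_HOST and not host.endswith("." + NOTIFY_HOST):
            continue
        numbers = {int(n) for n in re.findall(r"\d+", parts.query)}
        flagged.append((client_ip, url, sorted(numbers & set(TROJAN_PORTS))))
    return flagged


# Constructed netstat output from an infected host; PID 1544 is invented.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:2050           0.0.0.0:0              LISTENING       1544
  TCP    0.0.0.0:2121           0.0.0.0:0              LISTENING       1544
  TCP    0.0.0.0:2355           0.0.0.0:0              LISTENING       1544
  TCP    192.168.1.20:1048      203.0.113.5:80         ESTABLISHED     1544
"""

# Constructed proxy log; the path and parameter names of the first URL are
# made up for illustration and are not the trojan's real format.
SAMPLE_PROXY_LOG = [
    "2004-12-15T10:02:11 192.168.1.20 GET "
    "http://webnomey.net/notify?ip=192.168.1.20&p=2355&f=2121&b=2050 200",
    "2004-12-15T10:02:12 192.168.1.20 GET http://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for port, role, pid in listening_trojan_ports(SAMPLE_NETSTAT):
        print(f"port {port} ({role}) listening, pid {pid}")
    for client, url, ports in beacon_requests(SAMPLE_PROXY_LOG):
        print(f"beacon from {client}: {url} ports={ports}")
```

Seeing all three ports open on one process, or a single client requesting the notification host with those numbers in the query, is a strong enough signal to isolate the host and pull the csrss.exe and syslg.dll copies from the Windows folder for analysis.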

Stealing Data

The trojan reads the settings of various applications and steals web, FTP and e-mail server addresses, logins and passwords. The following applications are affected:

ICQ
Miranda ICQ
&RQ
The Bat!
Becky
CuteFTP
Edialer
Far Manager
Mozilla
Opera
Internet Explorer
Outlook
Outlook Express
Trillian
WS_FTP
Total Commander

The trojan also steals RAS (dialup) phone numbers, logins and passwords and collects system information about the infected computer.