Threat Description


Aliases:, Backdoor.Damrai.A, Damrai.A, Trojan-PSW.Win32.PdPinch.e
Category: Malware
Type: Worm
Platform: W32


We have renamed Damrai.A to as the trojan also has password stealing capabilities. is a password stealing trojan with backdoor and proxy capabilities that was found on December 15th, 2004. It was spammed widely in Germany in a message that contained an attachment, "telekom-rechnung.chm". This attachment contains two files: a small HTML file that attempts to execute the other file, "open.exe", using a vulnerability in Internet Explorer. The "open.exe" file contans the actual trojan.

More details about the vulnerability is available from Microsoft:


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.


Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.

Technical Details

Installation to system

When the open.exe file is started it first disables 2 services belonging to an anti-virus and a firewall:


Then the trojan starts several threads. One of the threads monitors and kills processes if their names contain any of the following substrings:


To the Windows Explorer and Internet Explorer 'Favourites' menu the trojan adds shortcuts to the following websites:

Additionally the trojan adds itself to the authorised applications list for Windows firewall. As a result of this modifiction, Windows allows the trojan to access Internet and does not inform a user that a third-party application asks for Internet Access.

Finally the trojan copies itself to Windows folder as 'csrss.exe' file, runs that file and terminates its own process. The trojan also drops a small DLL file with the name 'syslg.dll' to Windows folder. It registers this DLL as a shell service object with a unique CLASSID and as a result, this DLL is loaded every time Windows starts. The DLL works as a starter for the main trojan's file.

Ftp, Proxy and Backdoor

Being active, the trojan starts an ftp server on TCP port 2121. The server requires a user and a password. When correct user and password is supplied the server gives access to all drives on an infected computer.

The trojan also starts a proxy server on TCP port 2355. This proxy can be used by spammers and the internal name of the trojan 'Spam Pinch 2 DE' suggests that it was primarily created for that purpose.

One more important feature of the trojan is to start a backdoor on TCP port 2050. When connected to this port, a remote user gets a command shell to an infected computer.

The trojan notifies its author from infected computers by accessing a website with a specially constructed URL, that contains a computer's IP address, proxy port, ftp port and backdoor shell port.

Stealing Data

The trojan reads settings of different applications and steals web, ftp and e-mail server addresses, logins and passwords. The following applications are affected:

 Miranda ICQ
 The Bat!
 Far Manager
 Internet Explorer
 Outlook Express
 Total Commander

The trojan also steals RAS (dialup) phone numbers, logins and passwords and collects system information about an infectected computer.


Detection for (Damrai.A) was published on December 15th, 2004 in the following F-Secure Anti-Virus updates:

Detection Type:PC

Description Created: Sami Rautiainen, December 15th, 2004

Technical Details:Alexey Podrezov, December 15th, 2004


Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Scan & clean your PC

F-Secure Online Scanner will scan and clean your PC in just a few minutes for free

Learn More