We have renamed Damrai.A to LdPinch.ht because the trojan also has password-stealing capabilities.
LdPinch.ht is a password-stealing trojan with backdoor and proxy capabilities that was found on December 15, 2004. It was spammed widely in Germany in a message carrying the attachment "telekom-rechnung.chm". This attachment contains two files: a small HTML file that attempts to execute the other file, "open.exe", using a vulnerability in Internet Explorer. The "open.exe" file contains the actual trojan.
More details about the vulnerability are available from Microsoft:
Based on the settings of your F-Secure security program, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
When the open.exe file is started, it first disables two services belonging to an anti-virus product and a firewall:
The trojan then starts several threads. One of the threads monitors running processes and kills any whose name contains one of the following substrings:
outpost.exe
VSMON.exe
ZAPRO.exe
APVDWIN.exe
PAVSRV51.exe
NOD32KUI.exe
avpcc.exe
defwatch.exe
The trojan adds shortcuts to the following websites to the Windows Explorer and Internet Explorer 'Favourites' menu:
Additionally, the trojan adds itself to the Windows Firewall authorized applications list. As a result of this modification, Windows allows the trojan to access the Internet and does not inform the user that a third-party application is asking for Internet access.
Finally, the trojan copies itself to the Windows folder as 'csrss.exe', runs that copy and terminates its own process. Note that the legitimate csrss.exe lives in the System32 folder; a csrss.exe directly in the Windows folder is the trojan. The trojan also drops a small DLL named 'syslg.dll' into the Windows folder. It registers this DLL as a shell service object with a unique CLSID, so the DLL is loaded every time Windows starts. The DLL works as a loader for the trojan's main file.
While active, the trojan runs an FTP server on TCP port 2121. The server requires a username and password; when the correct credentials are supplied, it gives access to all drives on the infected computer.
The trojan also runs a proxy server on TCP port 2355. This proxy can be used by spammers, and the trojan's internal name, 'Spam Pinch 2 DE', suggests that it was primarily created for that purpose.
One more important feature of the trojan is a backdoor on TCP port 2050. A remote user who connects to this port gets a command shell on the infected computer.
The trojan notifies its author about infected computers by requesting a specially constructed URL on the webnomey.net website; the URL contains the computer's IP address and the proxy, FTP and backdoor shell port numbers.
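The artifacts described above (the three listening ports, the firewall exception, the csrss.exe copy in the Windows folder and the shell service object that loads syslg.dll) can be checked offline from text exported off a suspect host. The following triage script is an added example, not part of this description and not F-Secure's tooling. It parses `netstat -ano` output and `reg export` files; the sample inputs are constructed for the example, not captured from a real infection. Two assumptions not stated on the page: that the shell service object is registered under the ShellServiceObjectDelayLoad key (the key Explorer reads for such objects) and that the firewall exception sits in the Windows XP SP2 AuthorizedApplications\List key; the CLSID used in the sample is a placeholder.

```python
"""Offline triage for the LdPinch.ht host indicators (added example)."""

# Ports the trojan listens on, from the description above.
TROJAN_PORTS = {2121: "ftp", 2355: "proxy", 2050: "backdoor shell"}

# Assumed registry locations (the description does not name the keys).
SSO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
FW_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
          r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")


def suspicious_listeners(netstat_text):
    """Return {port: (role, pid)} for TCP LISTENING sockets on the trojan's ports."""
    found = {}
    for line in netstat_text.splitlines():
        parts = line.split()
        # netstat -ano rows: Proto  LocalAddress  ForeignAddress  State  PID
        if len(parts) != 5 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        port = int(parts[1].rsplit(":", 1)[1])
        if port in TROJAN_PORTS:
            found[port] = (TROJAN_PORTS[port], int(parts[4]))
    return found


def parse_reg_export(text):
    """Minimal parser for 'reg export' output: {key: {value_name: data}}."""
    unescape = lambda s: s.strip('"').replace("\\\\", "\\")
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line:
            name, data = line.split("=", 1)
            name = "(Default)" if name == "@" else unescape(name)
            keys[current][name] = unescape(data)
    return keys


def shell_service_objects(reg):
    """Map each ShellServiceObjectDelayLoad entry to (CLSID, DLL its CLSID loads)."""
    result = {}
    for name, clsid in reg.get(SSO_KEY, {}).items():
        inproc = reg.get(rf"HKEY_CLASSES_ROOT\CLSID\{clsid}\InprocServer32", {})
        result[name] = (clsid, inproc.get("(Default)"))
    return result


def firewall_exceptions(reg):
    """Executables whitelisted in the XP firewall exception list (value names are paths)."""
    return list(reg.get(FW_KEY, {}))


def is_fake_csrss(path):
    """The real csrss.exe lives in System32; a copy directly in the Windows folder is the trojan."""
    p = path.lower().replace("/", "\\")
    return p.endswith("\\csrss.exe") and "\\system32\\" not in p


def triage(netstat_text, reg_text):
    """Collect human-readable findings from both exports."""
    reg = parse_reg_export(reg_text)
    findings = []
    for port, (role, pid) in sorted(suspicious_listeners(netstat_text).items()):
        findings.append(f"listener on tcp/{port} ({role}) pid {pid}")
    for name, (clsid, dll) in shell_service_objects(reg).items():
        if dll and dll.lower().endswith("syslg.dll"):
            findings.append(f"shell service object {name} {clsid} loads {dll}")
    for exe in firewall_exceptions(reg):
        if is_fake_csrss(exe):
            findings.append(f"firewall exception for {exe}")
    return findings


# Constructed sample data for this example (not a real capture).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       916
  TCP    0.0.0.0:2050           0.0.0.0:0              LISTENING       1528
  TCP    0.0.0.0:2121           0.0.0.0:0              LISTENING       1528
  TCP    0.0.0.0:2355           0.0.0.0:0              LISTENING       1528
  TCP    192.168.1.5:1041       10.0.0.9:80            ESTABLISHED     1528
"""

SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    f"[{SSO_KEY}]",
    r'"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"',  # legitimate XP entry
    r'"syslg"="{00000000-0000-0000-0000-000000000001}"',     # placeholder CLSID (assumption)
    "",
    r"[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]",
    r'@="C:\\WINDOWS\\syslg.dll"',
    "",
    f"[{FW_KEY}]",
    r'"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"',
    r'"C:\\WINDOWS\\csrss.exe"="C:\\WINDOWS\\csrss.exe:*:Enabled:csrss"',
])

if __name__ == "__main__":
    for finding in triage(SAMPLE_NETSTAT, SAMPLE_REG):
        print(finding)
```

On the sample data the script reports the three listeners (all owned by the same PID, which is itself a useful pivot), the syslg.dll shell service object and the firewall exception for the fake csrss.exe. Listening ports alone are a weak indicator, since any program can pick 2121 or 2355; the persistence entry and the csrss.exe location are the ones that confirm this trojan.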
The trojan reads the settings of various applications and steals web, FTP and e-mail server addresses, logins and passwords. The following applications are affected:
ICQ
Miranda ICQ
&RQ
The Bat!
Becky
CuteFTP
Edialer
Far Manager
Mozilla
Opera
Internet Explorer
Outlook
Outlook Express
Trillian
WS_FTP
Total Commander
The trojan also steals RAS (dialup) phone numbers, logins and passwords, and collects system information about the infected computer.