Trojan-PSW:W32/LdPinch is a family of trojans whose main purpose is to steal passwords for a wide array of programs from an infected computer. Some variants also include other functionality, such as backdoor capabilities.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
LdPinch steals passwords for several programs. Exact targets vary from variant to variant. The following is a list of possible targets:
Other information targeted by LdPinch variants is the content of Windows Protected Storage, RAS information, and general system information such as the username, host name, IP address and hardware details. Some variants also include a keylogger and are able to take screenshots of the victim's desktop.

The stolen information is usually encrypted and then sent to the attacker, either by uploading it to a remote server or by email using an SMTP engine contained within the trojan. It can also be left as a file on the victim's computer to be retrieved later through the backdoor functionality included in some variants.

The backdoor can be a remote command shell or an FTP server created by the trojan. Another backdoor method used in LdPinch variants is the creation of an IRC bot. Bot commands enable the trojan to, for example, download additional files, scan IP ranges for certain open ports, restart or remove itself, show active threads, or create a remote command shell.

Some variants spread by sending themselves as email attachments to addresses harvested from the infected computer. The attacker can specify strings that cause an address to be skipped if they occur in it.

Other functionality can include a proxy server, the ability to download an additional executable, or the ability for the trojan to update itself by downloading a new version from the Internet. Internet Explorer can be modified by adding items to the favorites list, changing the start or search page, or adding URLs to the list of trusted sites.

An LdPinch trojan often copies itself to another location when it is run on a computer for the first time. Typical destination folders are the computer's Windows folder or its System32 sub-folder. The system registry is then edited to ensure the trojan is executed on startup. Typically the registry entry is added to the following location:
Another method is to use an additional DLL file, which is loaded via a registry entry and starts the actual trojan executable. Some variants are started as services through the registry. Because password theft is a one-time operation, variants that have no backdoor functionality do not necessarily copy themselves anywhere on the infected computer; they simply delete themselves as soon as they have sent the stolen information back to the attacker.

LdPinch trojans can kill services and programs to protect themselves from detection and removal. Their targets for termination are various firewall and anti-virus programs. To bypass the Windows XP firewall, LdPinch can add itself to the firewall's list of authorized applications.

It should be noted that although the possible set of functionality in LdPinch trojans is very large, a typical variant is only a password stealer.
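As an added example (it is not part of the F-Secure description and is not LdPinch code), the following Python script triages a `.reg` export offline for two of the traces described above: autostart entries that launch a binary from the Windows or System32 folder, and Windows XP firewall AuthorizedApplications entries that authorize such a binary, with a correlation when the same binary appears in both. The registry locations it inspects are the standard Run/RunOnce keys and the XP firewall policy key, which are assumed here rather than taken from the description; the export text, the file names in it and the KNOWN_GOOD baseline are constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed .reg export for this example (not from a real infection). It holds one
# legitimate Run entry, one autostart entry pointing at a binary dropped into System32,
# a legitimate Windows XP firewall exception, and a firewall exception the dropped
# binary added for itself. The file names are placeholders, not LdPinch indicators.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"WinUpdate"="C:\\WINDOWS\\system32\\winupd32.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\winupd32.exe"="C:\\WINDOWS\\system32\\winupd32.exe:*:Enabled:Windows Update"
'''

# Standard autostart keys (same suffix under HKLM and HKCU) and the XP firewall list key.
AUTOSTART_SUFFIXES = tuple(s.upper() for s in (
    r"\Microsoft\Windows\CurrentVersion\Run",
    r"\Microsoft\Windows\CurrentVersion\RunOnce",
    r"\Microsoft\Windows\CurrentVersion\RunServices",
))
FIREWALL_LIST_SUFFIX = r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List".upper()
# Folders the description names as typical drop locations for the copied trojan.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\winnt", r"c:\winnt\system32"}
# Assumed baseline of binaries that legitimately autostart from those folders;
# build a real one from a known-clean image of the same Windows build.
KNOWN_GOOD = {"ctfmon.exe"}

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)="((?:[^"\\]|\\.)*)"$')
EXE_RE = re.compile(r'^"?(.+?\.(?:exe|dll|scr|com|bat|cmd))(?:"|\s|$)', re.I)
# XP firewall entry format: <path>:<scope>:Enabled|Disabled:<display name>
FW_ENTRY_RE = re.compile(r'^(.+?):([^:]*):(Enabled|Disabled):(.*)$', re.I)


def unescape(s):
    # In .reg string values a backslash escapes the following character.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return {key_path: {value_name: string}} for the REG_SZ values in a .reg export.
    Binary, DWORD and REG_EXPAND_SZ (hex(2):) values are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                name = unescape(m.group(1)) if m.group(1) is not None else "@"
                keys[current][name] = unescape(m.group(2))
    return keys


def image_path(command):
    """Lower-cased path of the executable in a Run-key command line, arguments stripped."""
    m = EXE_RE.match(command.strip())
    return (m.group(1) if m else command.strip().strip('"')).lower()


def in_system_dir(path):
    """True when the file sits directly in the Windows folder or its System32 sub-folder."""
    return str(PureWindowsPath(path).parent).lower() in SYSTEM_DIRS


def triage(reg):
    """Return findings as (rule, image_path, detail) tuples."""
    findings = []
    autostart = {}  # image path -> registry location that launches it
    for key, values in reg.items():
        if key.upper().endswith(AUTOSTART_SUFFIXES):
            for name, command in values.items():
                autostart[image_path(command)] = key + "\\" + name
    for path, where in autostart.items():
        if in_system_dir(path) and PureWindowsPath(path).name not in KNOWN_GOOD:
            findings.append(("autostart-from-windows-dir", path, where))
    for key, values in reg.items():
        if not key.upper().endswith(FIREWALL_LIST_SUFFIX):
            continue
        for entry in values.values():
            m = FW_ENTRY_RE.match(entry)
            if not m or m.group(3).lower() != "enabled":
                continue
            path, display = m.group(1).lower(), m.group(4)
            if path in autostart:
                # The binary that autostarts also opened the firewall for itself.
                findings.append(("firewall-exception-for-autostart-binary", path, display))
            elif in_system_dir(path) and PureWindowsPath(path).name not in KNOWN_GOOD:
                findings.append(("firewall-exception-in-windows-dir", path, display))
    return findings


if __name__ == "__main__":
    for rule, path, detail in triage(parse_reg(SAMPLE_REG)):
        print(f"{rule:42} {path}  [{detail}]")
```

On a suspect machine the input is produced with `reg export HKLM hklm.reg` (and the same for HKCU, since the Run key exists under both hives); `reg export` writes UTF-16, so open the file with `encoding="utf-16"` before passing it to `parse_reg`. Service entries are not covered by this block: the `ImagePath` of a service is usually exported as a `hex(2):` REG_EXPAND_SZ value, which this parser deliberately skips, so variants started as services need a separate check.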