Summary
| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Protection available since | 10 November 2005 09:43:36 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing Trojans.
More Information
Troj/LdPinch-CF is a password-stealing Trojan with backdoor functionality.
Troj/LdPinch-CF attempts to steal confidential information and send it to a remote location via HTTP or email.
The information that Troj/LdPinch-CF attempts to gather includes:
- keypresses (with the aid of a dropped keylogger DLL)
- computer details
- drive and volume information
- hostname and IP address
- information (including passwords and usernames) relating to selected applications installed on the computer, including: Miranda ICQ, Mirabilis ICQ, The Bat!, Trillian, Windows Commander and Total Commander
- passwords and confidential information stored by the system in 'Protected Storage'
- POP3 and IMAP server information, usernames and passwords
- FTP usernames and passwords
- RAS dial-up settings
Troj/LdPinch-CF provides a backdoor server on a pre-configured port (the default is 2050). A remote intruder will be able to connect to this port and receive command shell access.
Troj/LdPinch-CF can arrive as a result of web browsing. Certain web pages may exploit vulnerabilities associated with Microsoft Internet Explorer to silently download and install/run the Trojan without user interaction.
Troj/LdPinch-CF includes functionality to steal confidential information and send notification messages to remote locations.
When first run Troj/LdPinch-CF copies itself to the Windows folder and creates the following files:
<Favorites>\asechka.ru.url
<Favorites>\hackru.info.url
<Favorites>\wasm.ru.url
<Favorites>\web-hack.ru.url
<Favorites>\xportal.net.ru.url
\%CurrentFolder%\a.bat
<Windows>\keyls.dll
<Windows>\temp.jpg
The following registry entry is created to run Troj/LdPinch-CF on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TaskManager
<Windows>\<original Trojan filename>
Troj/LdPinch-CF changes the Start Page and Search Page for Microsoft Internet Explorer by modifying values under:
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
Troj/LdPinch-CF sets the following registry entries, disabling the automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Alerter
Start
4
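The file and registry indicators listed above can be checked offline against a registry export and a file listing, which is how an analyst would triage a suspect host without running anything on it. The following is an added example written for this page, not Sophos code: it parses the subset of `.reg` syntax that `reg export` produces, flags the `Run\TaskManager` value pointing into the Windows folder, the `Alerter` service `Start=4` change and the Internet Explorer Start/Search Page values for review, and matches dropped file names against a path listing. The sample export, the file list, the `C:\WINDOWS` and Favorites paths, and the `sample.exe` filename are all constructed placeholders (the write-up gives only `<Windows>\<original Trojan filename>` and does not name the hijacked start page URL).

```python
"""Offline triage of the Troj/LdPinch-CF indicators from the Sophos write-up.

Added example; not part of the original page. All sample data below is constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape `reg export` emits (real exports are UTF-16).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"TaskManager"="C:\\WINDOWS\\sample.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://hijacked.example/"
"Search Page"="http://hijacked.example/search"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter]
"Start"=dword:00000004
"""

# Constructed file listing; only some of the dropped files are present on this host.
SAMPLE_FILES = [
    r"C:\WINDOWS\keyls.dll",
    r"C:\WINDOWS\temp.jpg",
    r"C:\WINDOWS\notepad.exe",
    r"C:\Users\alice\Favorites\wasm.ru.url",
    r"C:\Users\alice\Favorites\web-hack.ru.url",
]

# Keys and values named in the write-up (compared case-insensitively).
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
IE_MAIN_KEY = r"hkey_current_user\software\microsoft\internet explorer\main"
ALERTER_KEY = r"hkey_local_machine\system\currentcontrolset\services\alerter"
SERVICE_DISABLED = 4  # Start=4 means the service never starts automatically

DROPPED_IN_WINDOWS = ["keyls.dll", "temp.jpg"]
DROPPED_IN_FAVORITES = ["asechka.ru.url", "hackru.info.url", "wasm.ru.url",
                        "web-hack.ru.url", "xportal.net.ru.url"]

RegValues = Dict[Tuple[str, str], object]
Finding = Tuple[str, str]


def parse_reg_export(text: str) -> RegValues:
    """Parse [key] headers plus "name"="string" and "name"=dword:hex lines.

    Returns {(key, name): data} with key and name lowercased.
    """
    values: RegValues = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or key is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            # .reg strings escape quotes as \" and backslashes as \\
            parsed: object = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif data.lower().startswith("dword:"):
            parsed = int(data[6:], 16)
        else:
            parsed = data  # hex(...) and other types are left as raw text
        values[(key.lower(), name.lower())] = parsed
    return values


def check_registry(values: RegValues, windows_dir: str = r"C:\WINDOWS") -> List[Finding]:
    """Apply the registry indicators from the write-up to a parsed export."""
    findings: List[Finding] = []
    run_data = values.get((RUN_KEY, "taskmanager"))
    if isinstance(run_data, str) and run_data.lower().startswith(windows_dir.lower() + "\\"):
        findings.append(("run_key", f"TaskManager -> {run_data}"))
    if values.get((ALERTER_KEY, "start")) == SERVICE_DISABLED:
        findings.append(("alerter_disabled", "Alerter Start=4"))
    # The write-up does not give the hijacked URLs, so these are reported for review.
    for name in ("start page", "search page"):
        data = values.get((IE_MAIN_KEY, name))
        if data is not None:
            findings.append(("ie_page_review", f"{name} = {data}"))
    return findings


def check_files(paths: List[str], windows_dir: str, favorites_dir: str) -> List[Finding]:
    """Match a file listing against the dropped-file names, with <Windows>/<Favorites> resolved."""
    wanted = {f"{windows_dir}\\{n}".lower() for n in DROPPED_IN_WINDOWS}
    wanted |= {f"{favorites_dir}\\{n}".lower() for n in DROPPED_IN_FAVORITES}
    return [("dropped_file", p) for p in paths if p.lower() in wanted]


if __name__ == "__main__":
    for kind, detail in check_registry(parse_reg_export(SAMPLE_REG)):
        print(f"{kind}: {detail}")
    for kind, detail in check_files(SAMPLE_FILES, r"C:\WINDOWS", r"C:\Users\alice\Favorites"):
        print(f"{kind}: {detail}")
```

The Start/Search Page values are reported rather than flagged because a clean profile also has them; the analyst compares them against the organisation's expected defaults. A real `reg export` is UTF-16 with a BOM, so decode it with `utf-16` before passing the text to `parse_reg_export`.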
