Troj/LdPinc-LZ

Please follow the instructions for removing Trojans.

Troj/LdPinc-LZ is a password-stealing Trojan with backdoor functionality.

Troj/LdPinc-LZ attempts to steal confidential information and send it to a remote location via HTTP or email. Troj/LdPinc-LZ is a password-stealing Trojan with backdoor functionality.

Troj/LdPinc-LZ attempts to steal confidential information and send it to a remote location via HTTP or email.

The information that Troj/LdPinc-LZ attempts to gather includes:

- keypresses (with the aid of a dropped keylogger DLL)
- computer details
- drive and volume information
- hostname and IP address
- information (including passwords and usernames) relating to selected applications installed on the computer, including: Miranda ICQ, mirabilis ICQ, The Bat!, Trillian, Windows Commander and Total Commander
- passwords and confidential information stored by the system in 'Protected Storage'
- POP3 and IMAP server information, usernames and passwords
- FTP usernames and passwords
- RAS dial-up settings

Troj/LdPinc-LZ provides a backdoor server on a pre-configured port (the default is 2050). A remote intruder will be able to connect to this port and receive command shell access.

Troj/LdPinc-LZ can arrive as a result of web browsing. Certain web pages may exploit vulnerabilities associated with Microsoft Internet Explorer to silently download and install/run the Trojan without user interaction.

Troj/LdPinc-LZ includes functionality to steal confidential information.

When first run Troj/LdPinc-LZ copies itself to <System>\mssync20.exe and creates the file <System>\mssync20.sys (also detected as Troj/LdPinc-LZ).

The file mssync20.sys is registered as a new system driver service named "mssync2020", with a display name of "mssync2020" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\mssync2020\