Virus: TR/PSW.LDPinch.GKA
Date discovered: 24/03/2006
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 116,736 bytes
MD5 checksum: fcbf84013de305e17f1eb09fd6ecdd71
VDF version: 6.34.00.91

General
Method of propagation:
   • No own spreading routine


Alias:
   •  Eset: Win32/PSW.LdPinch.NBT


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a malicious file
   • Registry modification
   • Steals information

Files
It copies itself to the following location:
   • %WINDIR%\%executed file%



The following file is created:

   • %WINDIR%\ihook.dll

Further investigation showed that this file is also malware. Detected as: TR/PSWLDPinch.GK.1

Registry
The following registry value is added so that the process is started again after reboot:

– HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   • "SVCHOST"="%WINDIR%\%executed file%"



The following registry key is added, with a value holding the collected data:

– HKCU\Software\Intel
   • "Data"=%stolen information%

Email
It has no spreading routine of its own, but it is able to send an email. The recipient is most likely the author. The characteristics are described below:


Email design:

From: cooli4@mail.ru
To: cooli4@mail.ru
Subject: Passwords from ld-pinch (%computer name%)
Body:
   • %stolen information%

Stealing
It tries to steal the following information:

– Passwords from the following programs:
   • ICQ
   • Miranda
   • The Bat!
   • Windows Commander
   • Total Commander
   • Far
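The registry side effects, the self-addressed exfiltration mail and the MD5 listed above are the observable indicators of this sample. The following triage script is an added example, not part of the original Avira description: it parses a regedit-style export and an SMTP message body and reports the indicators described on this page. The registry export, the mail text and the host name are constructed sample data modelled on the write-up, and the function names (parse_reg_export, check_registry, check_mail, matches_known_sample) are this example's own.

```python
"""Triage checks for the TR/PSW.LDPinch.GKA indicators described above.

Added example (not the original description's code). The SAMPLE_* inputs are
constructed to mirror the indicators on the page; nothing here touches a live
registry, so it runs offline on any platform.
"""
import hashlib
import re

# Indicators taken from the description above.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
INTEL_KEY = r"HKEY_CURRENT_USER\Software\Intel"
KNOWN_MD5 = "fcbf84013de305e17f1eb09fd6ecdd71"
EXFIL_ADDR = "cooli4@mail.ru"
# Subject line "Passwords from ld-pinch (%computer name%)"
SUBJECT_RE = re.compile(r"^passwords from ld-pinch \(.+\)\s*$", re.I)

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"\s*$')

# Constructed sample input: what `reg export` of the two keys might look like
# on an infected host. Path and credential strings are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SVCHOST"="C:\\WINDOWS\\winlog.exe"

[HKEY_CURRENT_USER\Software\Intel]
"Data"="ICQ:123456:hunter2;TheBat:user@example.org:s3cret"
"""

# Constructed sample input: the exfiltration mail as it would appear in an
# SMTP DATA capture (host name invented).
SAMPLE_MAIL = """From: cooli4@mail.ru
To: cooli4@mail.ru
Subject: Passwords from ld-pinch (WORKSTATION-01)

ICQ:123456:hunter2
"""


def parse_reg_export(text):
    """Parse a regedit /e style export into {key: {name: value}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            # regedit escapes backslashes and quotes inside string data.
            value = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            keys[current][m.group(1)] = value
    return keys


def check_registry(text, windir=r"C:\WINDOWS"):
    """Return findings for the registry side effects listed on the page."""
    findings = []
    keys = parse_reg_export(text)
    for name, value in keys.get(RUN_KEY, {}).items():
        # The genuine svchost.exe is started by the Service Control Manager
        # from %WINDIR%\system32, never via the per-user Run key, so a Run
        # value named SVCHOST is suspicious whatever path it points at.
        if name.lower() == "svchost":
            findings.append(f"Run value {name!r} -> {value}")
        # The sample copies itself straight into %WINDIR%; flag Run targets
        # that live in that directory root rather than in a subfolder.
        elif (value.lower().startswith(windir.lower() + "\\")
              and "\\" not in value[len(windir) + 1:]):
            findings.append(f"Run value {name!r} launches from %WINDIR% root -> {value}")
    intel = keys.get(INTEL_KEY, {})
    # HKCU\Software\Intel by itself is also used by legitimate Intel software;
    # the indicator is a "Data" value under it, where the stolen text is staged.
    if "Data" in intel:
        findings.append(f"{INTEL_KEY}\\Data present ({len(intel['Data'])} chars)")
    return findings


def check_mail(message):
    """Return findings for a mail matching the email design described above."""
    findings, headers = [], {}
    for line in message.splitlines():
        if not line.strip():
            break  # end of the header block
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    if SUBJECT_RE.match(headers.get("subject", "")):
        findings.append("subject matches 'Passwords from ld-pinch (<computer name>)'")
    if headers.get("from") == headers.get("to") == EXFIL_ADDR:
        findings.append(f"self-addressed mail to {EXFIL_ADDR}")
    return findings


def matches_known_sample(data):
    """True when the file content hashes to the MD5 given for this sample."""
    return hashlib.md5(data).hexdigest() == KNOWN_MD5


if __name__ == "__main__":
    for finding in check_registry(SAMPLE_REG) + check_mail(SAMPLE_MAIL):
        print("[!]", finding)
```

On a real host the input for check_registry is produced with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (and likewise for HKCU\Software\Intel). The MD5 only identifies this exact static file; a repacked variant will not match, which is why the Run-value and mail-subject checks carry more weight than the hash.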

File details
Runtime packer:
In order to hamper detection and reduce the file size, it is packed with the following runtime packers:
   • NSPack
   • Obsidium

Description inserted by Irina Boldea on Thursday, March 23, 2006
Description updated by Irina Boldea on Friday, March 24, 2006
