Virus:TR/PSW.LdPinch.arh
Date discovered:19/07/2006
Type:Trojan
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:26,624 Bytes
MD5 checksum:793e4f6725174fe3ce8e5a684b8c0dc2
VDF version:6.35.00.183
IVDF version:6.35.00.223

General
Method of propagation:
   • No own spreading routine


Alias:
   •  Kaspersky: Trojan-PSW.Win32.LdPinch.arh


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Uses its own Email engine
   • Registry modification
   • Steals information
   • Third party control

Files
It copies itself to the following location:
   • %WINDIR%\csrss.exe
Note that the genuine csrss.exe (the Client/Server Runtime Subsystem) lives in %WINDIR%\System32; a csrss.exe directly in %WINDIR% is the trojan's copy, named so that it blends into the process list.

Registry
The following registry value is added so that the process is started again after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "system"="%WINDIR%\csrss.exe"



It creates the following entry in order to register itself as an exception in the Windows XP firewall, so that inbound connections to its backdoor port are allowed. The path is recorded under ControlSet001; on a live host, HKLM\SYSTEM\CurrentControlSet resolves to whichever control set is active and should be checked as well:

– [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%WINDIR%\csrss.exe"="%WINDIR%\csrss.exe:*:Enabled:csrss"
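The two registry artifacts above (the Run value and the firewall exception) are what a responder would look for first. The following is an added example, not code from the description or from Avira: a small Python triage script that parses a `reg export` (.reg) file, looks for a csrss.exe registered outside %WINDIR%\System32 in the HKCU Run key, and decodes the XP firewall exception format (`path:scope:Enabled|Disabled:display name`) to find the same image. The .reg excerpt, the function names and the benign filler entries are all constructed for this example. It goes slightly beyond the text in that it accepts CurrentControlSet as well as ControlSet00N, and the DomainProfile list as well as StandardProfile, since the exception format is identical there.

```python
import re

# Constructed excerpt of a `reg export` (.reg) file written for this example;
# it is not a capture from an infected host. The two suspicious lines mirror
# the entries the description lists; the other values are benign filler.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"system"="C:\\WINDOWS\\csrss.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\csrss.exe"="C:\\WINDOWS\\csrss.exe:*:Enabled:csrss"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"""

HIVE_ALIASES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
# The description records ControlSet001; on a live system CurrentControlSet is a
# link to the active ControlSet00N, so both spellings are accepted. DomainProfile
# uses the same exception format as StandardProfile and is checked too.
FIREWALL_LIST_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\SharedAccess"
    r"\\Parameters\\FirewallPolicy\\(?:Standard|Domain)Profile\\AuthorizedApplications\\List$",
    re.IGNORECASE,
)
# "name"="string data" lines; backslash and double quote are backslash-escaped.
VALUE_LINE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg export.
    Other value types (dword:, hex:) are skipped; hives are normalised to long form."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            current = HIVE_ALIASES.get(hive.upper(), hive) + "\\" + rest
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def is_masquerading_csrss(path):
    """True when a path names csrss.exe anywhere other than %WINDIR%\\System32.
    The genuine Client/Server Runtime Subsystem binary lives only there and is
    never registered in a Run key or as a firewall exception."""
    p = path.strip().strip('"').lower()
    return p.endswith("\\csrss.exe") and not p.endswith("\\system32\\csrss.exe")


def _image_path(command):
    """Image path of a Run value: drop surrounding quotes and any arguments after .exe."""
    m = re.match(r'^\s*"?(.*?\.exe)', command, re.IGNORECASE)
    return m.group(1) if m else command


def find_ldpinch_artifacts(reg_text):
    """Return (kind, value_name, data) for every Run value or firewall exception
    that points at a masquerading csrss.exe."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() == RUN_KEY.lower():
            for name, data in values.items():
                if is_masquerading_csrss(_image_path(data)):
                    findings.append(("run_key", name, data))
        elif FIREWALL_LIST_RE.match(key):
            for name, data in values.items():
                # XP firewall exception data is "path:scope:Enabled|Disabled:display name";
                # rsplit from the right keeps the drive-letter colon inside the path.
                exe = data.rsplit(":", 3)[0]
                if is_masquerading_csrss(exe) or is_masquerading_csrss(name):
                    findings.append(("firewall_exception", name, data))
    return findings


if __name__ == "__main__":
    for kind, name, data in find_ldpinch_artifacts(SAMPLE_REG_EXPORT):
        print(f"{kind}: {name} -> {data}")
```

On a suspect XP host the input would come from `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` and `reg export HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy fw.reg`; the exported file is UTF-16 with a BOM, so open it with `encoding="utf-16"` before passing the text in.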

Email
It doesn't have its own spreading routine, but it can send an email, and the recipient is most likely the author. The characteristics of that email are described below:


From:
The sender of the email is the following:
   • bolbes@topmail.kz


To:
The recipient of the email is the following:
   • bolbes@topmail.kz


Subject:
The subject is the following:
   • Reportsss(%computer name%)



Body:
–  The body is empty.


Attachment:
The filename of the attachment is:
   • mass.bin
The attachment carries the stolen information (%stolen information%).
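The mail described above is the exfiltration channel, so it is also the best place to catch the infection at a mail gateway or in a mailbox dump. As an added example (not code from the description or from Avira), the Python below builds a message of exactly the shape given (same sender and recipient, subject `Reportsss(<computer name>)`, empty body, a `mass.bin` attachment) and then parses a raw message back and scores it against those indicators. The sender address is the weakest signal because it is trivially forged, so the match decision keys on recipient, subject pattern and attachment name, and the script also pulls the victim's computer name out of the subject and reports attachment sizes so the analyst can locate the stolen blob. The `build_message`/`analyse_message` names, the computer name `WS-ACCT-07` and the payload bytes are constructed for the example.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Indicators taken from the description.
IOC_ADDRESS = "bolbes@topmail.kz"
IOC_ATTACHMENT = "mass.bin"
SUBJECT_RE = re.compile(r"^Reportsss\((?P<host>[^)]*)\)$")


def build_message(sender, recipient, subject, body, attachment_name, payload):
    """Build a MIME message with one octet-stream attachment (constructed test data)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    if body:
        msg.set_content(body)
    else:
        msg.make_mixed()  # empty body: no text part at all, only the attachment follows
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


def build_ldpinch_report(computer_name, stolen_blob):
    """Message with the shape the description gives (constructed, not a real capture)."""
    return build_message(IOC_ADDRESS, IOC_ADDRESS, f"Reportsss({computer_name})",
                         "", IOC_ATTACHMENT, stolen_blob)


def analyse_message(raw):
    """Score a raw RFC 5322 message against the LdPinch.arh mail indicators.
    Returns per-indicator hits, the computer name embedded in the subject and
    the size of every attachment."""
    msg = message_from_bytes(raw, policy=default)
    sender = str(msg.get("From", "")).strip().lower()
    recipients = [a.strip().lower() for a in str(msg.get("To", "")).split(",")]
    m = SUBJECT_RE.match(str(msg.get("Subject", "")))
    attachments = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        content = part.get_content()
        attachments[name] = len(content) if isinstance(content, (bytes, bytearray)) else len(content.encode())
    hits = {
        "sender": sender == IOC_ADDRESS,        # forgeable, informational only
        "recipient": IOC_ADDRESS in recipients,
        "subject": m is not None,
        "attachment": IOC_ATTACHMENT in attachments,
    }
    return {
        "matched": hits["recipient"] and hits["subject"] and hits["attachment"],
        "hits": hits,
        "computer_name": m.group("host") if m else None,
        "attachments": attachments,
    }


if __name__ == "__main__":
    raw = build_ldpinch_report("WS-ACCT-07", b"\x00\x01stolen")
    print(analyse_message(raw))
```

In practice `analyse_message` would be fed the `.eml` files from a mail server's quarantine or a mailbox export; a mail that matches is the signal to pull `mass.bin` for analysis and to treat every credential stored in the listed client programs on the named computer as compromised.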

Backdoor
The following port is opened:

– csrss.exe listens on TCP port 21 and provides an FTP server, which gives the attacker the "third party control" listed under side effects.
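The backdoor is visible from the host side as a listening socket owned by a process calling itself csrss.exe. The following added example (not part of the description, not Avira's code) correlates `netstat -ano` output with `tasklist` output to flag it. It uses two signals: any csrss.exe that owns a listening socket, because the genuine Client/Server Runtime Subsystem never listens on the network, and any TCP 21 listener, which is the port the description names. Both samples are constructed for the example and PID 1492 plays the trojan's copy; the function names are the example's own.

```python
import re

# Constructed `netstat -ano` output for this example (not a real capture).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1492
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       920
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING       1812
  TCP    192.168.1.20:1053      10.0.0.5:80            ESTABLISHED     1812
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed `tasklist` output for the same host. Two csrss.exe processes:
# PID 580 is the real one, PID 1492 is the copy dropped in %WINDIR%.
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Console                    0        236 K
csrss.exe                      580 Console                    0      3,456 K
svchost.exe                    920 Console                    0      4,912 K
csrss.exe                     1492 Console                    0      1,220 K
explorer.exe                  1812 Console                    0     18,340 K
"""

NETSTAT_TCP_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
TASKLIST_RE = re.compile(r"^(\S+)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_tcp_listeners(netstat_text):
    """Return [(local_ip, port, pid)] for every TCP line in LISTENING state."""
    out = []
    for line in netstat_text.splitlines():
        m = NETSTAT_TCP_RE.match(line)
        if m:
            out.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return out


def parse_tasklist(tasklist_text):
    """Return {pid: image_name} from `tasklist` output (header lines do not match)."""
    procs = {}
    for line in tasklist_text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs


def find_backdoor_listeners(netstat_text, tasklist_text):
    """Flag listeners matching the description: csrss.exe owning any listening
    socket, and anything listening on TCP 21."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for ip, port, pid in parse_tcp_listeners(netstat_text):
        image = procs.get(pid, "<unknown>")
        reasons = []
        if image.lower() == "csrss.exe":
            reasons.append("csrss.exe owns a listening socket")
        if port == 21:
            reasons.append("TCP 21 listener (FTP backdoor per description)")
        if reasons:
            findings.append({"pid": pid, "image": image,
                             "local": f"{ip}:{port}", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_backdoor_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f)
```

A second csrss.exe process is not by itself suspicious, since Windows starts one per session, which is why the check keys on the socket rather than on the process count. A listener bound to 0.0.0.0 is reachable from every interface, which is exactly what the firewall exception above makes possible.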

Stealing
It tries to steal the following information:
– Passwords typed into password input fields
– Email account information read from the registry key HKCU\Software\Microsoft\Internet Account Manager\Accounts

– Passwords from the following programs:
   • Mirabilis(ICQ)
   • RIT(The Bat)
   • Trillian
   • Outlook
   • CuteFTP
   • CuteFTP Pro
   • WS_FTP
   • Miranda IM
   • Opera
   • Mozilla
   • FileZilla
   • Punto Switcher
   • Total Commander
   • Windows Commander
   • Eudora

File details
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • UPX

Description inserted by Adriana Popa on Friday, July 21, 2006
Description updated by Andrei Gherman on Friday, July 21, 2006
