Virus:TR/Drop.LdPinch.dvx
Date discovered:23/10/2007
Type:Trojan
Subtype:Dropper / Downloader
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:28.672 Bytes
MD5 checksum:67f88bf5ae4a4c64dbee3de00Dc8fc0C
IVDF version:7.0.0.125

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Mcafee: Spy-Agent.bg
   •  Eset: Win32/PSW.LdPinch.DVX trojan


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a file
   • Drops a malicious file

 Files It copies itself to the following location:
   • %WINDIR%\9129837.exe



The following files are created:

%WINDIR%\new_drv.sys Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: RKIT/LdPinch.dvx

– c:\abcdefg.bat Furthermore it gets executed after it was fully created. This batch file is used to delete a file.

 Registry One of the following values is added in order to run the process after reboot:

–  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ttool
   • %WINDIR%\9129837.exe



The following registry key is added:

– HKCU\Software\Microsoft\InetData
   • k1=dword:336602d5
   • k2=dword:4337c861
   • version="951"

 Backdoor Contact server:
The following:
   • http://**********/cgi-bin/options.cgi?user_id=165549058&version_id=951&passphrase=fkjvhsdvlksdhvlsd&socks=3633&version=124&crc=00000000

As a result it may send some information. This is done via the HTTP GET request on a CGI script.

Description inserted by Lutz Koch on Tuesday, October 23, 2007
Description updated by Lutz Koch on Wednesday, October 24, 2007

Back . . . .