TSPY_LDPINCH


 ALIASES:

Wadolin, LdPinch

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

  • Threat Type: Spyware

  • Destructiveness: No

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Propagates via removable drives, Dropped by other malware, Downloaded from the Internet

LDPINCH is a family of worms and Trojans known for their information-stealing routine. The first strains of this family appeared in 2007.

Its variants are known to be downloaded from compromised websites; the worm variants also spread via removable drives.

LDPINCH variants harvest user information from programs commonly used for email, FTP, file sharing, web browsing, and instant messaging. The programs it collects data from include the following:

  • CuteFTP

  • Eudora

  • ICQ

  • Mozilla Firefox

  • Opera

  • Outlook

  • Trillian

  TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Steals information

Installation

This spyware drops the following file (the AutoRun file it uses to spread via removable drives):

  • {drive letter}\autorun.inf

It drops the following copies of itself onto the affected system and onto removable drives:

  • %System%\sisis.exe
  • {drive letter}\autorun.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
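The autorun.inf dropped at the root of a removable drive is what turns the drive into a propagation vector: when AutoRun is enabled, the directives in that file launch the dropped autorun.exe on insertion. The following is an added example, not Trend Micro's code, that parses an autorun.inf and reports every directive that would execute a binary, marking the ones that point at the copy named above. The sample .inf content is constructed for illustration (the page names the dropped files but does not reproduce the .inf contents), so its directives are assumptions.

```python
"""Flag an autorun.inf that hands removable-drive execution to a dropped binary.

Added example, not Trend Micro's code. SAMPLE_INF is constructed for
illustration: the page names {drive letter}\\autorun.inf and
{drive letter}\\autorun.exe but does not reproduce the .inf, so the
directives below are assumptions.
"""
from __future__ import annotations

import re

# AutoRun directives that can cause execution on insertion. The documented
# "shell\<verb>\command" form is matched by the regex.
EXEC_KEYS = ("open", "shellexecute")
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def parse_autorun(text: str) -> dict[str, str]:
    """Return key -> value pairs from the [autorun] section, keys lowercased.

    Hand-rolled so that blank lines, ';' comments and stray non key=value
    text (which configparser rejects) do not abort triage."""
    section = None
    entries: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def _target(value: str) -> str:
    """First token of a command line (the program), quotes stripped, lowercased."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end].lower() if end > 0 else value[1:].lower()
    return value.split()[0].lower() if value else ""


def autorun_indicators(text: str, dropped_names=("autorun.exe",)) -> list[str]:
    """List directives that would launch a program on insertion; entries whose
    program matches a name in dropped_names are tagged as the known dropped copy."""
    findings: list[str] = []
    for key, value in parse_autorun(text).items():
        if key not in EXEC_KEYS and not SHELL_CMD.match(key):
            continue
        target = _target(value)
        if not target:
            continue
        name = target.replace("/", "\\").rsplit("\\", 1)[-1]
        tag = "KNOWN DROPPED COPY" if name in dropped_names else "executes on insert"
        findings.append(f"{key}={value} ({tag})")
    return findings


# Constructed sample; not recovered from a real infection.
SAMPLE_INF = """\
[AutoRun]
; constructed sample, not recovered from a real infection
open=autorun.exe
shell\\open\\command=autorun.exe
shellexecute=autorun.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

if __name__ == "__main__":
    for finding in autorun_indicators(SAMPLE_INF):
        print(finding)
```

Running the block prints three findings, one per execution directive, each tagged as the known dropped copy; the icon directive is ignored because it cannot execute anything. Point the function at the autorun.inf read from a suspect drive root (with AutoRun disabled on the analysis host) to triage it the same way.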

Autostart Technique

This spyware adds the following registry entry to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
sisis = "%System%\sisis.exe"

Other System Modifications

This spyware creates the following registry entry to bypass Windows Firewall. Rather than disabling the firewall, it registers its own executable in the Standard profile's list of authorized applications, so its outbound and inbound connections are permitted:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{malware path}\{malware name} = "{malware path}\{malware name}:*:Enabled:Enabled"
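Both registry artifacts above can be checked offline from a regedit export of the affected system's hives. The following is an added example, not Trend Micro's code: it parses a .reg file, flags a Run value that launches sisis.exe, and decodes each AuthorizedApplications entry. The value layout "path:scope:mode:displayname" is the documented Windows XP SP2 / Server 2003 format, which is why the page's entry ends in a second "Enabled": that final field is the display name, and the malware fills it with a placeholder. The SAMPLE_REG export is constructed, and the concrete C:\WINDOWS\system32 path stands in for %System% as an assumption.

```python
"""Triage a regedit (.reg) export for the LDPINCH persistence and
firewall-bypass entries described above.

Added example, not Trend Micro's code. SAMPLE_REG is constructed; the
concrete path C:\\WINDOWS\\system32 is an assumption standing in for
%System%. The AuthorizedApplications value layout
"path:scope:mode:displayname" is the documented XP SP2 / 2003 format.
"""
from __future__ import annotations

import ntpath

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
FW_LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
               r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
DROPPED_NAME = "sisis.exe"   # name of the copy given on this page


def _unescape(s: str) -> str:
    """Undo regedit's escaping of quotes and backslashes inside string values."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text: str) -> dict[str, dict[str, str]]:
    """Map each key path to its string values ("name"="data"); other types skipped."""
    hives: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            hives.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        if not (data.startswith('"') and data.endswith('"')):
            continue                       # dword:, hex: etc. are not strings
        name = "@" if name == "@" else _unescape(name.strip('"'))
        hives[current][name] = _unescape(data[1:-1])
    return hives


def firewall_exception_fields(data: str) -> tuple[str, str, str, str]:
    """Split 'path:scope:mode:displayname'. The path carries a drive colon,
    so the split runs from the right."""
    parts = data.rsplit(":", 3)
    if len(parts) != 4:
        raise ValueError(f"not an AuthorizedApplications entry: {data!r}")
    return parts[0], parts[1], parts[2], parts[3]


def ldpinch_indicators(reg_text: str) -> list[str]:
    """Return findings for the Run value and firewall exception named on this page."""
    hives = parse_reg(reg_text)
    findings: list[str] = []
    for name, data in hives.get(RUN_KEY, {}).items():
        exe = ntpath.basename(data.strip('"').split(" ")[0]).lower()
        if exe == DROPPED_NAME:
            findings.append(f"Run value {name!r} launches {data}")
    for name, data in hives.get(FW_LIST_KEY, {}).items():
        try:
            path, scope, mode, display = firewall_exception_fields(data)
        except ValueError:
            continue
        if mode.lower() != "enabled":
            continue
        if ntpath.basename(path).lower() == DROPPED_NAME:
            findings.append(f"firewall exception for dropped copy: {path} (scope {scope})")
        elif display.lower() == "enabled":
            # Heuristic (assumption): legitimate programs register a descriptive
            # display name, whereas the page's entry reuses the literal "Enabled".
            findings.append(f"firewall exception with placeholder display name: {path}")
    return findings


# Constructed export; the ctfmon and Messenger entries are benign decoys.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sisis"="C:\\WINDOWS\\system32\\sisis.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sisis.exe"="C:\\WINDOWS\\system32\\sisis.exe:*:Enabled:Enabled"
"%ProgramFiles%\\Messenger\\msmsgs.exe"="%ProgramFiles%\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"EnableFirewall"=dword:00000001
"""

if __name__ == "__main__":
    for finding in ldpinch_indicators(SAMPLE_REG):
        print(finding)
```

On the constructed export the script reports two findings, the Run value and the firewall exception for sisis.exe, and leaves the ctfmon and Windows Messenger entries alone. To use it on a real system, export the two keys with `reg export` (or `regedit /e`) and feed the resulting file to ldpinch_indicators; a file name other than sisis.exe only means a different variant, so treat any unexplained AuthorizedApplications entry with scope "*" as worth a look.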

Other Details

This spyware connects to the following possibly malicious URLs:

  • {BLOCKED}ss.cn
  • dnsf.{BLOCKED}x.com.ru
  • dwl.{BLOCKED}q.com
  • {BLOCKED}.{BLOCKED}.110.78/pinch/gate.php
  • nnpyev.{BLOCKED}x.com.ru
  • pleven.{BLOCKED}rint.bg
  • wcom.{BLOCKED}x.com.ru
  • web.{BLOCKED}n.com
  • www.{BLOCKED}d.cn
  • {BLOCKED}a.ru