TROJ_LDPINCH
Aliases: Wadolin, LdPinch
Platform: Windows 2000, Windows XP, Windows Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Infection Channel: Propagates via removable drives, Dropped by other malware, Downloaded from the Internet
The LDPINCH malware family comprises worms and Trojans noted for their information-stealing routine. The first strains of this family appeared in 2007.
Its variants are known to be downloaded from compromised sites, and its worm variants are known to spread via removable drives.
LDPINCH malware collects user information from programs commonly used for email, FTP, file sharing, browsing, and instant messaging. Some of the programs it collects data from are the following:
- CuteFTP
- Eudora
- ICQ
- Mozilla Firefox
- Opera
- Outlook
- Trillian
TECHNICAL DETAILS
Yes
Payload: Steals information
Installation
This Trojan drops the following files:
- {drive letter}\autorun.inf
It drops the following copies of itself into the affected system:
- %System%\sisis.exe
- {drive letter}\autorun.exe
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
Autostart Technique
This Trojan adds the following registry entry to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
sisis = "%System%\sisis.exe"
Other System Modifications
This Trojan creates the following registry entry to register itself as an authorized application and thereby bypass Windows Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
{malware path}\{malware name} = "{malware path}\{malware name}:*:Enabled:Enabled"
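The three host-side indicators above (the dropped copy and Run-key value, the Windows Firewall authorized-application entry, and the autorun.inf/autorun.exe pair on removable drives) can be checked from an administrative PowerShell prompt. The script below is an added example for defenders and is not part of this Trend Micro entry; it assumes PowerShell 2.0 or later (so it does not apply to the Windows 98/ME paths mentioned in the note) and read access to HKLM. The firewall check flags entries whose executable is named sisis.exe or autorun.exe, or whose file no longer exists on disk, which is a heuristic of this example rather than a rule stated on the page.

```powershell
# Added example (not from the Trend Micro entry): look for the LDPINCH
# persistence, firewall-exception and removable-drive indicators on this host.
$findings = @()

# 1. Run-key persistence: value "sisis" pointing at %System%\sisis.exe
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['sisis']) {
    $findings += "Run key value 'sisis' = $($run.sisis)"
}
# %System% is System32 on NT/2000/XP/2003, so $env:SystemRoot\System32 covers them
$sisisPath = Join-Path $env:SystemRoot 'System32\sisis.exe'
if (Test-Path $sisisPath) { $findings += "Dropped copy present: $sisisPath" }

# 2. Windows Firewall authorized-application list (XP/2003-era key). Each value
#    is named after the executable path and holds "<path>:*:Enabled:Enabled".
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
if ($fw) {
    foreach ($p in $fw.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $exe  = $p.Name
        $leaf = Split-Path -Leaf $exe
        # Heuristic of this example: known LDPINCH file names, or a stale entry
        # whose executable is gone (the malware may have been removed already).
        if ($leaf -in @('sisis.exe', 'autorun.exe') -or -not (Test-Path $exe)) {
            $findings += "Firewall exception worth reviewing: $exe -> $($p.Value)"
        }
    }
}

# 3. Removable drives (DriveType 2): autorun.inf next to autorun.exe in the root
$removable = Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=2' -ErrorAction SilentlyContinue
foreach ($d in $removable) {
    $inf = "$($d.DeviceID)\autorun.inf"
    $exe = "$($d.DeviceID)\autorun.exe"
    if ((Test-Path $inf) -and (Test-Path $exe)) {
        $findings += "Removable drive $($d.DeviceID): autorun.inf and autorun.exe present"
    }
}

if ($findings.Count -eq 0) { 'No LDPINCH indicators found.' } else { $findings }
```

Run it from an elevated prompt; a clean host prints a single line, and any finding names the exact key, value or path so it can be confirmed and removed by hand or fed into the endpoint tool of choice. The `-in` operator in step 2 requires PowerShell 3.0 or later; on 2.0 replace it with `@('sisis.exe', 'autorun.exe') -contains $leaf`.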
Other Details
This Trojan connects to the following possibly malicious URLs:
- {BLOCKED}a.ru
- {BLOCKED}ss.cn
- dnsf.{BLOCKED}x.com.ru
- dwl.{BLOCKED}q.com
- {BLOCKED}.{BLOCKED}.110.78/pinch/gate.php
- nnpyev.{BLOCKED}x.com.ru
- pleven.{BLOCKED}rint.bg
- wcom.{BLOCKED}x.com.ru
- web.{BLOCKED}n.com
- www.{BLOCKED}d.cn
- {BLOCKED}a.ru