Trojan-PSW.Win32.LdPinch.bff
From Total Malware Info
Trojan program designed to steal user passwords from various e-mail, IM, FTP and P2P network clients.
It is a Windows portable executable (PE) file, 642 060 bytes in size. The trojan body is encrypted. Written in assembler.
Installation
When launched, the trojan extracts the following files from its body:
- %Temp%\Vzlom BK.exe – 32 256 bytes in size. Detected by Kaspersky Anti-Virus as Trojan-PSW.Win32.LdPinch.bfy
- %Temp%\CMOD.exe – 601 088 bytes in size. Detected by Kaspersky Anti-Virus as not-virus:Hoax.Win32.Delf.b
Once extracted, the trojan launches these files.
Payload
Launches a thread that constantly searches the system for windows with the following class names: "AVP.AlertDialog", "AVP.AhAppChangedDialog", "AVP.AhLearnDialog". When such a window is found, the trojan searches it for the following buttons: "Allow", "Skip", "Create rule", "Apply to all", "Remember this action", and emulates user clicks on them. In this way the trojan answers the anti-virus prompts itself and disables the anti-virus protection.
It also emulates clicks on the "OK" button in windows with the following titles:
- "Warning: Components Have Changed"
- "Hidden Process Requests Network Access"
The trojan gathers the following system information: partitions and free space on the hard drive, user account name, network name of the computer, installed OS, type of CPU and installed software.
Searches for the following files:
- account.cfg
- account.cfn
in the following folders:
- %Documents and Settings%\\Application Data\BatMail
- %Documents and Settings%\\Application Data\The Bat!
and in the folders referenced by the following registry key values:
[HKCU\Software\RIT\The Bat!]
- Working Directory
- ProgramDir
It then steals the contents of those files.
Gets from the registry the path where the Mirabilis ICQ client is located and searches its folder for .DAT files. If it finds them, it reads the user account information: UIN and password. The password is decrypted by the trojan's own decryption routine.
Extracts the path to the folder where Miranda IM is installed from the following registry key value:
[HKLM\Software\Miranda] Install_Dir
and searches that folder for .dat files; when found, the contents of the files are stolen.
Searches the parameters of the following registry key:
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
for those named "&RQ.exe" and "RAT.exe". If the trojan finds such parameters, it uses their values to extract a path and searches it for the file "andrq.ini".
If the trojan fails to find parameters in the key above, it tries to read the value of the following registry key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\&RQ] UninstallString
and uses the path of the referenced uninstall script to search its folder for "andrq.ini".
The trojan also gets the full information about dial-up accounts set up on the user's system, including user account name, dial number and password.
Extracts the path to the folder where Trillian is installed from the registry key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Trillian]
and steals the contents of the file "users\global\profiles.ini", extracting information about user profiles, account names and passwords. It also extracts user names and passwords from the file aim.ini.
Extracts the path to the folder where Total Commander is installed from the following registry values:
- [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Total Commander] UninstallString=
- [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Total Commander XP] UninstallString=
- [HKCU\SOFTWARE\Microsoft\Windows\ShellNoRoam\MUICache] Totalcmd.exe=
It then searches the extracted path and %WinDir% for the file "wcx_ftp.ini". It also searches for the file \Profiles\Prof\ftp.ini. From these files the trojan steals the values of the following parameters:
- host
- username
- password
- directory
- method
Extracts a path from the registry value:
[HKCU\Software\RimArts\B2\Settings] DataDir
and searches that path for the file "Mailbox.ini". If this file is found, it steals the values of the following parameters:
- UserID
- MailAddress
- MailServer
- PassWd
Extracts all entries from the Microsoft Outlook address book and the account information from the registry key:
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook]
Extracts from the registry the install locations of CuteFTP and CuteFTP Professional and searches those folders for the following files:
- sm.dat
- tree.dat
- smdata.dat
and then steals their contents.
Steals the values of the following parameters in the file %WinDir%\edialer.ini:
- LoginSaved
- PasswordSaved
Extracts the list of subkeys of the following registry key: [HKCU\Software\Far\Plugins\FTP\Hosts]. From those subkeys the trojan extracts the values of the following parameters:
- HostName
- User
- Password
- Description
Extracts the values of the following parameters:
- DIR
- DEFDIR
from the section called "WS_FTP" in the file %WinDir%\win.ini and uses them to search for the file "ws_ftp.ini", from which it steals the values of the following parameters:
- HOST
- UID
- PWD
Reads from the registry the path to the installation folder of the Opera browser and searches that folder and the following folder:
Documents and Settings\Application Data\Opera
for the file \profile\wand.dat, to steal the data stored in it.
It also searches the folder mentioned above for the following file:
\Mail\accounts.ini
and extracts the values of the following parameters:
- Email
- Incoming Username
- Incoming Servername
- Incoming Password
Reads from the registry the path to the installation folder of the Mozilla browser and steals the contents of all files in the "Profiles" subfolder.
Reads the path to the QIP IM client from the registry key:
[HKCU\SOFTWARE\Microsoft\Windows\ShellNoRoam] "qip.exe"=
and searches the "Users" subfolder for files named "Config.ini", from which it reads the following values:
- Password
- NPass
Reads the contents of the file
Documents and Settings\\Application Data\Thunderbird\Profiles.ini
and extracts the paths to the profiles, where it then searches for the files signons.txt and prefs.js and reads their contents.
Reads from the following file:
Documents and Settings\\Application Data\Qualcomm\Eudora\Eudora.ini
the values of the following parameters from the [Settings] section:
- RealName
- ReturnAddress
- PopServer
- LoginName
- SavePasswordText
Reads the path to the folder where Punto Switcher is installed from the value in the following registry key:
[HKCU\Software\Punto Switcher]
and uses it to find the file named "diary.dat" and steal its contents.
Steals the contents of the following file:
Documents and Settings\\Application Data\.gaim\accounts.xml
Steals the contents of the files located in the Firefox browser profiles.
Gets the installation path of FileZilla from the registry key:
[HKCU\Software\FileZilla] Install_Dir
and searches it for the files FileZilla.xml and sitemanager.xml, then steals their contents.
Reads the install path of FlashFXP from the registry and steals the contents of the file "Sites.dat".
Reads the contents of the following files:
- %WinDir%\VD3User.dat
- %WinDir%\Vd3main.dat
Reads the contents of the following files:
- Documents and Settings\\Application Data\SmartFTP\Client 2.0\Favorites\Favorites.dat
- Documents and Settings\\Application Data\SmartFTP\Favorites.dat
- Documents and Settings\\Application Data\SmartFTP\History.dat
Steals the values of the following parameters:
- HostName
- Port
- Username
- Password
- ItemName
in the subkeys of the following registry key:
[HKCU\Software\CoffeeCup Software\Internet\Profiles]
Reads the following registry parameter value:
[HKCU\SOFTWARE\Microsoft\Windows\ShellNoRoam] USDownloader.exe
and uses that value to search for the following files:
- USDownloader.lst
- Depositfilesl.txt
- Megauploadl.txt
- Rapidsharel.txt
to steal their contents.
Reads the following registry parameter value:
[HKCU\SOFTWARE\Microsoft\Windows\ShellNoRoam] rapget.exe
and uses that value to search for the following files:
- rapget.ini
- links.dat
to steal their contents.
Searches the folder Documents and Settings\\My Documents for files with the extension ".rdp" and steals their contents.
The trojan sends a report with all gathered information to the following e-mail address:
dim********@mail.ru
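Defensive detection logic for the behaviours in this report, as an added example (not code from the original page or from Kaspersky): it reads constructed host telemetry in an assumed "pid|event|detail" format and flags execution of the dropped files, lookups of the AVP dialog window classes, and a single process reading the registry keys of several unrelated credential stores, which no legitimate client does.

```python
# Added detection example (not the report's code); the 'pid|event|detail' telemetry format is assumed.
from collections import defaultdict

DROPPED_FILES = {"vzlom bk.exe", "cmod.exe"}  # dropped to %Temp% per the report
AV_DIALOG_CLASSES = {"avp.alertdialog", "avp.ahappchangeddialog", "avp.ahlearndialog"}
# Registry keys the trojan reads, mapped to the credential store that owns them.
CRED_STORE_KEYS = {
    r"hkcu\software\rit\the bat!": "The Bat!",
    r"hklm\software\miranda": "Miranda IM",
    r"hkcu\software\filezilla": "FileZilla",
}
STORE_THRESHOLD = 3  # one process reading >= 3 unrelated stores is the stealer pattern

def parse_event(line):
    """'pid|event|detail' -> (pid, event, detail); malformed lines yield None."""
    parts = line.strip().split("|", 2)
    if len(parts) != 3 or not parts[0].isdigit():
        return None
    return int(parts[0]), parts[1].lower(), parts[2]

def detect(lines):
    """Return a sorted list of (pid, reason) findings."""
    findings, stores = set(), defaultdict(set)
    for pid, kind, detail in filter(None, map(parse_event, lines)):
        d = detail.lower()
        if kind == "process_create" and d.replace("\\", "/").rsplit("/", 1)[-1] in DROPPED_FILES:
            findings.add((pid, "dropped LdPinch component executed: " + detail))
        elif kind == "find_window" and d in AV_DIALOG_CLASSES:
            findings.add((pid, "search for anti-virus dialog window " + detail))
        elif kind == "reg_query":
            for key, owner in CRED_STORE_KEYS.items():
                if d.startswith(key):
                    stores[pid].add(owner)
    for pid, owners in stores.items():  # cross-application store access by one process
        if len(owners) >= STORE_THRESHOLD:
            findings.add((pid, "credential stores of %d apps read: %s"
                          % (len(owners), ", ".join(sorted(owners)))))
    return sorted(findings)

# Constructed telemetry: 4101 is the dropper, 4102 the stealer, 900 the mail client itself.
SAMPLE_LOG = [
    r"4101|process_create|C:\Documents and Settings\user\Local Settings\Temp\Vzlom BK.exe",
    r"4101|process_create|C:\Documents and Settings\user\Local Settings\Temp\CMOD.exe",
    r"4102|find_window|AVP.AlertDialog",
    r"4102|reg_query|HKCU\Software\RIT\The Bat!\Working Directory",
    r"4102|reg_query|HKLM\Software\Miranda\Install_Dir",
    r"4102|reg_query|HKCU\Software\FileZilla\Install_Dir",
    r"900|reg_query|HKCU\Software\RIT\The Bat!\ProgramDir",
]
```

Process 900 touches only its own application's key and is not flagged, which is the distinction the threshold rule relies on.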
Removal instructions
If your computer was not protected by anti-virus software and was infected by this malware program, follow the instructions below to remove it manually:
- Using Task Manager, terminate the trojan process.
- Delete the original trojan file (its file name and location depend on the way the trojan originally penetrated the target computer).
- Delete the following files:
  %Temp%\Vzlom BK.exe
  %Temp%\CMOD.exe
- Check your system for viruses using updated anti-virus definitions.