Trojan-PSW.Win32.LdPinch.bkk

RISK LEVEL: 2



This Trojan is designed to steal confidential information (user passwords). It is designed to steal a range of confidential information.

It is a Windows PE EXE file. The file is approximately 49KB in size. It is written in Assembler.

Installation

When launching, the Trojan extracts the following files from its body:

  • %Temp%\Pinch;009.exe — this file is 26,635 bytes in size;
  • %Temp%\drag_and_go_back_spezial.swf — this file is 19,006 bytes in size.

The files will then be launched for execution.

The Trojan also adds the following parameter to the system registry:

[HKLM\System\ControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"<name of Trojan program>" = "<name of Trojan program>:*:Enabled:"

The Trojan constantly searches for windows of the following classes: "AVP.AlertDialog", "AVP.AhAppChangedDialog", "AVP.AhLearnDialog". Within these windows it will emulate clicking on the following buttons: "Razreshit' ['Allow' in Russian]", "Allow", "Skip", "Sozdat' pravilo ['Create Rule' in Russian]", "Apply to all", "Remember this action". It will close windows of the class "AVP.Product_Notification".

The Trojan searches for windows whose title contains one of the following strings: "Kaspersky Anti-Hacker - Sozdat' pravilo dlya [Russian version of the following string]" or "Kaspersky Anti-Hacker - Create a rule for", and emulates clicking on the following button: "Razreshit' odnokratno [Russian version of the following string]" or "Allow Once".

The Trojan also emulates clicking on "OK" in windows with the following titles:

Vnimanie: Nekotoryie komponentyi izmenilis'
Warning: Components Have Changed
Skrityi protsess zaprashivaet setevoi dostyp
Hidden Process Requests Network Access

The Trojan harvests information about the hard disk, how much free space remains on the disk, the current user's account, the network name of the victim machine, the version of the operating system, the type of processor, screen options, programs installed on the computer, active processes and dial-up connections.

The Trojan searches for the files account.cfg and account.cfn in the following folders:

%Documents and Settings%\<name of current user>\Application Data\BatMail
%Documents and Settings%\<name of current user>\Application Data\The Bat!

It also searches the folders indicated in the following registry key parameters for these files:

[HKCU\Software\RIT\The Bat!]
Working Directory
ProgramDir

It will harvest the contents of these files.

The Trojan gets the path to the Mirabilis ICQ client (if installed), searches for files with a DAT extension and harvests their contents.

The Trojan reads the path to the Miranda client (if installed) from the following registry section:

[HKLM\Software\Miranda]
Install_Dir

searches it for files with a DAT extension and harvests their contents.

The Trojan also searches the parameters of the following registry key: [HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache] for parameters called RQ.exe and RAT.exe. It gets the value for these files (if found) and uses it to search for a file called andrq.in.

If it does not find these files, it gets the value from the following registry key

[HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\RQ]
UninstallString

and uses it to search for a file called andrq.ini.

The Trojan gets the path to the file with the Trillian client (if installed) from the following registry key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Trillian]

It reads the contents of users\global\profiles.ini, and extracts information about the current user profile. It also reads the user name and password from aim.ini.

The Trojan gets the path to Total Commander (if installed) from the following registry keys:

[HKCU\Software\Ghisler\Windows Commander]

[HKCU\Software\Ghisler\Total Commander]

[HKLM\Software\Ghisler\Windows Commander]

[HKLM\Software\Ghisler\Total Commander]

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Total Commander]
UninstallString

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Total Commander XP]
UninstallString

[HKCU\SOFTWARE\Microsoft\Windows\ShellNoRoam\MUICache]
Totalcmd.exe

The Trojan searches this folder, and also %WinDir%, for a file called wcx_ftp.ini or ftp.ini, in which it searches for the following parameters and gets their values:

host
username
password
directory
method

The Trojan uses the following registry key: [HKCU\Software\RimArts\B2\Settings]. It searches for a file called Mailbox.ini, searches for the following parameters, and gets their values:

UserID
MailAddress
MailServer
PassWd

The Trojan gets a list of entries in the address book, and passwords to Microsoft Outlook accounts from the following registry key:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook]

The Trojan gets the path to CuteFTP and CuteFTP Professional (if installed) and searches them for the following files:

sm.dat
tree.dat
smdata.dat

It will harvest the contents of these files.

The Trojan gets the values of the following parameters from %WinDir%\edialer.ini:

LoginSaved
PasswordSaved

The Trojan gets a list of keys in [HKCU\Software\Far\Plugins\FTP\Hosts] and gets the values of the following parameters:

HostName
User
Password
Description

The Trojan gets the values of DIR and DEFDIR from "WS_FTP" in %WinDir%\win.ini and uses the values to search for a file called ws_ftp.ini. It reads the values of the following parameters from this file:

HOST
UID
PWD

The Trojan reads the path to the Opera client (if installed) and searches both its folder, and the path shown below:

%Documents and Settings%\<name of current user>\Application Data\Opera

for a file called \profile\wand.dat. It harvests the contents of this file.

The Trojan gets the path to Mozilla (if installed) from the system registry, and harvests all files in the Profiles folder.

The Trojan gets the path to QIP (if installed) from the following registry key:

[HKCU\Software\Microsoft\Windows\ShellNoRoam]
"qip.exe"

It searches the program folder, the subfolder Users and all folders in that subfolder for Config.ini. It gets the values for:

Password
NPass

The Trojan reads the contents of %Documents and Settings%\<user name>\Application Data\Thunderbird\Profiles.ini and extracts a path to profiles, where it will search for files called signons.txt and prefs.js, and harvest their contents.

The Trojan gets the values of all subkeys of the following registry key:

[HKCU\Software\Mail.Ru\Agent\mra_logins]

The Trojan reads the following parameters from %Documents and Settings%\<username>\Application Data\Qualcomm\Eudora\Eudora.ini:

RealName
ReturnAddress
PopServer
LoginName
SavePasswordText

The Trojan reads the path to Punto Switcher (if installed) from the following registry key:

[HKCU\Software\Punto Switcher]

and reads the contents of "diary.dat".

It reads the value of %Documents and Settings%\<name of current user>\Application Data\gaim\accounts.xml.

The Trojan harvests the contents of files located in the Firefox profiles.

The Trojan gets the path to the folder with FileZilla (if installed) from the following registry key:

[HKCU\Software\FileZilla]
Install_Dir

and harvests the contents of FileZilla.xml and sitemanager.xml.

The Trojan gets the path to the folder with FlashFXP (if installed) and harvests the contents of Sites.dat.

It harvests the contents of the following files:

%WinDir%\VD3User.dat
%WinDir%\Vd3main.dat

It also harvests the contents of the following files:

%Documents and Settings%\<name of current user>\Application Data\SmartFTP\Client2.0\Favorites\Favorites.dat

%Documents and Settings%\<name of current user>\Application Data\SmartFTP\Favorites.dat

%Documents and Settings%\<name of current user>\Application Data\SmartFTP\History.dat

It harvests the following values:

HostName
Port
Username
Password
ItemName

from the following registry subkey:

[HKCU\Software\CoffeeCup Software\Internet\Profiles]

The Trojan reads the value of the following registry key parameter:

[HKCU\Software\Microsoft\Windows\ShellNoRoam]
USDownloader.exe

and uses it to search for the files listed below:

USDownloader.lst
Depositfilesl.txt
Megauploadl.txt
Rapidsharel.txt

It harvests the contents of these files.

The Trojan reads the value of the following registry key parameter:

[HKCU\Software\Microsoft\Windows\ShellNoRoam]
rapget.exe

and uses it to search for the files listed below:

rapget.ini
links.dat

It harvests the contents of these files.

The Trojan searches %Documents and Settings%\<user name>\My Documents for files with an .rdp extension and harvests their contents.

The Trojan sends all the data harvested to ****n@timeparty.org, the remote malicious user's email.

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Delete the Trojan process.
  2. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  3. Delete the following files:
    %Temp%\Pinch;009.exe
    %Temp%\drag_and_go_back_spezial.swf
  4. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
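The manual steps above as a PowerShell audit script, added here as an example and not part of the original entry. It assumes the live registry key uses CurrentControlSet (the entry writes "ControlSet"), that the Trojan's firewall exception keeps the empty display name shown in the Installation section, and that the script runs in an elevated session; without -Remove it only reports.

```powershell
# Added example, not from the original entry: audit for the artifacts described
# above and, with -Remove, carry out removal steps 1 to 3. Run elevated.
[CmdletBinding()]
param([switch]$Remove)

# Files the Trojan drops into %Temp% (names taken from the entry above).
$dropped = @("$env:TEMP\Pinch;009.exe", "$env:TEMP\drag_and_go_back_spezial.swf")

# The entry writes "ControlSet"; the live XP-era key uses CurrentControlSet (assumption).
$fwList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'

foreach ($f in $dropped) {
    if (Test-Path -LiteralPath $f) {
        Write-Output "Dropped file present: $f"
        if ($Remove) { Remove-Item -LiteralPath $f -Force }   # step 3
    }
}

if (Test-Path -LiteralPath $fwList) {
    $entries = Get-ItemProperty -LiteralPath $fwList
    foreach ($p in $entries.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # PSPath, PSChildName, ... are not firewall entries
        # Each value has the form "<path>:*:Enabled:<display name>". The Trojan's
        # entry leaves the display name empty and uses its own path as the value name.
        if (-not ($p.Value -match '^(?<path>.+):\*:(?<state>Enabled|Disabled):(?<name>.*)$')) { continue }
        $path = $Matches['path']
        $name = $Matches['name']
        $suspicious = ($name -eq '') -or ($path -like "$env:TEMP\*")
        if (-not $suspicious) { continue }
        Write-Output "Suspicious firewall exception: $($p.Name) -> $($p.Value)"
        # Step 1: stop the process if the excepted executable is running.
        Get-Process | Where-Object { $_.Path -eq $path } | ForEach-Object {
            Write-Output "  running as PID $($_.Id)"
            if ($Remove) { Stop-Process -Id $_.Id -Force }
        }
        if ($Remove) {
            Remove-ItemProperty -LiteralPath $fwList -Name $p.Name       # drop the exception
            if (Test-Path -LiteralPath $path) { Remove-Item -LiteralPath $path -Force }   # step 2
        }
    }
}
```

Step 4 (updating signatures and running a full scan) is left to the antivirus product; the script only handles the artifacts the entry names.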


Printed from: http://www.viruslist.com/en/viruses/encyclopedia?virusid=150319

