PWS:Win32/Ldpinch


Win32/Ldpinch is a family of password-stealing trojans. This trojan gathers private user data such as passwords from the host computer and sends the data to the attacker at a preset e-mail address. The Win32/Ldpinch trojans use their own Simple Mail Transfer Protocol (SMTP) engine or a web-based proxy for sending the e-mail, thus copies of the sent e-mail will not appear in the affected user's e-mail client.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.

Threat behavior

A Win32/Ldpinch trojan typically takes the following actions on the host computer: 
  • Creates a copy of itself in the Windows folder or the system folder. The file name of the copy may vary.
  • Creates an entry under one or both of the following registry subkeys to run this copy of the trojan each time Windows starts:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • Attempts to gather data from the host computer. The Win32/Ldpinch trojan may gather data such as e-mail addresses, passwords, and system configuration information, including registry settings. It may also gather data from installed applications such as &RQ, FAR, ICQ, The Bat!, and Total Commander.
  • Encodes the passwords and sends them along with other collected information to a preset e-mail address. The Win32/Ldpinch trojans use their own Simple Mail Transfer Protocol (SMTP) engine or a web-based proxy for sending the e-mail, thus copies of the sent e-mail will not appear in the affected user's e-mail client.

Symptoms

Win32/Ldpinch variants have varying symptoms; however, this trojan family has some shared characteristics and actions:
  • Creates an entry under one or both of the following registry subkeys to run this copy of the trojan each time Windows starts:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • Attempts to gather data from the host computer. The Win32/Ldpinch trojan may gather data such as e-mail addresses, passwords, and system configuration information, including registry settings. It may also gather data from installed applications such as &RQ, FAR, ICQ, The Bat!, and Total Commander.
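The persistence behaviour listed under both Threat behavior and Symptoms (a copy dropped in the Windows or system folder, started from the HKLM/HKCU Run subkeys) can be checked for with a short PowerShell review script. This is an added example written for this entry, not code from Microsoft; the function names are my own, and it assumes a PowerShell 3.0 or later session on the host being examined.

```powershell
# Added example, not from the encyclopedia entry: enumerate the two Run subkeys
# named above and flag values whose executable sits directly in the Windows folder
# or the system folder, where Win32/Ldpinch places its copy. Hits are leads for
# review, not verdicts; legitimate software uses these keys too.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'  # provider metadata, not registry values

function Get-RunTarget {
    # Pull the executable path out of a Run value's command line,
    # handling quoted paths and %SystemRoot%-style variables
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    return ($cmd -split '\s+')[0]
}

function Get-RunEntryReport {
    $winDir = $env:SystemRoot
    $sysDir = Join-Path $winDir 'System32'
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $ProviderProps) { continue }
            $target = Get-RunTarget -CommandLine ([string]$p.Value)
            if (-not $target) { continue }   # empty value, nothing to resolve
            $parent = Split-Path -Path $target -Parent -ErrorAction SilentlyContinue
            $sig = if (Test-Path -LiteralPath $target -PathType Leaf) {
                (Get-AuthenticodeSignature -FilePath $target).Status
            } else { 'FileNotFound' }
            [pscustomobject]@{
                Key        = $key
                ValueName  = $p.Name
                Target     = $target
                InWinOrSys = ($parent -eq $winDir) -or ($parent -eq $sysDir)
                Signature  = $sig
            }
        }
    }
}
# Flagged entries first; inspect Signature and the file itself before acting on a hit
Get-RunEntryReport | Sort-Object -Property InWinOrSys -Descending | Format-Table -AutoSize
```

An entry with InWinOrSys set, an unsigned or missing target, and an unfamiliar file name is the pattern worth submitting for a full scan, as the removal advice above recommends.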

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.183.370.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Oct 26, 2006
This entry was updated on: Apr 17, 2011

This threat is also detected as:
No known aliases