PWS:Win32/Ldpinch.CW

PWS:Win32/Ldpinch.CW is a trojan that displays a spoofed login page that asks for a user's credentials. Whatever information the user enters is sent to a remote server.

Installation

PWS:Win32/Ldpinch.CW arrives in the computer as a self-extracting WinRAR archive. Upon execution, it drops the following files:

• %ProgramFiles%\JavaUpdatecdr.cpl - detected as PWS:Win32/Ldpinch.CW
• %ProgramFiles%\svchost.exe
• %ProgramFiles%\scvhost.exe.tmp

Payload

Steals user credentials
PWS:Win32/Ldpinch.CW may display a webpage that spoofs a login page. It may have dropdown menus that use JavaScript. If the user enters data into the login page, the information is sent to a remote server.

Connects to a server
PWS:Win32/Ldpinch.CW communicates with remote servers to download configuration data files or other updates. In the wild, this trojan has been observed to connect to the following servers:

Analysis by Daniel Radu