Threat behavior
PWS:Win32/Ldpinch.VA may be spread in a file named "Windows_Vista_All_Versions_Activation_21.11.06.exe", which may be distributed via BitTorrent or other file sharing networks. The trojan masquerades as a tool to bypass Windows Vista authentication. Instructions included with the tool specify logging in as Administrator. This allows the trojan to gain full access and facilitates the stealing of usernames, passwords and other data, as well as allowing it to create a backdoor on the system.
When the file containing PWS:Win32/Ldpinch.VA is run, it drops and runs the following executables:
%UserProfile%\Local Settings\temp\smss.exe
%UserProfile%\Local Settings\temp\vista.exe
%windir%\csrss.exe
The following registry modification is made by the trojan:
creates value: "system"
with data: "%windir%\csrss.exe"
in subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
PWS:Win32/Ldpinch.VA creates an FTP server on TCP port 21, with username 123 and password 123. The trojan also establishes a SOCKS5 proxy and a remote shell on two random ports. After opening the ports and establishing the services, PWS:Win32/Ldpinch.VA sends an HTTP GET request to http://muafk.com. The request contains the ports and credentials used for establishing the services, as well as the operating system version and a unique identifier for the system.
The PWS:Win32/Ldpinch.VA trojan also contains a backdoor that can be used by a remote attacker to steal passwords and other login information, including any of the following:
- Computer name, OS version, DisplayName, DisplayVersion
- ICQ account details
- FTP properties including host, username, password, directory, method
- Email account credentials and server information for SMTP, POP3, IMAP and HTTP accounts
- Passport and MSN Messenger credentials
- CoffeeCup profiles, hostname, port, and credentials
- Becky Internet Mail accounts and credentials
- Gaim IM client accounts
- Miranda IM account information
- Settings for www.mail.ru, including username and password
The backdoor also provides the attacker with the ability to create, download, upload, rename, and execute files on the remote system.
PWS:Win32/Ldpinch.VA tries to avoid detection by modifying rules and allowed lists for both Kaspersky Anti-Hacker and the Windows firewall.
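As an added detection example (not part of the original entry), the following Python function checks a host snapshot for the indicators listed above: the three dropped files, the "system" value under the policies\Explorer\Run subkey, an FTP listener on TCP port 21, and the HTTP beacon to muafk.com. The snapshot layout, the environment values and the sample host data are constructed for illustration; a real csrss.exe lives in %windir%\System32, which is why only the copy directly under %windir% is flagged.

```python
import re

# Indicators from the PWS:Win32/Ldpinch.VA description above (paths as the entry gives them).
DROPPED_FILES = [
    r"%UserProfile%\Local Settings\temp\smss.exe",
    r"%UserProfile%\Local Settings\temp\vista.exe",
    r"%windir%\csrss.exe",
]
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run"
RUN_VALUE, RUN_DATA = "system", r"%windir%\csrss.exe"
BEACON_HOST = "muafk.com"


def expand(path, env):
    """Expand %VAR% tokens from env and lower-case the result so paths compare case-insensitively."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path).lower()


def find_ldpinch_indicators(snapshot):
    """Return a list of findings for one host snapshot (assumed dict layout, see SAMPLE below)."""
    env, hits = snapshot["env"], []
    expected = {expand(p, env) for p in DROPPED_FILES}
    for f in snapshot["files"]:
        # Only the exact dropped paths match; %windir%\System32\csrss.exe is the legitimate binary.
        if expand(f, env) in expected:
            hits.append(f"dropped file present: {f}")
    for name, data in snapshot["registry"].get(RUN_KEY, {}).items():
        if name.lower() == RUN_VALUE and expand(data, env) == expand(RUN_DATA, env):
            hits.append(f"persistence: policies\\Explorer\\Run value {name!r} -> {data}")
    if 21 in snapshot["listening"]:
        hits.append("TCP port 21 listening (trojan hosts an FTP server with username/password 123)")
    for host in snapshot["http_hosts"]:
        if host.lower() == BEACON_HOST:
            hits.append(f"HTTP GET beacon to {host}")
    return hits


# Constructed sample snapshot for demonstration; not real telemetry.
SAMPLE = {
    "env": {"windir": r"C:\WINDOWS", "userprofile": r"C:\Documents and Settings\Alice"},
    "files": [
        r"C:\WINDOWS\system32\csrss.exe",  # legitimate csrss.exe: must not be flagged
        r"C:\WINDOWS\csrss.exe",
        r"C:\Documents and Settings\Alice\Local Settings\Temp\vista.exe",
    ],
    "registry": {RUN_KEY: {"System": r"%windir%\csrss.exe"}},
    "listening": [21, 135, 445],
    "http_hosts": ["update.microsoft.com", "muafk.com"],
}


def scan_sample():
    return find_ldpinch_indicators(SAMPLE)


if __name__ == "__main__":
    for line in scan_sample():
        print(line)
```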
Prevention