Threat Encyclopedia

Win32/PSW.LdPinch.NCB

Aliases: Trojan-PSW.Win32.LdPinch.rrh (Kaspersky), PWS:Win32/Ldpinch.gen (Microsoft), PWS-LDPinch (McAfee)
Type of infiltration: Trojan
Size: 50688 B
Affected platforms: Microsoft Windows
Signature database version: 3955 (20090323)

Short description

Win32/PSW.LdPinch.NCB is a trojan that steals passwords and other sensitive information. The trojan can send the information to a remote machine.

Installation

The trojan does not create any copies of itself.

The following Registry entry is set:
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%filename%" = "%filename%:*:Enabled:Enabled"
This entry registers the trojan's executable as an authorized application in Windows Firewall, so the firewall allows its network traffic without blocking it or prompting the user.

Information stealing

Win32/PSW.LdPinch.NCB is a trojan that steals passwords and other sensitive information.

The trojan collects information related to the following applications:
  • The Bat!
  • ICQ
  • &RQ
  • Miranda IM
  • Trillian IM
  • RASDIAL
  • Total Commander
  • Becky! Internet Mail
  • Internet Explorer
  • Microsoft Outlook
  • CuteFTP
  • E-Dialer
  • Far
  • WS_FTP
  • Opera
  • Mozilla Firefox
  • QIP
  • Mozilla Thunderbird
  • Mail.Ru
  • Eudora
  • Punto Switcher
  • Gaim
  • FileZilla
  • FlashFXP
  • Windows Live Messenger
  • VDialer
  • SmartFTP
  • CoffeeCup
  • RapGet
  • Rapidshare Instant Downloader
  • Universal Share Downloader
  • Windows Remote Desktop
The trojan collects the following information:
  • operating system version
  • user name
  • computer name
  • list of disk devices and their type
  • network adapter information
  • list of running processes
  • current screen resolution
  • installed program components under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] Registry subkeys
  • CPU information
  • memory status
  • list of computer users
The trojan can send the information to a remote machine.

The trojan contains one URL.

The HTTP protocol is used.

Other information

The trojan may create the following files:
  • %system%\%variable1%.sys (1856 B)
  • C:\sourcefile.dat
The trojan may install the following system drivers (path, name):
  • %system%\%variable1%.sys, %variable2%
A string with variable content is used instead of %variable1-2%.

The trojan may set the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\MirM]
    "Dat" = "%variable%"
A string with variable content is used instead of %variable%.
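The two Registry indicators on this page, the Windows Firewall AuthorizedApplications entry from the Installation section and the HKEY_LOCAL_MACHINE\SOFTWARE\MirM "Dat" value above, can be checked offline against a Registry export. The script below is an added example written for this page, not ESET's code or a detection from the signature database. It parses a .reg export and flags entries that match the page's description. Only the key names and the "path:*:Enabled:Enabled" value shape come from the page; the sample export, the file name svchosst.exe, the contents of "Dat", and the Temp-directory heuristic are constructed for illustration and labelled as such in the code.

```python
r"""Added example (not ESET's code): parse a Windows .reg export and flag the two
registry indicators this page reports for Win32/PSW.LdPinch.NCB, i.e. the
Windows Firewall AuthorizedApplications entry and the HKLM\SOFTWARE\MirM "Dat"
value. Everything beyond the page's own key and value names is an assumption."""
import re

# Constructed sample export. The paths, the file name "svchosst.exe" and the
# "Dat" contents are made up; only the key names and the "path:*:Enabled:Enabled"
# shape come from the page.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchosst.exe"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchosst.exe:*:Enabled:Enabled"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

[HKEY_LOCAL_MACHINE\SOFTWARE\MirM]
"Dat"="3f9a1c"
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"=<data>; the name may contain escaped quotes or backslashes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.+)$')
# Match any control set and both the Standard and Domain profiles.
FW_LIST_RE = re.compile(
    r'^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)\\Services'
    r'\\SharedAccess\\Parameters\\FirewallPolicy\\(?:Standard|Domain)Profile'
    r'\\AuthorizedApplications\\List$', re.IGNORECASE)
MIRM_KEY = r"hkey_local_machine\software\mirm"


def unescape(s):
    """Undo the .reg escaping of backslashes and double quotes."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text):
    """Return {key: {value_name: value}} for string values in a .reg export.
    Non-string data (dword:, hex:) is kept as its raw text."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            raw = m.group(2)
            value = unescape(raw[1:-1]) if raw.startswith('"') and raw.endswith('"') else raw
            keys[current][unescape(m.group(1))] = value
    return keys


def parse_authorized_app(value):
    """Split an XP SP2 firewall exception, "path:scope:Enabled|Disabled:display name".
    The path contains a drive-letter colon, so split from the right."""
    parts = value.rsplit(':', 3)
    if len(parts) != 4:
        return None
    return dict(zip(("path", "scope", "state", "display"), parts))


def find_indicators(keys):
    """Return (key, value_name, reason) triples for entries worth a closer look."""
    findings = []
    for key, values in keys.items():
        if FW_LIST_RE.match(key):
            for name, value in values.items():
                entry = parse_authorized_app(value)
                if entry is None:
                    findings.append((key, name, "malformed AuthorizedApplications entry"))
                    continue
                reasons = []
                if entry["display"] == "Enabled":
                    # The page reports the trojan writes "Enabled" where a display name belongs.
                    reasons.append("display name is the literal 'Enabled'")
                if entry["path"].lower() != name.lower():
                    reasons.append("value name and path field differ")
                if "\\temp\\" in entry["path"].lower():
                    reasons.append("executable lives in a Temp directory (assumed heuristic)")
                if reasons:
                    findings.append((key, name, "; ".join(reasons)))
        elif key.lower() == MIRM_KEY and "Dat" in values:
            findings.append((key, "Dat", "HKLM\\SOFTWARE\\MirM \"Dat\" marker present"))
    return findings


if __name__ == "__main__":
    for key, name, reason in find_indicators(parse_reg(SAMPLE_REG)):
        print(f"{key}\n  {name}: {reason}")
```

On a live host the input would come from `reg export` of the two keys; that tool writes UTF-16 text with a byte-order mark, so decode the file before handing it to parse_reg. The firewall check deliberately matches every control set and both profiles, because the page only documents ControlSet001 and the Standard profile and the same entry under CurrentControlSet or the Domain profile is just as suspicious.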

The trojan interferes with the operation of some security applications to avoid detection.