TSPY_LDPINCH


ALIASES:

Wadolin, LdPinch

PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

OVERVIEW

Infection Channel:

Propagates via removable drives, Dropped by other malware, Downloaded from the Internet


The LDPINCH malware family comprises worms and Trojans noted for their information-stealing routine. The first strains of this family appeared in 2007.

Its variants are known to be downloaded from compromised sites. Its worm variants are known to spread via removable drives.

LDPINCH malware collects user information from programs commonly used for email, FTP, file sharing, browsing, and instant messaging. The programs it collects data from include the following:

  • CuteFTP

  • Eudora

  • ICQ

  • Mozilla Firefox

  • Opera

  • Outlook

  • Trillian

TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Steals information

Installation

This spyware drops the following files:

  • {drive letter}\autorun.inf

It drops the following copies of itself into the affected system:

  • %System%\sisis.exe
  • {drive letter}\autorun.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
sisis = "%System%\sisis.exe"

Other System Modifications

This spyware creates the following registry entry to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{malware path}\{malware name} = "{malware path}\{malware name}:*:Enabled:Enabled"
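As an added example (not code from the Trend Micro entry), the following Python parses a constructed .reg export and flags both artefacts described above: a Run entry pointing at one of the dropped copies, and an AuthorizedApplications exception whose display-name field is just "Enabled". The registry key paths come from this entry; the concrete paths assume the Windows XP %System% location given in the note above, and the igfxtray and msmsgs values are constructed benign entries for contrast.

```python
import re
import ntpath

_KEY_RE = re.compile(r'^\[(.+)\]$')                                    # [HKEY_...\Sub\Key]
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')  # "name"="value"

RUN_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
FW_LIST_KEY = (r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess'
               r'\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List')
DROPPED_NAMES = {'sisis.exe', 'autorun.exe'}  # copies of itself named in this entry

# Constructed .reg export (not from a real host): one benign and one LDPINCH-style
# value under each key, with %System% expanded as on Windows XP.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\Windows\\System32\\igfxtray.exe"
"sisis"="C:\\Windows\\System32\\sisis.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Windows\\System32\\sisis.exe"="C:\\Windows\\System32\\sisis.exe:*:Enabled:Enabled"
'''

def parse_reg(text):
    # Returns {key: {name: value}}, undoing the backslash escaping of .reg strings.
    keys, current = {}, None
    for line in text.splitlines():
        if m := _KEY_RE.match(line.strip()):
            current = m.group(1)
            keys.setdefault(current, {})
        elif current is not None and (m := _VALUE_RE.match(line.strip())):
            name, value = (g.replace('\\\\', '\\').replace('\\"', '"') for g in m.groups())
            keys[current][name] = value
    return keys

def find_indicators(text):
    # Flag Run entries and firewall exceptions matching the artefacts in this entry.
    keys, findings = parse_reg(text), []
    for name, path in keys.get(RUN_KEY, {}).items():
        if ntpath.basename(path).lower() in DROPPED_NAMES:
            findings.append(('run', name, path))
    for value in keys.get(FW_LIST_KEY, {}).values():
        # XP SP2 layout is <path>:<scope>:<Enabled|Disabled>:<display name>; the
        # path itself contains ':' so the value must be split from the right.
        parts = value.rsplit(':', 3)
        if len(parts) != 4 or parts[2] != 'Enabled':
            continue
        path, display = parts[0], parts[3]
        # A display name of just "Enabled" is the pattern this entry documents.
        if ntpath.basename(path).lower() in DROPPED_NAMES or display == 'Enabled':
            findings.append(('firewall', path, value))
    return findings
```

Running `find_indicators(SAMPLE_REG)` returns one `run` and one `firewall` finding for the sisis.exe values and nothing for the two benign entries; point it at the output of `reg export` from a suspect host to use it in practice.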

Other Details

This spyware connects to the following possibly malicious URLs:

