Friday, 24 February 2012

PWS:Win32/Ldpinch.BQ


Encyclopedia entry
Updated: Apr 17, 2011  |  Published: Nov 25, 2009

Aliases
  • Backdoor.Win32.Rbot.agml (Kaspersky)
  • W32.Spybot.Worm (Symantec)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.115.2143.0
Released: Nov 18, 2011
Detection initially created:
Definition: 1.49.1662.0
Released: Jan 08, 2009



Summary

PWS:Win32/Ldpinch.BQ is a member of Win32/Ldpinch - a family of trojans that steals sensitive information from affected machines and sends it to a remote attacker. In particular, Ldpinch variants target passwords for a comprehensive selection of FTP, chat and e-mail clients, as well as those stored by browsers and in protected storage.



Symptoms

There are no obvious symptoms that indicate the presence of this malware on an affected machine.

Technical Information (Analysis)

PWS:Win32/Ldpinch.BQ is a member of Win32/Ldpinch - a family of trojans that steals sensitive information from affected machines and sends it to a remote attacker. In particular, Ldpinch variants target passwords for a comprehensive selection of FTP, chat and e-mail clients, as well as those stored in browsers and protected storage.

Installation

PWS:Win32/Ldpinch.BQ runs from where it was first executed and does not install itself on the affected computer.

Payload

Steals sensitive information

PWS:Win32/Ldpinch.BQ attempts to steal passwords from a number of different sources. It may target the following:
  • Windows
    Protected Storage
    Passport.Net / Windows Live credentials
    Remote Access Service (RAS)
    Remote Desktop Protocol (RDP)
  • Chat clients
    ICQ
    &RQ
    QIP
    Trillian
    Gaim
  • Browsers
    Opera
    Mozilla Firefox
  • Mail clients
    Mozilla Thunderbird
    The Bat!
    Outlook
    Becky
    Eudora
  • FTP clients
    Total Commander / Windows Commander
    FTP Commander
    CuteFTP
    WS_FTP
    FileZilla
    FlashFXP
    FreeFTP
    SmartFTP
    Far FTP plugin
  • Rapidshare downloaders
    RapGET
    USDownloader

Win32/Ldpinch may also capture additional information about the affected computer, including the following:
  • Computer name
  • Running processes
  • Connected drive properties
  • Memory status
  • Username
  • Operating system 'product' ID

Win32/Ldpinch sends the captured information to a remote attacker. While older variants of this family sent the captured data by e-mail, recent variants send it via HTTP to particular remote hosts (often to remote PHP scripts).

PWS:Win32/Ldpinch.BQ has been observed contacting PHP scripts at the following remote host(s) for this purpose, for example:
  • iamdie.silena.mobi
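A proxy-log hunt for the HTTP exfiltration channel described above, added here as an example and not part of the encyclopedia entry: it flags any request to the host listed for this variant (high confidence) and, as a lower-confidence lead, POSTs to remote PHP scripts on hosts outside an allowlist. The Squid-style access-log format, the allowlist and the sample log lines are assumptions; only the host name is taken from the entry.

```python
import re
from urllib.parse import urlsplit

# Host taken from the encyclopedia entry above; everything else in this file is constructed.
KNOWN_LDPINCH_HOSTS = {"iamdie.silena.mobi"}
# Internal web apps that legitimately receive POSTs to PHP pages (assumed allowlist).
ALLOWED_PHP_HOSTS = {"intranet.example.local"}

# Squid-style native access.log (assumed format):
# timestamp elapsed client status/code bytes method url user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)

def classify(line):
    """Return the reasons a proxy log line matches the Ldpinch exfil pattern ([] = clean).
    High confidence: any request to a host listed for this variant.  Low confidence
    (hunting lead): a POST to a .php script on a host outside the allowlist, the
    channel the entry describes for recent variants."""
    m = LINE_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m["url"])
    host = (parts.hostname or "").lower()
    reasons = []
    if host in KNOWN_LDPINCH_HOSTS:
        reasons.append("known Ldpinch host")
    if m["method"] == "POST" and parts.path.lower().endswith(".php") and host not in ALLOWED_PHP_HOSTS:
        reasons.append("POST to remote PHP script")
    return reasons

def hunt(lines):
    """Run classify() over a log and return one record per matching line."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            m = LINE_RE.match(line)
            hits.append({"ts": m["ts"], "client": m["client"], "url": m["url"], "reasons": reasons})
    return hits

# Constructed sample log: only the host on the first line comes from the entry;
# paths, client and peer addresses are invented for the example.
SAMPLE_LOG = """\
1330081201.123    512 10.0.0.15 TCP_MISS/200 2310 POST http://iamdie.silena.mobi/collect.php - DIRECT/203.0.113.5 text/html
1330081202.456     88 10.0.0.15 TCP_MISS/200 5120 POST http://intranet.example.local/index.php - DIRECT/10.0.0.2 text/html
1330081203.789    301 10.0.0.22 TCP_MISS/200 640 POST http://203.0.113.77/upload.php - DIRECT/203.0.113.77 text/html
1330081204.001     40 10.0.0.22 TCP_MISS/200 1200 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
"""
```

Running `hunt(SAMPLE_LOG.splitlines())` returns two records: the first line (known host and PHP POST) and the third (PHP POST to an unlisted host); the allowlisted intranet POST and the plain GET are not reported.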
Analysis by Scott Molenkamp
