Encyclopedia entry
Updated: Apr 17, 2011 | Published: Nov 25, 2009
Aliases
- Backdoor.Win32.Rbot.agml (Kaspersky)
- W32.Spybot.Worm (Symantec)
Alert Level
Severe
Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated: Definition 1.121.1275.0, released Mar 10, 2012 | Detection initially created: Definition 1.49.1662.0, released Jan 08, 2009
Summary
PWS:Win32/Ldpinch.BQ is a member of Win32/Ldpinch, a family of trojans that steal sensitive information from affected machines and send it to a remote attacker. In particular, Ldpinch variants target passwords for a comprehensive selection of FTP, chat and e-mail clients, as well as those stored by browsers and in Windows Protected Storage.
Symptoms
There are no obvious symptoms that indicate the presence of this malware on an affected machine.
Technical Information (Analysis)
PWS:Win32/Ldpinch.BQ is a member of Win32/Ldpinch, a family of trojans that steal sensitive information from affected machines and send it to a remote attacker. In particular, Ldpinch variants target passwords for a comprehensive selection of FTP, chat and e-mail clients, as well as those stored by browsers and in Windows Protected Storage.
Installation
PWS:Win32/Ldpinch.BQ runs from the location where it was first executed and does not install itself on the affected computer; that is, it does not copy itself elsewhere, and the password theft and exfiltration below happen in the single run.
Payload
Steals sensitive information
PWS:Win32/Ldpinch.BQ attempts to steal passwords from a number of different sources. It may target the following:
- Windows Protected Storage
- Passport.Net / Windows Live credentials
- Remote Access Service (RAS)
- Remote Desktop Protocol (RDP)
- Chat clients: ICQ, &RQ, QIP, Trillian, Gaim
- Browsers: Opera, Mozilla Firefox
- Mail clients: Mozilla Thunderbird, The Bat!, Outlook, Becky, Eudora
- FTP clients: Total Commander / Windows Commander, FTP Commander, CuteFTP, WS_FTP, FileZilla, FlashFXP, FreeFTP, SmartFTP, Far FTP plugin
- Rapidshare downloaders: RapGET, USDownloader
Win32/Ldpinch may also capture additional information regarding the affected computer, including the following:
- Computer name
- Running processes
- Connected drive properties
- Memory status
- Username
- Operating system ‘product’ id
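The FTP clients listed above are attractive to a password stealer because several of them keep saved site credentials in a file the malware can simply read and decode. The following is an added example, not code from the original entry or from Microsoft, that audits a FileZilla Site Manager file to show what a Ldpinch-style stealer would harvest from one such client. FileZilla stores saved sites in sitemanager.xml (on Windows under %APPDATA%\FileZilla); older versions keep the <Pass> element in plain text, newer ones base64-encode it with encoding="base64". The XML below is constructed for this example and is not captured from a real system.

```python
"""Added example (not from the original encyclopedia entry): enumerate the FTP
credentials a Ldpinch-style stealer could recover from a FileZilla
sitemanager.xml. The sample XML is constructed for this example.
"""
import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: one base64-encoded password, one legacy plain-text
# password, and one site with no stored password at all.
SAMPLE_SITEMANAGER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.40.0" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>webadmin</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Name>production site</Name>
    </Server>
    <Server>
      <Host>legacy.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>olduser</User>
      <Pass>plaintext-secret</Pass>
      <Name>legacy box</Name>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>keyuser</User>
      <Name>key-auth host (no stored password)</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


@dataclass
class StoredCredential:
    host: str
    port: int
    user: str
    password: str  # recovered cleartext value


def decode_pass(pass_elem: Optional[ET.Element]) -> str:
    """Return the cleartext password for a <Pass> element, or '' if none."""
    if pass_elem is None or not pass_elem.text:
        return ""
    if pass_elem.get("encoding") == "base64":
        # Base64 is an encoding, not protection: anything that can read the
        # file can recover the password.
        return base64.b64decode(pass_elem.text).decode("utf-8", "replace")
    return pass_elem.text  # legacy versions: plain text


def harvestable_credentials(xml_text: str) -> List[StoredCredential]:
    """List every saved site whose password is recoverable from the file."""
    root = ET.fromstring(xml_text)
    found: List[StoredCredential] = []
    for server in root.iter("Server"):
        password = decode_pass(server.find("Pass"))
        if not password:
            continue  # key-based or prompt-on-connect sites expose nothing here
        found.append(StoredCredential(
            host=server.findtext("Host", ""),
            port=int(server.findtext("Port", "0")),
            user=server.findtext("User", ""),
            password=password,
        ))
    return found


def exposure_report(xml_text: str) -> str:
    """Human-readable summary that avoids printing the passwords themselves."""
    creds = harvestable_credentials(xml_text)
    lines = [f"{len(creds)} saved site(s) with a recoverable password:"]
    for c in creds:
        lines.append(f"  {c.user}@{c.host}:{c.port}  (password length {len(c.password)})")
    return "\n".join(lines)


if __name__ == "__main__":
    # Replace the constructed sample with the contents of the real file
    # (%APPDATA%\FileZilla\sitemanager.xml on Windows) to audit a host.
    print(exposure_report(SAMPLE_SITEMANAGER_XML))
```

The report deliberately counts and lengths passwords rather than echoing them, so it can be run as a triage check after an infection to decide which FTP accounts need their passwords rotated. Sites that use key authentication or prompt for the password at connect time are the ones with nothing on disk for a stealer to take.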
Win32/Ldpinch sends the captured information to a remote attacker. Older variants of this family sent the captured data by e-mail; recent variants send it over HTTP to specific remote hosts, typically to a PHP script hosted there.
PWS:Win32/Ldpinch.BQ has been observed contacting a PHP script at the following remote host for this purpose:
- iamdie.silena.mobi
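Because this variant leaves no obvious symptoms on the host and does not persist, the HTTP exfiltration channel above is often the most practical place to detect it. The following is an added example, not part of the original entry, that hunts through web-proxy logs for it. The C2 hostname is the one listed in the entry; the simplified Squid-style log layout (`epoch client_ip method url status bytes`), the sample lines and the allowlist are constructed for the example, and the broader "POST to a .php script on a non-allowlisted host" rule is the example's own heuristic, which generalises beyond this single sample and will need tuning against legitimate PHP applications.

```python
"""Added example (not from the original encyclopedia entry): scan constructed
web-proxy log lines for the HTTP exfiltration channel used by Ldpinch.
Log layout assumed here:  <epoch> <client_ip> <method> <url> <status> <bytes>
"""
from dataclasses import dataclass
from typing import List, Set
from urllib.parse import urlsplit

# Indicator taken from the entry above.
LDPINCH_C2_HOSTS: Set[str] = {"iamdie.silena.mobi"}

# Assumed allowlist of first-party hosts where POSTs to PHP scripts are normal.
ALLOWED_PHP_POST_HOSTS: Set[str] = {"intranet.example.test"}

# Constructed sample log, not a real capture.
CONSTRUCTED_LOG = """\
1301570000 10.0.0.15 GET http://www.example.test/index.html 200 5123
1301570012 10.0.0.15 POST http://iamdie.silena.mobi/gate.php 200 311
1301570020 10.0.0.22 POST http://intranet.example.test/login.php 302 0
1301570031 10.0.0.15 GET http://iamdie.silena.mobi/ 404 0
1301570045 10.0.0.31 POST http://unknown-host.test/r.php 200 12
1301570050 10.0.0.31 GET http://cdn.example.test/app.js 200 44120
"""


@dataclass
class Hit:
    epoch: int
    client: str
    method: str
    host: str
    path: str
    reason: str


def parse_line(line: str):
    """Split one constructed log line into typed fields."""
    epoch, client, method, url, status, size = line.split()
    parts = urlsplit(url)
    return int(epoch), client, method, parts.hostname or "", parts.path, int(status), int(size)


def scan_proxy_log(text: str,
                   c2_hosts: Set[str] = LDPINCH_C2_HOSTS,
                   allowed_php_hosts: Set[str] = ALLOWED_PHP_POST_HOSTS) -> List[Hit]:
    """Flag traffic to known C2 hosts, plus POSTs to PHP scripts elsewhere."""
    hits: List[Hit] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        epoch, client, method, host, path, _status, _size = parse_line(raw)
        if host in c2_hosts:
            # Any contact with the listed host is a high-confidence indicator,
            # regardless of method or response code.
            hits.append(Hit(epoch, client, method, host, path, "known Ldpinch C2 host"))
        elif method == "POST" and path.lower().endswith(".php") and host not in allowed_php_hosts:
            # Broader, lower-confidence heuristic for the "HTTP POST to a remote
            # PHP script" pattern described in the entry; expect false positives.
            hits.append(Hit(epoch, client, method, host, path,
                            "POST to PHP script on non-allowlisted host"))
    return hits


def infected_clients(hits: List[Hit]) -> List[str]:
    """Clients that talked to a known C2 host: candidates for credential rotation."""
    return sorted({h.client for h in hits if h.reason.startswith("known")})


if __name__ == "__main__":
    for hit in scan_proxy_log(CONSTRUCTED_LOG):
        print(f"{hit.epoch} {hit.client} {hit.method} {hit.host}{hit.path}  <- {hit.reason}")
    print("clients to triage:", ", ".join(infected_clients(CONSTRUCTED_LOG and scan_proxy_log(CONSTRUCTED_LOG))))
```

Every client that appears in the "known C2 host" hits should be treated as having had all of the credential stores listed under Payload read out, so the response is to rotate those FTP, mail, chat and stored Windows credentials rather than just to clean the file, since the stealer has already finished its single run by the time the request is logged.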
Analysis by Scott Molenkamp