Win32/ldpinch


5 replies to this topic

#1 jay_rock (Members, 18 posts)

Posted 18 November 2006 - 02:34 PM

Hello, I'm new here; I found this site while browsing for help with this infection.
Windows Defender is reporting Win32/Ldpinch:

Category:
Password Stealer

Description:
This program has potentially unwanted behaviour.

Advice:
Review the alert details to see why the software was detected. If you do not like how the software operates or if you do not recognize and trust the publisher, consider blocking or removing the software.

Resources:
file:
D:\WINDOWS\Installer\UpdateService.exe

View more information about this item online


But Norton, Spybot, Ad-Aware and SUPERAntiSpyware are reporting that I'm clean apart from some tracking cookies here and there.
What I'm wondering is if it is a false negative.
Any help will be gratefully received.

#2 buddy215 (Moderator, 13,096 posts, West Tennessee)

Posted 18 November 2006 - 02:44 PM

Discovered: November 3, 2003
Updated: November 4, 2003 03:26:39 PM PST
Also Known As: Trojan.PSW.Ldpinch.s [Kaspersky], PWSteal.Ldpinch
Type: Trojan Horse
Infection Length: 17,408 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Infostealer.Ldpinch is executed, it does the following:

1. Copies itself to %Windir%.

Note: %Windir% is a variable. The Trojan locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
2. Adds the value:

"putil"="%Windir%\<filename>"

to the registry key:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the Trojan runs when you start Windows.

3. Records the following information to a log file and then sends the information to the hacker at a hardcoded email address:
   * User keystrokes
   * System information
   * User email accounts
   * Passwords from the following programs:
     - ICQ99b-2003a/Lite/ICQ2003Pro
     - Miranda-icq
     - Trillian ICQ&AIM
     - &RQ
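A check for the persistence described in that write-up, as an added example that is not part of the thread or of Symantec's write-up: it enumerates the Run key values (via winreg when run on Windows) and flags any value named putil, or whose autostarted image sits loose in %Windir% or under %Windir%\Installer (the location from the Defender alert in post #1). The sample entries, the svcupd.exe filename and the rule-of-thumb path checks are this example's own assumptions, not indicators taken from the thread.

```python
"""Flag Run-key entries matching the Ldpinch persistence quoted above.

Added example, not from the thread or from Symantec. Indicators used:
a value named "putil" (from the write-up) and an autostarted image that
lives directly in %Windir% or under %Windir%\\Installer (the path from the
Defender alert in post #1). SAMPLE_ENTRIES are constructed test data.
"""
from __future__ import annotations

import ntpath
import os
import re
import sys

RUN_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SUSPICIOUS_VALUE_NAMES = {"putil"}  # value name from the quoted write-up


def expand_windir(command: str, windir: str) -> str:
    """Substitute %Windir%/%SystemRoot% (case-insensitively) with `windir`,
    so the path logic also runs on a non-Windows analysis box."""
    return re.sub(r"%(windir|systemroot)%", lambda _m: windir, command,
                  flags=re.IGNORECASE)


def image_path(command: str) -> str:
    """Pull the executable path out of a Run value's command line: the quoted
    part if it starts with a quote, otherwise the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split()[0] if command else ""


def check_run_entry(name: str, command: str, windir: str) -> list[str]:
    """Return the indicators this entry matches; an empty list means clean."""
    reasons = []
    if name.lower() in SUSPICIOUS_VALUE_NAMES:
        reasons.append(f'value name "{name}" matches the Ldpinch write-up')
    path = ntpath.normpath(expand_windir(image_path(command), windir))
    parent = ntpath.dirname(path).lower()
    windir_norm = ntpath.normpath(windir).lower()
    if parent == windir_norm:
        # Legitimate autostarts live under Program Files or System32;
        # a loose .exe in the Windows directory itself is the Trojan's habit.
        reasons.append(f"image {path} sits directly in %Windir%")
    elif parent == ntpath.join(windir_norm, "installer"):
        # %Windir%\Installer is the MSI cache, not a place programs run from.
        reasons.append(f"image {path} runs from %Windir%\\Installer")
    return reasons


def flag_run_entries(entries: list[tuple[str, str]],
                     windir: str) -> dict[str, list[str]]:
    flagged: dict[str, list[str]] = {}
    for name, command in entries:
        reasons = check_run_entry(name, command, windir)
        if reasons:
            flagged[name] = reasons
    return flagged


def read_run_entries(hive: str = "HKCU") -> list[tuple[str, str]]:
    """Enumerate the Run key on a live Windows host (needs the winreg module)."""
    import winreg  # Windows-only; imported here so the rest works elsewhere
    root = {"HKCU": winreg.HKEY_CURRENT_USER,
            "HKLM": winreg.HKEY_LOCAL_MACHINE}[hive]
    entries = []
    with winreg.OpenKey(root, RUN_SUBKEY) as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:  # EnumValue raises once the values run out
                break
            entries.append((name, str(data)))
            index += 1
    return entries


# Constructed sample data (the "putil" line mirrors the write-up; svcupd.exe
# is an invented filename). Windows is on D: here, as in post #1.
SAMPLE_WINDIR = r"D:\WINDOWS"
SAMPLE_ENTRIES = [
    ("putil", r"%Windir%\svcupd.exe"),
    ("ctfmon.exe", r"D:\WINDOWS\system32\ctfmon.exe"),
    ("UpdateService", r'"D:\WINDOWS\Installer\UpdateService.exe" /quiet'),
    ("Steam", r'"D:\Program Files\Steam\Steam.exe" -silent'),
]

if __name__ == "__main__":
    if sys.platform == "win32":
        entries = read_run_entries("HKCU") + read_run_entries("HKLM")
        windir = os.environ.get("WINDIR", r"C:\Windows")
    else:
        entries, windir = SAMPLE_ENTRIES, SAMPLE_WINDIR
    for value_name, why in flag_run_entries(entries, windir).items():
        print(f"[!] {value_name}: " + "; ".join(why))
```

Run on a Windows host it reads HKCU and HKLM; anywhere else it runs against the constructed entries, flagging putil (name and location) and the Installer-folder executable while leaving ctfmon.exe and the Program Files entry alone. A clean Run key, as jay_rock reports for his machine, is not proof of absence: the sample may never have executed, or a different variant may use a different value name.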

#3 jay_rock (Topic Starter)

Posted 18 November 2006 - 03:00 PM

Yeah, already seen that on the Symantec site; none of the reg keys are present on my PC.

#4 Grinler (Lawrence Abrams, Admin, 43,541 posts, USA)

Posted 22 November 2006 - 01:27 PM

Submit this file:

D:\WINDOWS\Installer\UpdateService.exe

to http://www.virustotal.com/vt/ and http://virusscan.jotti.org/

That should tell you right off if this is bad or a false positive. My guess is that it is bad.

#5 jay_rock (Topic Starter)

Posted 24 November 2006 - 03:10 PM

Engine               Version          Last update   Result
AntiVir              7.2.0.46         11.24.2006    TR/PSW.LdPinch.awz
Authentium           4.93.8           11.23.2006    no virus found
Avast                4.7.892.0        11.23.2006    Win32:Trojan-gen. {UPX!}
AVG                  386              11.24.2006    PSW.Ldpinch.CAT
BitDefender          7.2              11.24.2006    DeepScan:Generic.Dialer.DCAAAA09
CAT-QuickHeal        8.00             11.24.2006    no virus found
ClamAV               devel-20060426   11.24.2006    no virus found
DrWeb                4.33             11.24.2006    no virus found
eSafe                7.0.14.0         11.24.2006    suspicious Trojan/Worm
eTrust-InoculateIT   23.73.66         11.23.2006    Win32/Ldpinch.7bl!Trojan
eTrust-Vet           30.3.3211        11.24.2006    Win32/Yurist.K
Ewido                4.0              11.24.2006    Trojan.LdPinch.awz
Fortinet             2.82.0.0         11.24.2006    W32/LdPinch.AWZ!tr.pws
F-Prot               3.16f            11.23.2006    no virus found
F-Prot4              4.2.1.29         11.23.2006    no virus found
Ikarus               0.2.65.0         11.24.2006    no virus found
Kaspersky            4.0.2.24         11.24.2006    Trojan-PSW.Win32.LdPinch.awz
McAfee               4904             11.24.2006    no virus found
Microsoft            1.1804           11.24.2006    Win32/Ldpinch
NOD32v2              1881             11.24.2006    no virus found
Norman               5.80.02          11.24.2006    W32/LdPinch.EUB
Panda                9.0.0.4          11.24.2006    Trj/Ldpinch.SU
Prevx1               V2               11.24.2006    no virus found
Sophos               4.11.0           11.16.2006    no virus found
TheHacker            6.0.3.123        11.23.2006    Trojan/PSW.LdPinch.awz
UNA                  1.83             11.24.2006    Trojan.PSW.Win32.LdPinch.76F0
VBA32                3.11.1           11.24.2006    Trojan-PSW.Win32.LdPinch.awz
VirusBuster          4.3.15:9         11.24.2006    Trojan.PWS.LdPinch.ZN

Thanks for those brilliant sites.
What should I do? For now Defender has it quarantined.
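The raw scan output above is easier to judge once the 28 differently formatted vendor labels are reduced to a single verdict. The following is an added example, not code from the thread or from VirusTotal: it parses the whitespace-separated "engine version date result" lines the 2006 report used, counts detections, reduces each label to a family token, and counts how many vendors tag the file as a password stealer (PSW/PWS). The family-extraction rules and the "half of all detections" consensus threshold are this example's own rule of thumb; SCAN_OUTPUT is copied from the post above as the sample input.

```python
"""Summarise the multi-engine scan output pasted above into one verdict.

Added example, not from the thread or from VirusTotal. Family extraction
and the consensus threshold are rules of thumb chosen for this example.
SCAN_OUTPUT is copied from the post above as the sample input.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

SCAN_OUTPUT = """\
AntiVir 7.2.0.46 11.24.2006 TR/PSW.LdPinch.awz
Authentium 4.93.8 11.23.2006 no virus found
Avast 4.7.892.0 11.23.2006 Win32:Trojan-gen. {UPX!}
AVG 386 11.24.2006 PSW.Ldpinch.CAT
BitDefender 7.2 11.24.2006 DeepScan:Generic.Dialer.DCAAAA09
CAT-QuickHeal 8.00 11.24.2006 no virus found
ClamAV devel-20060426 11.24.2006 no virus found
DrWeb 4.33 11.24.2006 no virus found
eSafe 7.0.14.0 11.24.2006 suspicious Trojan/Worm
eTrust-InoculateIT 23.73.66 11.23.2006 Win32/Ldpinch.7bl!Trojan
eTrust-Vet 30.3.3211 11.24.2006 Win32/Yurist.K
Ewido 4.0 11.24.2006 Trojan.LdPinch.awz
Fortinet 2.82.0.0 11.24.2006 W32/LdPinch.AWZ!tr.pws
F-Prot 3.16f 11.23.2006 no virus found
F-Prot4 4.2.1.29 11.23.2006 no virus found
Ikarus 0.2.65.0 11.24.2006 no virus found
Kaspersky 4.0.2.24 11.24.2006 Trojan-PSW.Win32.LdPinch.awz
McAfee 4904 11.24.2006 no virus found
Microsoft 1.1804 11.24.2006 Win32/Ldpinch
NOD32v2 1881 11.24.2006 no virus found
Norman 5.80.02 11.24.2006 W32/LdPinch.EUB
Panda 9.0.0.4 11.24.2006 Trj/Ldpinch.SU
Prevx1 V2 11.24.2006 no virus found
Sophos 4.11.0 11.16.2006 no virus found
TheHacker 6.0.3.123 11.23.2006 Trojan/PSW.LdPinch.awz
UNA 1.83 11.24.2006 Trojan.PSW.Win32.LdPinch.76F0
VBA32 3.11.1 11.24.2006 Trojan-PSW.Win32.LdPinch.awz
VirusBuster 4.3.15:9 11.24.2006 Trojan.PWS.LdPinch.ZN
"""

CLEAN_RESULTS = {"no virus found"}
# Platform/type words that vendors wrap around the family name proper.
GENERIC_TOKENS = {"trojan", "generic", "suspicious", "worm", "dialer",
                  "deepscan", "upx", "psw", "pws", "win32", "w32"}


@dataclass(frozen=True)
class ScanResult:
    engine: str
    version: str
    updated: str
    label: str  # vendor detection name; "" when the engine reported clean

    @property
    def detected(self) -> bool:
        return self.label != ""


def parse_line(line: str) -> ScanResult:
    # Engine, version and date are single tokens; the result is the remainder.
    engine, version, updated, result = line.split(maxsplit=3)
    result = result.strip()
    return ScanResult(engine, version, updated,
                      "" if result.lower() in CLEAN_RESULTS else result)


def parse_report(text: str) -> list[ScanResult]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def family_of(label: str) -> str:
    """Reduce a vendor label to a family token: split on punctuation, drop
    generic words, variant suffixes (3 chars or fewer) and tokens containing
    digits (hashes, platform tags), and keep the first token that survives."""
    for token in re.split(r"[^A-Za-z0-9]+", label):
        token = token.lower()
        if (not token or token in GENERIC_TOKENS or len(token) <= 3
                or any(ch.isdigit() for ch in token)):
            continue
        return token
    return "generic"


def summarise(results: list[ScanResult]) -> dict:
    detected = [r for r in results if r.detected]
    families = Counter(family_of(r.label) for r in detected)
    specific = [(f, n) for f, n in families.most_common() if f != "generic"]
    # Rule of thumb: a consensus exists when one named family accounts for
    # at least half of all detections; heuristic hits alone do not count.
    consensus = ""
    if specific and specific[0][1] * 2 >= len(detected):
        consensus = specific[0][0]
    stealer_votes = sum(1 for r in detected
                        if re.search(r"psw|pws", r.label, re.IGNORECASE))
    return {"engines": len(results), "detected": len(detected),
            "families": families, "consensus": consensus,
            "stealer_votes": stealer_votes}
```

Calling summarise(parse_report(SCAN_OUTPUT)) on the pasted report gives 17 of 28 engines detecting, 13 of them naming the LdPinch family and 8 labelling it a password stealer, which is why eleven "no virus found" rows do not make this a false positive: the clean engines simply lacked a signature at the time, while the detecting ones agree on what the file is.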

#6 Grinler (Lawrence Abrams, Admin, 43,541 posts, USA)

Posted 26 November 2006 - 09:17 AM

I would get rid of the file, as we know it's bad, by clearing your quarantine so it is no longer on your computer. I would also suggest you scan your computer with the Kaspersky online virus scanner:

http://usa.kaspersky.com/services/free-virus-scanner.php

If it still finds more malware, then do the steps here:

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Last but not least, this malware is a keylogger and information stealer. I advise you to change all your passwords for sites, your computer, etc.



