Beware of Trojan.PWS.LDPinch.1061 and take care of your passwords
July 28, 2006
The virus monitoring service of Doctor Web, Ltd. reports a new modification of a Trojan program propagated via ICQ, classified by Dr.Web as Trojan.PWS.LDPinch.1061.
A received message invites the user to look at a "funny flash" and contains a link to where this "flash" is stored. The downloaded file (oPreved.exe) has the icon of a flash movie, but is a password-stealing Trojan.
Description
When oPreved.exe is run (file size 354 304 bytes; detected by Dr.Web Anti-virus as Trojan.PWS.LDPinch.1061), the following files are created:
%System%\Expllorer.exe (223 392 bytes, detected by Dr.Web Anti-virus as Win32.HLLW.MyBot)
%windir%\temp\xer.exe (223 392 bytes, detected by Dr.Web Anti-virus as Win32.HLLW.MyBot)
temporary file C:\a.bat
Expllorer.exe creates the following keys in the system registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Shel"=Expllorer.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
"Shel"=Expllorer.exe
The passwords are stolen via a script at hxxp://220web.ru. All passwords stored on the system are collected: ICQ, FTP, mail services, dial-up, Trillian, Miranda, etc.
Trojan.PWS.LDPinch tries to evade firewalls, both those built into the OS and those from independent developers.
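The Run and RunServices values listed above can be checked against the text output of `reg query`. The following is an added example, not code from Doctor Web: it flags the advisory's "Shel"=Expllorer.exe entry and, going beyond the advisory, any autorun image whose name is a near-miss of a system binary. The sample output, the LEGIT_NAMES list and the 0.9 similarity threshold are assumptions.

```python
import re
from difflib import SequenceMatcher

# Indicators from the advisory: value "Shel" = Expllorer.exe under both keys.
BASE = r"hkey_local_machine\software\microsoft\windows\currentversion"
RUN_KEYS = {BASE + r"\run", BASE + r"\runservices"}
IOC_VALUE, IOC_IMAGE = "shel", "expllorer.exe"
# Assumption (not from the advisory): system binaries whose names get imitated.
LEGIT_NAMES = ("explorer.exe", "svchost.exe", "winlogon.exe")

VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s+REG_\w+\s+(?P<data>.*)$")
IMAGE_RE = re.compile(r'([^\\/"]+\.(?:exe|com|scr|bat|pif))', re.I)

# Constructed sample of `reg query <key>` output, not captured from a real host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Shel    REG_SZ    Expllorer.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    Shel    REG_SZ    Expllorer.exe
"""

def parse_reg_query(text):
    """Yield (key, value_name, data) tuples from `reg query` text output."""
    key = None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_RE.match(line)):
            yield key, m["name"], m["data"].strip()

def image_name(data):
    """Lower-cased executable file name from a Run value's command line."""
    m = IMAGE_RE.search(data)
    return (m.group(1) if m else data).strip().lower()

def find_suspicious(text):
    """Return (key, value, data, reason) for autorun entries worth triage."""
    hits = []
    for key, name, data in parse_reg_query(text):
        if key.lower() not in RUN_KEYS:
            continue
        exe = image_name(data)
        if name.lower() == IOC_VALUE and exe == IOC_IMAGE:
            hits.append((key, name, data, "advisory indicator"))
        elif exe not in LEGIT_NAMES and any(
                SequenceMatcher(None, exe, good).ratio() >= 0.9 for good in LEGIT_NAMES):
            hits.append((key, name, data, "lookalike of a system binary"))
    return hits
```

Calling find_suspicious(SAMPLE) returns the two "Shel" entries; a lookalike hit is a triage lead, not a verdict, and should be confirmed with an anti-virus scan of the referenced file.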
Doctor Web, Ltd. urges all users never to open links received in ICQ messages from unknown senders. If your computer has been infected with Trojan.PWS.LDPinch, we recommend disconnecting the computer from the local network and/or the Internet and scanning it with Dr.Web®. You can also check your computer for free and cure it, if necessary, with Dr.Web CureIt!.
IMPORTANT! Change all passwords on your computer.