Author Topic: Beware of Trojan.PWS.LDPinch.1061  (Read 2648 times)


Offline Abraxas

Beware of Trojan.PWS.LDPinch.1061
« on: July 31, 2006, 07:50:48 AM »
I hope this isn't old news; I searched the forum before posting. Received an alert from "Doctor Web" today by email.
Beware of Trojan.PWS.LDPinch.1061 and take care of your passwords
July 28, 2006

The virus monitoring service of Doctor Web, Ltd. informs of a new modification
of a Trojan program propagated via ICQ, classified by Dr.Web as
Trojan.PWS.LDPinch.1061. The received message invites the user to have a look
at a "funny flash" and gives the link where this "flash" is stored. The
downloaded file (oPreved.exe) has the icon of a flash movie, but is a
password-stealing Trojan.

Description:
When oPreved.exe is run (the file size is 354 304 bytes; it is detected by
Dr.Web Anti-virus as Trojan.PWS.LDPinch.1061), the following files are
created:

  %System%\Expllorer.exe (223 392 bytes, detected by Dr.Web Anti-virus as
  Win32.HLLW.MyBot)
  \%windir%\temp\xer.exe (223 392 bytes, detected by Dr.Web Anti-virus as
  Win32.HLLW.MyBot)
  temporary file C:\a.bat

Expllorer.exe creates the following keys in the system registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Shel"=Expllorer.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
"Shel"=Expllorer.exe

The passwords are stolen via a script at hxxp://220web.ru. All
passwords are collected from the system: ICQ, FTP, mail services,
dialup, Trillian, Miranda, etc.


Trojan.PWS.LDPinch tries to evade firewalls, both those built into the OS and
those from independent developers.
Never open links received in ICQ messages from unknown addressees. If your computer has been infected with
Trojan.PWS.LDPinch, we recommend disconnecting the computer from the local
network and/or Internet and scanning it (plenty of information on the Forum as to cleaning your system),
and IMPORTANT! Change all passwords on your computer.
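As an added defender-side example (not part of the original post or of Dr.Web's advisory): a small Python check that parses a `reg export` of the two autostart keys named above and flags the "Shel"=Expllorer.exe entries, or any autostart value pointing at one of the dropped file names. The .reg fragment is constructed sample input.

```python
import re

# Constructed sample input: a fragment of a `reg export` of the two autostart
# keys the advisory names, with one benign entry and the Trojan's "Shel" entries.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Shel"="Expllorer.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Shel"="Expllorer.exe"
"""

# Autostart keys named in the advisory (registry paths are case-insensitive).
AUTOSTART_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
# File names the advisory lists as dropped by oPreved.exe; note the extra "l"
# in Expllorer.exe, chosen to look like the legitimate Explorer.exe.
DROPPED_NAMES = {"opreved.exe", "expllorer.exe", "xer.exe", "a.bat"}

# A REG_SZ line in a .reg export: "name"="data", with \" and \\ escapes.
VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Yield (key, value_name, data) for each REG_SZ value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = VALUE_LINE.match(line)
            if m:
                # .reg files escape each backslash in data as "\\".
                yield key, m.group(1), m.group(2).replace("\\\\", "\\")

def find_ldpinch_autostart(text):
    """Return autostart values matching the advisory's indicators."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if key.lower() not in AUTOSTART_KEYS:
            continue
        basename = data.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name == "Shel" or basename in DROPPED_NAMES:
            findings.append({"key": key, "value": name, "data": data})
    return findings
```

Run on the sample, `find_ldpinch_autostart(SAMPLE_REG_EXPORT)` returns the two "Shel" entries (one per key) and ignores the benign ctfmon.exe value.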