You are here

Help Severe Trojan Alert! Microsoft Security Essentials detected PWS:Win32/Ldpinch.gen

10 posts / 0 new
Last post
foyzul1988
Offline
Last seen: 15 years 11 months ago
Joined: 2008-10-23 09:49
Help Severe Trojan Alert! Microsoft Security Essentials detected PWS:Win32/Ldpinch.gen

PortableAapps.com Platform version: 2.0 beta 1
As I had started the PortableApps.com Platform, the Microsoft Security Essentials froze the application and alerted me of a severe trojan. I don't know why but I didn't expect the PortableApps Platform could be performing trojan style commands and be a serious issue?

I hope someone here could help! I have copied and pasted the details of the trojan: PWS:Win32/Ldpinch.gen

Microsoft Security Essentials - Encyclopedia entry PWSWin32-Ldpinch.gen:

PWS:Win32/Ldpinch.gen

Encyclopedia entry
Updated: Feb 07, 2008 | Published: Feb 04, 2008

Aliases
Not available

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.

Detection last updated: Detection initially created:
Definition: 1.69.889.0 Definition: 1.45.287.0
Released: Nov 12, 2009 Released: Oct 07, 2008

Summary
PWS:Win32/Ldpinch.gen is generic detection for PWS:Win32/Ldpinch, a family of password-stealing trojans. This trojan gathers private user data, such as passwords, from the host computer and sends the data to the attacker at a preset e-mail address. The Win32/Ldpinch trojans use their own Simple Mail Transfer Protocol (SMTP) engine or a web-based proxy for sending the e-mail, thus copies of the sent e-mail will not appear in the affected user's e-mail client.

Symptoms
Win32/Ldpinch variants have varying symptoms however this trojan family has some shared characteristics and actions:

*
Creates an entry under one or both of the following registry subkeys to run this copy of the trojan each time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
*
Attempts to gather data from the host computer. The Win32/Ldpinch trojan may gather data such as e-mail addresses, passwords, and system configuration information, including registry settings. It may also gather data from installed applications such as &RQ, FAR, ICQ, The Bat!, and Total Commander.

Technical Information (Analysis)
PWS:Win32/Ldpinch.gen is generic detection for PWS:Win32/Ldpinch, a family of password-stealing trojans. This trojan gathers private user data, such as passwords, from the host computer and sends the data to the attacker at a preset e-mail address. The Win32/Ldpinch trojans use their own Simple Mail Transfer Protocol (SMTP) engine or a web-based proxy for sending the e-mail, thus copies of the sent e-mail will not appear in the affected user's e-mail client.

A Win32/Ldpinch trojan typically takes the following actions on the host computer:

*
Creates a copy of itself in the Windows folder or the system folder. The file name of the copy may vary.
*
Creates an entry under one or both of the following registry subkeys to run this copy of the trojan each time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
*
Attempts to gather data from the host computer. The Win32/Ldpinch trojan may gather data such as e-mail addresses, passwords, and system configuration information, including registry settings. It may also gather data from installed applications such as &RQ, FAR, ICQ, The Bat!, and Total Commander.
* Encodes the passwords and sends them along with other collected information to a preset e-mail address. The Win32/Ldpinch trojans use their own Simple Mail Transfer Protocol (SMTP) engine or a web-based proxy for sending the e-mail, thus copies of the sent e-mail will not appear in the affected user's e-mail client.

John T. Haller
John T. Haller's picture
Offline
Last seen: 6 hours 58 min ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Picked Up

If this is a legitimate diagnosis, you picked up an infection from an infected PC and should handle it properly by disinfecting the PC (if it is infected) and then reinstalling the PortableApps.com Platform to the USB stick. You should then scan the drive to ensure no further infections remain.

There is no trojan in the PortableApps.com Platform itself (provided you download it from PortableApps.com directly, of course). Otherwise there would be tens of thousands of reports of it.

Sometimes, the impossible can become possible, if you're awesome!

ceciliaFX
ceciliaFX's picture
Offline
Last seen: 9 months 1 week ago
Joined: 2007-04-24 14:18
last week I got Ravmon.exe

from god knows where for the first time in my life. I know a friend gave me some files from his removable HD.....anyway, I found it immediately because I always have my 'hidden files' visible. I could tell immediately that something was wrong.

cleaned it with ClamWin. worked perfectly

http://anoop-aravindan.blogspot.com/2007/11/virus-w32rjumpworm-ravmonexe...

for more detail on this virus/trojan

"No one man can terrorize a whole nation unless we are all his accomplices." - Edward R. Murrow

OliverK
OliverK's picture
Offline
Last seen: 4 years 4 months ago
Developer
Joined: 2007-03-27 15:21
at least he was kind enough

at least he was kind enough to tell you how to fix it.

Too many lonely hearts in the real world
Too many bridges you can burn
Too many tables you can't turn
Don't wanna live my life in the real world

ceciliaFX
ceciliaFX's picture
Offline
Last seen: 9 months 1 week ago
Joined: 2007-04-24 14:18
if you are talking to me

no, my friend did not even know about the infection. I noticed something was wrong on my system, booted into Linux to be able to access the Internet to investigate.

The reason I decided to mention this here is that this particular Trojan specifically attacks portable devices because it overwrites the Autorun.inf file and adds the RAVMON.EXE in the root directory of every partition it finds. It also adds other files in the system:windows dir

anyway, I have made every Autorun.inf file not writable. hopefully that may help (hard to say with windows). Pardon
plus, I have made clamwin come up immediately so I can check if there are issues immediately

this Ravmon thing is fairly benign, but I don't like anything on my machine

I'm sure this is not the only virus/trojan that attacks portable devices

"No one man can terrorize a whole nation unless we are all his accomplices." - Edward R. Murrow

OliverK
OliverK's picture
Offline
Last seen: 4 years 4 months ago
Developer
Joined: 2007-03-27 15:21
no. I meant the guy that

no. I meant the guy that wrote ravmon. And yeah, there's a bunch of stuff that is carried by USB. Conficker did that to I believe.

Too many lonely hearts in the real world
Too many bridges you can burn
Too many tables you can't turn
Don't wanna live my life in the real world

spg SCOTT
spg SCOTT's picture
Offline
Last seen: 13 years 3 months ago
Joined: 2008-08-26 14:11
These instructions usually

These instructions usually prevent the autorun infections

http://forum.avast.com/index.php?topic=48454.msg409061#msg409061

“There is a computer disease that anybody who works with computers knows about. It's a very serious disease and it interferes completely with the work. The trouble with computers is that you 'play' with them!”Richard Feynman

spg SCOTT
spg SCOTT's picture
Offline
Last seen: 13 years 3 months ago
Joined: 2008-08-26 14:11
Also, you haven't said what

Also, you haven't said what the actual file that is alerted on by MSE.

It seems that you are talking about the 'startportableapps.exe' file, are you?
(this file is, as John said, clean)

“There is a computer disease that anybody who works with computers knows about. It's a very serious disease and it interferes completely with the work. The trouble with computers is that you 'play' with them!”Richard Feynman

foyzul1988
Offline
Last seen: 15 years 11 months ago
Joined: 2008-10-23 09:49
No sorry, my mistake, I

No sorry, my mistake, I thought it would the PA Platform that is the issue, but it's not, now I realize this, I think it's the software application that I have downloaded from another website that had the trojan, so Portableapp's platform and it's application aren't issues.

Obviously I had made a mistake! I had assumed that the Portableapps platform 2.0 Beta 1 had something to do with it, sorry guys.

And obviously P.A is a freeware, trustworthy and trojan free. I didn't mean to go against P.A.

It's only these snidy and dodgy people who had sent me this from another website, which I'm not sure of, and I had placed it in my P.A folder, so it's NOT P.A fault!

God damn them cyber criminals! Trying to steal their victims without them knowing it!

And anyways people I think the new MICROSOFT SECURITY ESSENTIAL is a No.1 defender or anti-spyware that has been built than the previous!

So I recommend everyone to download this great defender from the Microsoft's official site.

Thanks to: P.A, in forum the supporter of P.A, and thank you Microsoft for saving my a**!

NathanJ79
NathanJ79's picture
Offline
Last seen: 5 years 8 months ago
Joined: 2007-07-31 15:07
2.0 beta 3 out

It should also be noted, however trivial, that 2.0 beta 1 is obsolete software and should be upgraded to 2.0 beta 3. Actually, the update check in the menu I just found a couple hours ago recommends "upgrading" to 1.5.2 from 2.0 beta 3, but that's beside the point. 1.5.2 is the latest version PortableApps.com "officially" recommends its users use, but 2.0 beta 3 serves as a means to experience the latest work on the project (latest as of July 2009 anyway).

Matter of fact, beta 2 and beta 3 were rushed out to patch issues in beta 1, so a move up to beta 3 is highly recommended.

Get 2.0 beta 3 here or 1.5.2 here (for the latter, it is recommended that you pick the "Platform Only" option and install your apps a la carte, as the bundled apps are outdated and may contain apps you neither need nor want. (Though if quickly setting up a gift for a friend in the form of a flash drive, Suite Standard is a good, quick option.)

Log in or register to post comments