Trojans Send Confidential Information to Hacker
Sophos Friday issued alerts for two Trojans, Troj/LDPinch-G and Troj/LDPinch-H, which send passwords and confidential information to a remote location and provides backdoor access to the computer.
When first run the Trojans move themselves to the Windows folder and add its pathname to the following registry entry, to run itself on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\putil
The Trojans periodically attempts to send confidential information to a remote location. The information includes:
computer details (OS version, memory, CPU etc.)
available drives (drive letter, type and free space)
hostname and IP address
Windows folder volume information
data stored in the registry by selected software
passwords and confidential information from 'Protected Storage'
POP3 and IMAP server information, usernames and passwords
FTP usernames and passwords
RAS dial-up settings
The Trojans then run continuously in the background providing backdoor access to the computer. In the case of the G variant, the trojan provides backdoor access to the computer on port 2050. A remote intruder will be able to connect to this port and receive a remote command shell.
The Trojans may also drop the file isfpr.dll to the Windows folder. This file is detected as Troj/Mimail-F.
Reproduced from an article published by Enterprise Planet
© Enterprise Planet
The original article can be viewed here:
http://www.enterpriseitplanet.com/security/news/article.php/3326011
Permalink Bookmark Digg this story
