Submission Summary:

• Submission details:
• Submission received: 6 November 2009, 15:09:22
• Processing time: 7 min 31 sec
• Submitted sample:
• File MD5: 0xADC41AD7D20A7B4715C961FB5DC6FB09
• File SHA-1: 0x4B1ED86F02698BAD416228E2936FE120C6D23724
• Filesize: 65,536 bytes
• Alias:
• Trojan.Generic [PCTools]
• Trojan Horse [Symantec]
• Generic Proxy!m [McAfee]
• TrojanProxy:Win32/Dosenjo.C [Microsoft]
• Trojan-Proxy.Win32.Dosenjo [Ikarus]

• Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Registers a Winlogon notification package so that the installed module is loaded into the address space of winlogon.exe.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Trojan.LdPinch	Trojan.LdPinch steals passwords, system information and other data from a number of popular applications including ICQ, Trillian and AOL Instant Messenger. This information is then sent to a remote site or email.

• Attention! The following threat category was identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%CommonAppData%\csrss.exe [file and pathname of the sample #1]	65,536 bytes	MD5: 0xADC41AD7D20A7B4715C961FB5DC6FB09 SHA-1: 0x4B1ED86F02698BAD416228E2936FE120C6D23724	Trojan.Generic [PCTools] Trojan Horse [Symantec] Generic Proxy!m [McAfee] TrojanProxy:Win32/Dosenjo.C [Microsoft] Trojan-Proxy.Win32.Dosenjo [Ikarus]
2	%Temp%\csrss1.dll %System%\csrss1.dll	125 bytes	MD5: 0x7C5F5A68051F6B0C0E9A2AD33C40D415 SHA-1: 0x120865765927A61AF83F02B83DC297EEDE61EC41	(not available)

• Notes:
• %CommonAppData% is a variable that refers to the file system directory containing application data for all users. A typical path is C:\Documents and Settings\All Users\Application Data.
• %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

• There were new processes created in the system:

Process Name	Process Filename	Main Module Size
csrss.exe	%CommonAppData%\csrss.exe	135,168 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	135,168 bytes

Registry Modifications

• The following Registry Key was created:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Csrss

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Csrss]
• DllName = "csrss1.dll"
• Logon = "StrtPrc"
• Impersonate = 0x00000000
• Asynchronous = 0x00000000

so that csrss1.dll is installed as a Winlogon notification package

• [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion]
• SvchostVersion = "1"
• SvchostID = "5959T5j9b6njf821"
• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
• SvchostVersion = "1"
• SvchostID = "5959T5j9b6njf821"

Other details

• To mark the presence in the system, the following Mutex object was created:
• KfqnfxqxWXWXWXWXqwqwqwqwq2222

• The following port was open in the system:

• The following Internet Connection was established: