Pinch 1.0
(Trojan-PSW.LdPinch.p)

by Coban2k

Written in Assembly, Source included

Released in October 2003

Made in Russia



Features:
- ICQ99b-2003a/Lite/ICQ2003Pro 
- Miranda-icq 
- Trillian ICQ&AIM 
- &RQ 
- The Bat!, The Bat! 2 (mailer) 
- Outlook/Outlook Express (pop3/imap) 
- IE autocomplete & protected sites & ftp (9x/Me/2k/xp supported) 
- FAR Manager (ftp) 
- Win/Total Commander (ftp) 
- RAS (9x/Me/2k/xp supported) 
- System info: OS, memory, CPU, hard drives, logged user, host name, IP 
- Key-log 
- Remote console 
- Firewall bypass
- Sends e-mail using SMTP server 
- E-mail messages are encrypted (if an attacker steals your e-mail account, he will not be able to read the received passwords) 
- Deleting itself (optional) 
- HTML/Text reports 
- Size of executable about 10Kb (don't tell me that it's impossible :P) 
- Module system, some modules can be excluded to reduce the output size 
- More features on your request 

-------------------------------------------------------------------------------

Directory list:
1. Sources\HTTP - sources of the cgi-gate which lets you build an exe file from
the web (w32 + Apache required). HTML page sources are in Russian, and it was
configured to run on my machine (paths, etc.), so you have to modify the sources
manually.

2. Sources\ParserOnly - sources of pinch parser (decryptor) w/o configurator.

3. Pinch - main asm sources + masm32 compiler

4. Sources\PinchBuilder - sources of pinch parser + configurator.

5. Sources\TB! - parsing plugin for The Bat 2! (mailer) (it decrypts messages on the fly, while receiving).

6. Sources\Script - a script which is used on the HTTP server, required for bypassing firewalls.

-------------------------------------------------------------------------------

Run PinchBuilder.exe to compile a new version of the trojan; always check the SMTP server
before compilation.
Run Parser.exe to decrypt incoming messages.

-------------------------------------------------------------------------------

Q: Why is it so small?
A: Pinch doesn't actually decrypt passwords, it just retrieves the hashes; afterwards
they are decrypted using Pinch Parser (Parser.exe).

-------------------------------------------------------------------------------

Q: Bypassing firewalls (zonealarm, outpost, etc.)?
A: There's a possibility to bypass firewalls using a hidden IE window. In this
case Pinch will require an additional HTTP server to send passwords to. You have
to build Pinch with the 'HTTP protocol' option enabled; take a look at the view.php file
in the 'script' folder for a script example.

Coban2k


Server:
dropped file:
c:\WINDOWS\PINCH.EXE 

size: 8.944 bytes 

startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "putil" 
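The two host indicators listed above (the dropped file and the HKCU Run value "putil") are what a defender would check for. The following is an added detection example, not part of the original page or of the Pinch sources: it parses a `reg export`-style text dump of the Run key and a list of file paths, and flags entries matching those indicators. The sample registry dump is constructed here for illustration.

```python
r"""Added example (not from the page): check a Windows Run-key export and a file
listing for the Pinch 1.0 persistence indicators the page lists: the HKCU Run
value "putil" and the dropped file c:\WINDOWS\PINCH.EXE."""
import re

# Indicators taken from the page's "Server" section.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "putil"
DROPPED_FILE = r"c:\WINDOWS\PINCH.EXE"

# Constructed sample of a `reg export` style dump; the "putil" line is the hit.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"putil"="C:\\WINDOWS\\PINCH.EXE"
"""


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from a .reg-style text dump.

    Only string values of the form "name"="data" are handled, which is
    enough for Run keys; .reg files double every backslash, so undo that.
    """
    result = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"="?(.*?)"?$', line)
            if m:
                name, data = m.group(1), m.group(2).replace("\\\\", "\\")
                result[current][name] = data
    return result


def find_pinch_persistence(reg_text):
    """Return (key, value_name, data) tuples under the HKCU Run key whose
    value name is "putil" or whose data references pinch.exe."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            if name.lower() == RUN_VALUE_NAME or "pinch.exe" in data.lower():
                hits.append((key, name, data))
    return hits


def find_dropped_file(paths):
    """Return the entries of `paths` equal (case-insensitively) to the dropped file."""
    return [p for p in paths if p.lower() == DROPPED_FILE.lower()]


if __name__ == "__main__":
    for key, name, data in find_pinch_persistence(SAMPLE_REG_EXPORT):
        print(f"Pinch autostart indicator: {key} -> {name} = {data}")
    for path in find_dropped_file([r"C:\WINDOWS\explorer.exe", DROPPED_FILE]):
        print(f"Pinch dropped file present: {path}")
```

On a live host the same functions can be fed the output of `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` and a directory listing of the Windows folder; matching on the value name alone is weak, since the builder lets the author change such strings, so the data match on pinch.exe and the file check are kept as independent signals.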

MegaSecurity