Skip to content

Export page to PDF
Aliases: Wadolin, LdPinch
Malware type: Spyware
Destructive: No
Platform: Windows 2000, Windows XP, Windows Server 2003
In the wild: Yes


Infection Channel: Propagates via removable drives, Dropped by other malware, Downloaded from the Internet

LDPINCH malware are comprised of worms and Trojans noted for its information stealing routine. First strains of this malware family appeared in 2007.

Its variants are known to be downloaded from compromised sites. Its worm variants are known to spread via removable drives.

LDPINCH malware collect user information from programs commonly used for email, FTP, file sharing, browsing, and instant messaging. Some of the programs it collects data from are the following:

  • CuteFTP

  • Eudora

  • ICQ

  • Mozilla Firefox

  • Opera

  • Outlook

  • Trillian

Technical Details

Memory resident: Yes
Payload: Steals information


This spyware drops the following files:

  • {drive letter}\autorun.inf

It drops the following copies of itself into the affected system:

  • %System%\sisis.exe
  • {drive letter}\autorun.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

sisis = "%System%\sisis.exe"

Other System Modifications

This spyware creates the following registry entry(ies) to bypass Windows Firewall:

{malware path}\{malware name} = "{malware path}\{malware name}:*:Enabled:Enabled"

Other Details

This spyware connects to the following possibly malicious URL:

  • dnsf.{BLOCKED}
  • dwl.{BLOCKED}
  • {BLOCKED}.{BLOCKED}.110.78/pinch/gate.php
  • nnpyev.{BLOCKED}
  • pleven.{BLOCKED}
  • wcom.{BLOCKED}
  • web.{BLOCKED}
  • www.{BLOCKED}

Connect with us on