Archive A Reconstructed © MegaSecurity Database
Pinch 1.0
Released 22 years, 6 months ago. October 2003
Copyright © MegaSecurity
By Coban2k
Information
| Field | Value |
| --- | --- |
| From | Russia |
| Author | Coban2k |
| Family | Pinch |
| Category | Information Stealer |
| Version | Pinch 1.0 |
| Released Date | Oct 2003, 22 years, 6 months ago. |
| Language | Assembly, Source included |
Additional Information
Server:
dropped file:
c:\WINDOWS\PINCH.EXE
size: 8.944 bytes
startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "putil"
Author Information / Description
Features:
- ICQ99b-2003a/Lite/ICQ2003Pro
- Miranda-icq
- Trillian ICQ&AIM
- &RQ
- The Bat!, The Bat! 2 (mailer)
- Outlook/Outlook Express (pop3/imap)
- IE autocomplete & protected sites & ftp (9x/Me/2k/xp supported)
- FAR Manager (ftp)
- Win/Total Commander (ftp)
- RAS (9x/Me/2k/xp supported)
- System info: OS, memory, CPU, hard drives, logged user, host name, IP
- Key-log
- Remote console
- Firewall bypass
- Sends e-mail using SMTP server
- E-mail messages are encrypted (if an attacker steals your e-mail account he will not be able to see received passwords)
- Deleting itself (optional)
- HTML/Text reports
- Size of executable about 10Kb (don't tell me that it's impossible :P)
- Module system, some modules can be excluded to reduce the output size
- More features on your request
-------------------------------------------------------------------------------
Directory list:
1. Sources\HTTP - sources of cgi-gate which let you build an exe file from
web (w32 + Apache required). HTML page sources are in Russian language,
also it was configured to run on my machine (paths, etc), so you have to
modify sources manually.
2. Sources\ParserOnly - sources of pinch parser (decryptor) w/o configurator.
3. Pinch - main asm sources + masm32 compiler
4. Sources\PinchBuilder - sources of pinch parser + configurator.
5. Sources\TB! - parsing plugin for The Bat 2! (mailer) (it decrypts messages on the fly, while receiving).
6. Sources\Script - a script which is used on the HTTP server, required for bypassing firewalls.
-------------------------------------------------------------------------------
Run PinchBuilder.exe to compile a new version of trojan, always check SMTP server
before compilation.
Run Parser.exe to decrypt incoming messages.
-------------------------------------------------------------------------------
Q: Why is it so small?
A: Pinch doesn't actually decrypt passwords, it just retrieves hashes, after
which they are decrypted using Pinch Parser (Parser.exe).
-------------------------------------------------------------------------------
Q: Bypassing firewalls (zonealarm, outpost, etc)?
A: There's a possibility to bypass firewalls using a hidden IE window. In this
case Pinch will require an additional HTTP server to send passwords to. You have
to build Pinch with 'HTTP protocol' option enabled, take a look at view.php file
from 'script' folder for a script example.
Coban2k
This archive is an almost-complete reconstruction of the legendary Mega Security (also known as Kobayashi), a premier 90s-era "Trojan Database" where malware authors once showcased their work. After a decade offline, the site was brought back in August 2024 by its original creator, MasterRat, who authorized the Malware Gallery to host this modernized, searchable version of the collection. While the original site remains available for those seeking a nostalgic, old-school experience, we are proud to continue its legacy here. Full credit and thanks go to MasterRat and the retired Mega Security staff for their years of dedicated work in cataloging these historical samples.