Backdoor.Antilam.g1

Discussion in 'malware problems & news' started by Randy_Bell, Nov 12, 2002.

Thread Status:
Not open for further replies.
    Randy_Bell:
    Symantec Security Response - Backdoor.Antilam.g1

    Backdoor.Antilam.g1 is a Backdoor Trojan that gives an attacker unauthorized access to an infected computer. By default it opens ports 11831 and 29559 on the infected computer.

    Also Known As: Backdoor.Antilam.g1 [KAV], BackDoor-AED [McAfee]
    Type: Trojan Horse
    Infection Length: 688,130 bytes
    Systems Affected: Windows 95, Windows 98, Windows ME
    Systems Not Affected: Windows NT, Windows 2000, Windows XP, Windows 3.x, Microsoft IIS, Macintosh, Unix, Linux

    Technical Details

    Backdoor.Antilam.g1 is a variant of Backdoor.Antilam. When Backdoor.Antilam.g1 runs, it performs the following actions:

    It copies itself as %system%\Foto.exe.

    NOTE: %system% is a variable. The Trojan locates the System folder and copies itself to that location. By default this is C:\Windows\System (Windows 95/98/Millennium), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

    It creates the value

    foto C:\WINDOWS\SYSTEM\foto.exe

    in the registry key

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    so that the Trojan starts when you start Windows.

    The Trojan attempts to disable some antivirus and firewall programs by terminating their processes.

    If the operating system is Windows 95/98/Millennium, the Trojan registers itself as a service process, so that it continues to run after you log off. In this case, Backdoor.Antilam.g1 closes only when the system is shut down.

    In addition, Backdoor.Antilam.g1 attempts to obtain access to the password cache that is stored on the local computer. The cached passwords include modem and dial-up passwords, URL passwords, share passwords, and others.

    Once installed, Backdoor.Antilam.g1 waits for commands from the remote client. The commands allow the hacker to perform any of the following actions:

    - Deliver system and network information to the hacker.
    - Intercept confidential information by hooking keystrokes.
    - Manage the installation of the backdoor Trojan.
    - Download and execute files.
    - Alter many system parameters such as screen resolution and system colors.
    - Use a known vulnerability on Windows 95/98/Millennium to cause the system to crash.

    Removal Instructions

    NOTE: These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

    1. Update the virus definitions.
    2. Run a full system scan, and delete all files that are detected as Backdoor.Antilam.g1.
    3. Delete the value

    foto C:\WINDOWS\SYSTEM\foto.exe

    from the registry key

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    To delete the value that the Trojan added to the registry:

    CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to make a backup of the Windows registry for instructions.

    1. Click Start, and click Run. The Run dialog box appears.
    2. Type regedit and then click OK. The Registry Editor opens.
    3. Navigate to the key

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    4. In the right pane, delete the value

    foto C:\WINDOWS\SYSTEM\foto.exe

    5. Exit the Registry Editor.

    NOTE: You may need to reinstall your antivirus or firewall products.
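The write-up above gives three host indicators (the Run value named foto pointing at %system%\foto.exe, and TCP ports 11831 and 29559 listening by default) and a manual removal step that deletes the Run value in regedit. As an added example, not part of the Symantec write-up or the original post, the script below checks a regedit export of the Run key and saved `netstat -an` output for those indicators and builds a .reg fragment that removes the value (regedit's `"name"=-` syntax deletes a value when the file is merged). The .reg text and netstat text are constructed samples in the format those tools produce, not captures from an infected machine. Note that "by default" means the attacker can rebuild the Trojan with other ports, so the port check confirms an infection but cannot rule one out; the Run value and file name are the more reliable indicators here, and the antivirus scan still has to remove foto.exe itself.

```python
"""Check exported Windows artifacts for the Backdoor.Antilam.g1 indicators
listed in the Symantec write-up and emit a .reg fragment that deletes the
Run value. Added example; the sample inputs are constructed, not captured."""

# Indicators taken from the write-up.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "foto"
FILE_NAME = "foto.exe"
DEFAULT_PORTS = {11831, 29559}


def parse_reg_export(text):
    """Parse a regedit export (REGEDIT4 / Windows Registry Editor 5.00 format)
    into {key: {value_name: data}}. Only string (REG_SZ) values are kept,
    which is all the Run key normally holds."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, data = line.split("=", 1)
            name = name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # regedit doubles backslashes inside string data.
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_run_indicators(reg_text):
    """Return (value_name, data) pairs under the Run key that match the
    Trojan's value name or its file name; the path is compared
    case-insensitively because the write-up shows it in upper case."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            if name.lower() == RUN_VALUE or data.lower().endswith("\\" + FILE_NAME):
                hits.append((name, data))
    return hits


def find_listening_ports(netstat_text):
    """Return the Trojan's default ports found in LISTENING state in
    `netstat -an` output (sorted). Other ports are ignored."""
    found = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].upper() == "TCP" and parts[-1].upper() == "LISTENING":
            port = int(parts[1].rsplit(":", 1)[1])
            if port in DEFAULT_PORTS:
                found.add(port)
    return sorted(found)


def removal_reg(value_name=RUN_VALUE):
    """Build a .reg file that deletes the Run value; '"name"=-' is regedit's
    delete-value syntax. Merging this does not touch the file on disk."""
    return 'REGEDIT4\r\n\r\n[%s]\r\n"%s"=-\r\n' % (RUN_KEY, value_name)


# Constructed sample of a Run key export from an infected Windows 98 host.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"foto"="C:\\WINDOWS\\SYSTEM\\foto.exe"
'''

# Constructed sample of `netstat -an` output from the same host.
SAMPLE_NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:11831          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:29559          0.0.0.0:0              LISTENING
"""

if __name__ == "__main__":
    print("Run values matching the write-up:", find_run_indicators(SAMPLE_REG))
    print("Default backdoor ports listening:", find_listening_ports(SAMPLE_NETSTAT))
    print("Merge this to delete the Run value:\n" + removal_reg())
```

On a real host you would export the key with `regedit /e run.reg HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`, redirect `netstat -an` to a file, and feed both files to the functions above; after merging the generated .reg, re-export the key to confirm the value is gone before rebooting.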
     