Discussion in 'malware problems & news' started by Randy_Bell, Dec 13, 2002.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    May 24, 2002
    Santa Clara, CA
    Symantec Security Response - Backdoor.Lanfiltrator

    Backdoor.Lanfiltrator is a backdoor Trojan that gives an attacker unauthorized access to a compromised computer. The detection is used for a family of Trojans that are produced by the Backdoor.Lanfiltrator generator.

    Also Known As: Backdoor.LanFiltrator.10 [KAV]
    Type: Trojan Horse
    Infection Length: 231,434 bytes, 607,240 bytes
    Systems Affected: Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP
    Systems Not Affected: Windows 3.x, Microsoft IIS, Macintosh, Unix, Linux

    technical details

    Many characteristics of Backdoor.Lanfiltrator are defined at the stage when it is produced by a hacker who is using the Trojan generator.

    When Backdoor.Lanfiltrator runs, it performs the following actions:

    It copies itself as a predefined name into the %windir% or the %system% folder.


    • %windir% is a variable. The Trojan locates the Windows installation folder (by default this is C:\Windows or C:\Winnt) and copies the file to that location.
    • %system% is a variable. The Trojan locates the System folder and copies the file to that location. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

    The Trojan creates the value

    <predefined value name> <path and file name>

    in the registry key


    so that the Trojan starts when you start Windows.

    The Trojan may install hook procedures into a hook chain to monitor the system for keyboard and mouse inputs. This permits Backdoor.Lanfiltrator to intercept keystrokes. The Trojan may also terminate the processes of many antivirus and firewall products.

    The commands allow the hacker to perform the following actions:

    • Deliver system information to the hacker
    • Perform annoying actions
    • Intercept confidential information by hooking keystrokes
    • Manage the installation of the Trojan
    • Download and execute files
    • Alter system parameters
    • Perform a screen capture or a Web camera single-frame data capture
    • Retrieve ICQ, MSN, and AIM instant messenger passwords
    • Manage files and processes, and modify the registry
    • Communicate with a server through an opened chat window

    removal instructions

    NOTE: These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

    • 1. Update the virus definitions.
      2. Run a full system scan, and delete all files that are detected as Backdoor.Lanfiltrator.
      3. Delete the value that the Trojan added to the registry key


    To delete the value from the registry:

    CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to make a backup of the Windows registry for instructions.

    • 1. Click Start, and click Run. The Run dialog box appears.
      2. Type regedit and then click OK. The Registry Editor opens.
      3. Navigate to the key


      4. In the right pane, delete the value

      <name of the Trojan as detected by scan> <path and file name>

      5. Exit the Registry Editor.
  2. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Feb 10, 2002
    Perth, Western Australia
    For anyone worried, TDS has near idiotic amounts of detection for this trojan - all memory scan methods detect this trojan as well as normal file detection of 11 :eek: beta versions before the 1.0 release :)
  3. Gladiator

    Gladiator Guest

    With a Memory Scan it's not difficult to detect packed/encrypted trojans cuz the are in RAW Format in the Memory

    -> Enumarete all Processes and make a loop for each process:

    ; Very simple example
    ; dump process and fix section headers...

    ; Note: take care of Win98 / NT system with memory management...
    ;So you should add a "IF OSisNT" for memory releated things

    invoke VirtualAlloc, 0, SizeOfImage, MEM_COMMIT, PAGE_READWRITE
    mov ptrSourceMap, eax

    ; dump image
    invoke ReadProcessMemory, procinf.hProcess, Your_ImageBase, ptrSourceMap, SizeOfImage, addr hSourceFileMap

    ; set new entrypoint (here you can do some changes if nec.)
    mov edi, ptrSourceMap
    add edi, (IMAGE_DOS_HEADER ptr [edi]).e_lfanew
    push   YOUR_RealEntry
    pop (IMAGE_NT_HEADERS ptr [edi]).OptionalHeader.AddressOfEntryPoint

    ; fix section headers (if nec.)
    mov edi, ptrSourceMap
    add edi, SetionHeaderPtr
    mov ecx, NumberOfSect
    push (IMAGE_SECTION_HEADER ptr [edi]).VirtualAddress
    pop (IMAGE_SECTION_HEADER ptr [edi]).PointerToRawData
    push (IMAGE_SECTION_HEADER ptr [edi]).Misc.VirtualSize
    pop (IMAGE_SECTION_HEADER ptr [edi]).SizeOfRawData
    dec ecx
    jz @F
    add edi, sizeof IMAGE_SECTION_HEADER
    jmp @B

    ; write fixed dump to disc :D
    invoke   CreateFile, pDestinationFile, GENERIC_WRITE, 0, 0, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0
    mov hSourceFile, eax
    invoke   VirtualFree, ptrSourceMap, UPX_SizeOfImage, MEM_DECOMMIT
    mov eax, 3
    invoke WriteFile, hSourceFile, ptrSourceMap, SizeOfImage, addr hSourceFileMap, 0
    invoke CloseHandle, hSourceFile
    invoke VirtualFree, ptrSourceMap, SizeOfImage, MEM_DECOMMIT

    ; ---> Scan DUMP (or scan it in the memory)

    ; terminate process (if backdoor)
    invoke GetExitCodeProcess, procinf.hProcess, addr hSourceFileMap
    invoke TerminateProcess, procinf.hProcess, hSourceFileMap
    invoke CloseHandle, procinf.hProcess
    invoke CloseHandle, procinf.hThread

    ; --- other things ---
    ; --- whoa and back :D ---
    xor eax, eax

    Dont forgot to make MapViewofFile :)

    the green guy :)
Thread Status:
Not open for further replies.