Backdoor.Lanfilt

Symantec Security Response - Backdoor.Lanfilt

Backdoor.Lanfilt is a backdoor Trojan that allows a hacker to gain access to the computer. The hacker can then delete, copy, and execute files and perform other actions. It attempts to terminate the process of security software, such as antivirus, firewall, and system-monitoring programs.

Type: Trojan Horse
Infection Length: 229,394 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Windows 3.x, Macintosh, OS/2, Unix, Linux

technical details

When Backdoor.Lanfilt runs, it does the following:

It copies itself as C:\%windir%\Run322.exe

NOTE: %windir% is a variable. The Trojan locates the Windows installation folder (by default this is C:\Windows or C:\Winnt) and copies itself to that location.

It adds the value

System C:\%windir%\run322.exe

to the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

so that the Trojan runs when you start Windows.

It creates a log file named C:\001.sys.

The Trojan opens three TCP ports to allow the hacker to remotely control the infected computer.

It attempts to terminate the process of security software, such as antivirus, firewall, and system-monitoring programs.

The Trojan's functionality allows the hacker to perform the following actions:

• Deliver system and network information to the hacker, including login names and cached network passwords.
• Run executable files.
• Create and delete folders.
• Shut down, restart, and log off Windows.
• Open or close the CD-ROM drive.
• Switch the monitor off and on.
• Steal configurations and passwords for AOL Instant Messenger, ICQ Messenger, and MSN Messenger.

removal instructions

NOTE: These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

• 
  1. Update the virus definitions.
  2. Run a full system scan, and delete all files that are detected as Backdoor.Lanfilt, and delete C:\001.sys.
  3. Delete the value
  
  System C:\%windir%\run322.exe
  
  from the registry key
  
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

To delete the value that the Trojan added to the registry:

CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to make a backup of the Windows registry for instructions.

• 
  1. Click Start, and click Run. The Run dialog box appears.
  2. Type regedit and then click OK. The Registry Editor opens.
  3. Navigate to the key
  
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  
  4. In the right pane, delete the value
  
  System C:\%windir%\run322.exe
  
  5. Exit the Registry Editor.