Backdoor.Lanfiltrator

Symantec Security Response - Backdoor.Lanfiltrator

Backdoor.Lanfiltrator is a backdoor Trojan that gives an attacker unauthorized access to a compromised computer. The detection is used for a family of Trojans that are produced by the Backdoor.Lanfiltrator generator.

Also Known As: Backdoor.LanFiltrator.10 [KAV]
Type: Trojan Horse
Infection Length: 231,434 bytes, 607,240 bytes
Systems Affected: Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP
Systems Not Affected: Windows 3.x, Microsoft IIS, Macintosh, Unix, Linux

technical details

Many characteristics of Backdoor.Lanfiltrator are defined at the stage when it is produced by a hacker who is using the Trojan generator.

When Backdoor.Lanfiltrator runs, it performs the following actions:

It copies itself as a predefined name into the %windir% or the %system% folder.

NOTES:

• %windir% is a variable. The Trojan locates the Windows installation folder (by default this is C:\Windows or C:\Winnt) and copies the file to that location.
• %system% is a variable. The Trojan locates the System folder and copies the file to that location. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The Trojan creates the value

<predefined value name> <path and file name>

in the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

so that the Trojan starts when you start Windows.

The Trojan may install hook procedures into a hook chain to monitor the system for keyboard and mouse inputs. This permits Backdoor.Lanfiltrator to intercept keystrokes. The Trojan may also terminate the processes of many antivirus and firewall products.

The commands allow the hacker to perform the following actions:

• Deliver system information to the hacker
• Perform annoying actions
• Intercept confidential information by hooking keystrokes
• Manage the installation of the Trojan
• Download and execute files
• Alter system parameters
• Perform a screen capture or a Web camera single-frame data capture
• Retrieve ICQ, MSN, and AIM instant messenger passwords
• Manage files and processes, and modify the registry
• Communicate with a server through an opened chat window

removal instructions

NOTE: These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

• 
  1. Update the virus definitions.
  2. Run a full system scan, and delete all files that are detected as Backdoor.Lanfiltrator.
  3. Delete the value that the Trojan added to the registry key
  
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

To delete the value from the registry:

CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to make a backup of the Windows registry for instructions.

• 
  1. Click Start, and click Run. The Run dialog box appears.
  2. Type regedit and then click OK. The Registry Editor opens.
  3. Navigate to the key
  
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  
  4. In the right pane, delete the value
  
  <name of the Trojan as detected by scan> <path and file name>
  
  5. Exit the Registry Editor.

 

For anyone worried, TDS has near idiotic amounts of detection for this trojan - all memory scan methods detect this trojan as well as normal file detection of 11 beta versions before the 1.0 release

 

With a Memory Scan it's not difficult to detect packed/encrypted trojans cuz the are in RAW Format in the Memory

-> Enumarete all Processes and make a loop for each process:

; Very simple example
; dump process and fix section headers...

; Note: take care of Win98 / NT system with memory management...
;So you should add a "IF OSisNT" for memory releated things

invoke VirtualAlloc, 0, SizeOfImage, MEM_COMMIT, PAGE_READWRITE
mov ptrSourceMap, eax

; dump image
invoke ReadProcessMemory, procinf.hProcess, Your_ImageBase, ptrSourceMap, SizeOfImage, addr hSourceFileMap

; set new entrypoint (here you can do some changes if nec.)
mov edi, ptrSourceMap
add edi, (IMAGE_DOS_HEADER ptr [edi]).e_lfanew
push   YOUR_RealEntry
pop (IMAGE_NT_HEADERS ptr [edi]).OptionalHeader.AddressOfEntryPoint

; fix section headers (if nec.)
mov edi, ptrSourceMap
add edi, SetionHeaderPtr
mov ecx, NumberOfSect
@@:
push (IMAGE_SECTION_HEADER ptr [edi]).VirtualAddress
pop (IMAGE_SECTION_HEADER ptr [edi]).PointerToRawData
push (IMAGE_SECTION_HEADER ptr [edi]).Misc.VirtualSize
pop (IMAGE_SECTION_HEADER ptr [edi]).SizeOfRawData
dec ecx
jz @F
add edi, sizeof IMAGE_SECTION_HEADER
jmp @B
@@:

; write fixed dump to disc
invoke   CreateFile, pDestinationFile, GENERIC_WRITE, 0, 0, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0
mov hSourceFile, eax
.IF eax == INVALID_HANDLE_VALUE
invoke   VirtualFree, ptrSourceMap, UPX_SizeOfImage, MEM_DECOMMIT
popad
mov eax, 3
ret
.ENDIF
invoke WriteFile, hSourceFile, ptrSourceMap, SizeOfImage, addr hSourceFileMap, 0
invoke CloseHandle, hSourceFile
invoke VirtualFree, ptrSourceMap, SizeOfImage, MEM_DECOMMIT

; ---> Scan DUMP (or scan it in the memory)

; terminate process (if backdoor)
invoke GetExitCodeProcess, procinf.hProcess, addr hSourceFileMap
invoke TerminateProcess, procinf.hProcess, hSourceFileMap
invoke CloseHandle, procinf.hProcess
invoke CloseHandle, procinf.hThread

; --- other things ---
...
; --- whoa and back ---
popad
xor eax, eax
ret

Dont forgot to make MapViewofFile

Gladiator,
the green guy