Symantec Security Response - Backdoor.Lanfiltrator

Backdoor.Lanfiltrator is a backdoor Trojan that gives an attacker unauthorized access to a compromised computer. The detection covers a family of Trojans produced by the Backdoor.Lanfiltrator generator.

Also Known As: Backdoor.LanFiltrator.10 [KAV]
Type: Trojan Horse
Infection Length: 231,434 bytes, 607,240 bytes
Systems Affected: Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP
Systems Not Affected: Windows 3.x, Microsoft IIS, Macintosh, Unix, Linux

Technical Details

Many characteristics of Backdoor.Lanfiltrator are fixed when the attacker builds a sample with the Trojan generator, so the file name, the registry value name, and the set of enabled features vary from sample to sample.

When Backdoor.Lanfiltrator runs, it performs the following actions:

1. It copies itself, under a name chosen at generation time, into the %windir% or the %system% folder.

   NOTES:
   - %windir% is a variable. The Trojan locates the Windows installation folder (by default C:\Windows or C:\Winnt) and copies the file to that location.
   - %system% is a variable. The Trojan locates the System folder and copies the file to that location. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

2. It creates a value of the form <predefined value name> = <path and file name> in the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run so that the Trojan starts each time Windows starts. Both the value name and the file it points to are chosen by the generator, so they cannot be listed here; the value is recognizable by its data, which points to the copied file in %windir% or %system%.

3. It may install hook procedures into the system hook chain to monitor keyboard and mouse input. This permits Backdoor.Lanfiltrator to intercept keystrokes.

4. It may also terminate the processes of many antivirus and firewall products.
Once running, the Trojan accepts commands from the attacker. The commands allow the attacker to perform the following actions:

- Deliver system information to the attacker
- Perform nuisance actions
- Intercept confidential information by hooking keystrokes
- Manage the installation of the Trojan
- Download and execute files
- Alter system parameters
- Perform a screen capture or capture a single frame from a Web camera
- Retrieve ICQ, MSN, and AIM instant messenger passwords
- Manage files and processes, and modify the registry
- Communicate through a chat window that the Trojan opens

Removal Instructions

NOTE: These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Update the virus definitions.
2. Run a full system scan, and delete all files that are detected as Backdoor.Lanfiltrator. Because the Trojan may terminate antivirus processes, confirm that the scanner is actually running before you start the scan, and note the path and file name of each detected file; you need it to identify the registry value in the next step.
3. Delete the value that the Trojan added to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

To delete the value from the registry:

CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to make a backup of the Windows registry for instructions.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
4. In the right pane, delete the value whose data is the path and file name of the file that the scan detected as Backdoor.Lanfiltrator. The value name is set by the Trojan generator and differs between samples, so match on the data, not on the name.
5. Exit the Registry Editor.
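The Run-key persistence described under Technical Details and the manual registry cleanup above can be audited and performed from a script. The PowerShell below is an added example written for this page; it is not Symantec's code and is not part of the original writeup. It assumes an elevated prompt on a current Windows version (the Windows 9x and NT-era systems listed in the advisory predate PowerShell), and the -RemoveValueName parameter is a hypothetical name that takes whatever value name the audit output or the antivirus scan identified.

```powershell
# Added example, not Symantec's code: audit HKLM\...\Run for values whose data
# points into %windir% or %system% and is not Microsoft-signed, then optionally
# back up the key and delete one named value (the advisory's steps 3-5).
# Assumption: run from an elevated PowerShell prompt.
param(
    [string]$RemoveValueName    # hypothetical parameter: value name to delete, if any
)

$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$windir = [Environment]::GetFolderPath('Windows')   # %windir%
$system = [Environment]::GetFolderPath('System')    # %system%

# Turn a Run value's command line into a bare file path: expand %vars%, strip
# surrounding quotes, and drop trailing arguments.
function Get-ImagePath {
    param([string]$Command)
    $expanded = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($expanded.StartsWith('"')) {
        return $expanded.Split('"')[1]
    }
    # Unquoted path that may contain spaces: try progressively shorter prefixes
    # until one names an existing file.
    $parts = $expanded -split ' '
    for ($i = $parts.Length; $i -ge 1; $i--) {
        $candidate = ($parts[0..($i - 1)] -join ' ')
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $expanded
}

$key = Get-Item -Path $runKey
foreach ($name in $key.GetValueNames()) {
    $path = Get-ImagePath ($key.GetValue($name))
    $inWinDir = ($path -like "$windir\*") -or ($path -like "$system\*")
    # A legitimate Microsoft component in %system% carries a valid signature;
    # a dropped Trojan binary normally does not.
    $sig = if (Test-Path -LiteralPath $path) {
        (Get-AuthenticodeSignature -FilePath $path).Status
    } else { 'MISSING' }
    $flag = if ($inWinDir -and $sig -ne 'Valid') { 'SUSPECT' } else { '' }
    '{0,-8} {1,-30} {2,-12} {3}' -f $flag, $name, $sig, $path
}

if ($RemoveValueName) {
    # Back up the whole Run key first, as the advisory's CAUTION requires.
    $backup = Join-Path $env:TEMP ('Run-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' $backup /y | Out-Null
    Remove-ItemProperty -Path $runKey -Name $RemoveValueName
    "Removed value '$RemoveValueName'; backup written to $backup"
}
```

Run it once with no arguments to list every Run value with its signature status and a SUSPECT flag where the target lives in %windir% or %system% without a valid Authenticode signature; then, after the scan has deleted the file, run it again with -RemoveValueName set to the flagged name to export the key and remove the value. The flag is a triage hint, not a detection: confirm the file against the scan result before deleting anything.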