Backdoor.Lolok

Symantec Security Response - Backdoor.Lolok

Backdoor.Lolok is a backdoor Trojan that uses the mIRC client to give a hacker access to the computer. By default, it establishes an IRC connection to irc.tu-pac.net on port 9876.

Type: Trojan Horse
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Windows 3.x, Macintosh, OS/2, Unix, Linux

technical details

Backdoor.Lolok typically arrives in an email message or is presented for download over an IRC channel. It may be disguised as a video file.

When Backdoor.Lolok runs, it does the following:

It creates the file

%windir%\Temp\Irsetup.exe

and the subfolder

%windir%\System\Helpus

where it places the remainder of the files that it creates.

NOTE: %windir% is a variable. The Trojan locates the Windows installation folder (by default this is C:\Windows or C:\Winnt) and copies itself to that location.

Backdoor.Lolok creates the value

Systen %windir%\SYSTEM\HELPUS\INTIRNAT.EXE

in the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

so that the Trojan runs each time that you start Windows.

NOTE: The value "Systen" is spelled as shown.

Backdoor.Lolok also modifies the run= line of the Win.ini file to

run=c:\

By default, Backdoor.Lolok establishes an IRC connection to irc.tu-pac.net on port 9876. It then sends a notification message to the hacker.

This allows the hacker to send commands to the backdoor, which then carries out the commands. For example, it can upload and download files, execute scripts, and so on.

removal instructions

NOTE: These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

• 
  1. Update the virus definitions.
  2. Run a full system scan, and delete all files that are detected as Backdoor.Lolok.
  3. Uninstall mIRC from the Windows Control Panel, as well as the %windir%\System\Helpus folder if you are prompted. (You may have to delete this folder manually.)
  4. Delete the value
  
  %windir%\System\Helpus
  
  from the registry key
  
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  
  5. (Windows 95/98/Millenium only) Remove the text that the Trojan added to the Win.ini file.

To uninstall mIRC and delete the Helpus folder:

• 
  1. Open the Windows Control panel, and click Add/Remove.
  2. Remove mIRC, and follow the prompts. If you are prompted to delete the %windir%\System\Helpus folder, click Yes.
  3. Use Windows Explorer to browse to %windir%\System, and see whether the \Helpus folder still exists. If so, delete it.

To delete the value that the Trojan added to the registry:

CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to make a backup of the Windows registry for instructions.

• 
  1. Click Start, and click Run. The Run dialog box appears.
  2. Type regedit and then click OK. The Registry Editor opens.
  3. Navigate to the key
  
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  
  4. In the right pane, delete the value
  
  %windir%\System\Helpus
  
  5. Exit the Registry Editor.

To remove the text that the Trojan added to the Win.ini file:
This is necessary only on Windows 95/98/Millenium-based computers.

NOTE for Windows Me users only: Due to the file-protection process in Windows Me, a backup copy of the file that you are about to edit exists in the C:\Windows\Recent folder. Symantec recommends that you delete this file before you continue with the steps in this section. To do this using Windows Explorer, go to C:\Windows\Recent, and in the right pane select the Win.ini file and delete it. It will be regenerated as a copy of the file that you are about to edit when you save your changes to that file.

• 
  1. Click Start, and click Run.
  2. Type the following, and then click OK.
  
  edit c:\windows\win.ini
  
  The MS-DOS Editor opens.
  
  NOTE: If Windows is installed in a different location, make the appropriate path substitution.
  
  3. In the [windows] section of the file, look for this entry:
  
  run=c:
  
  4. DeIete the =c: portion of the entry.
  5. Click File, and click Save.
  6. Click File, and click Exit.