Discovered: June 10, 2002
Updated: June 12, 2002 5:12:32 PM
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000
Backdoor.AntiLam is a typical back door server program that allows a remote user to perform various actions on a compromised host. The backdoor creates a copy of itself in the Windows directory. The file name is configurable by the remote attacker; in the default configuration it is Scandisk.exe.
It then creates a reference to the back door executable file under the following registry key so that it is executed every time Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
The backdoor then typically opens the following TCP ports for communication with the attacker: port 47891 is used for direct control of the compromised system, and port 29559 is used by the backdoor for transferring files.
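The two indicators above (the Run key entry and the listening ports) can be checked offline from a `netstat -an` capture and a `.reg` export of the Run key. The script below is an added triage example and is not part of the Symantec write-up; the netstat output and the registry export it parses are constructed sample data, and the `C:\WINDOWS` directory is an assumption about the system being examined. Because the file name is attacker-configurable, a clean result on the Run key check does not rule the backdoor out; the port check and an antivirus scan remain necessary.

```python
"""Offline triage for the Backdoor.AntiLam indicators described in the write-up.
Added example, not Symantec's code. All sample data below is constructed."""
import ntpath
import re

# Indicators taken from the write-up.
CONTROL_PORT = 47891        # direct control of the compromised system
FILE_TRANSFER_PORT = 29559  # file transfer
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
DEFAULT_NAME = "scandisk.exe"  # default, attacker-configurable file name

# Constructed `netstat -an` output (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:47891          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:29559          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1043       198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Constructed .reg export of the Run key (backslashes are doubled in .reg files).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanDisk"="C:\\WINDOWS\\Scandisk.exe"
'''


def listening_ports(netstat_text):
    """Return the set of local TCP ports in LISTENING state from netstat -an output."""
    ports = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].upper() == "TCP" and parts[3].upper() == "LISTENING":
            ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports


def suspicious_ports(netstat_text):
    """Sorted list of the backdoor's known ports that are currently listening."""
    return sorted(p for p in listening_ports(netstat_text) if p in {CONTROL_PORT, FILE_TRANSFER_PORT})


def run_key_entries(reg_text):
    """Parse a .reg export and return {value_name: command} for the HKLM Run key only."""
    entries = {}
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key and current_key.lower() == RUN_KEY.lower():
            match = re.match(r'"([^"]+)"="(.*)"$', line)
            if match:
                # Undo the backslash doubling used by .reg files.
                entries[match.group(1)] = match.group(2).replace("\\\\", "\\")
    return entries


def command_executable(command):
    """Extract the executable path from a Run value (quoted or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def suspicious_run_entries(reg_text, windows_dir=r"C:\WINDOWS"):
    """Run entries whose target is the default-named file directly in the Windows directory.

    windows_dir is an assumption about the examined host; pass the real value
    (e.g. C:\\WINNT on Windows NT/2000) when running against a true export.
    """
    hits = {}
    for name, command in run_key_entries(reg_text).items():
        exe = command_executable(command)
        if (ntpath.dirname(exe).lower() == windows_dir.lower()
                and ntpath.basename(exe).lower() == DEFAULT_NAME):
            hits[name] = exe
    return hits


def triage(netstat_text, reg_text, windows_dir=r"C:\WINDOWS"):
    """Combine both checks into one report."""
    return {
        "listening_backdoor_ports": suspicious_ports(netstat_text),
        "run_entries": suspicious_run_entries(reg_text, windows_dir),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_NETSTAT, SAMPLE_REG))
```

On a real host, feed the script the saved output of `netstat -an` and a `reg export` (or regedit export) of the Run key; a hit on either check is grounds for a full antivirus scan, since this family is detected under more than one name.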
It then initiates an HTTP connection to a remote website (configured by the attacker) and posts the following information about the compromised system:
IP address
Username of the currently logged-in user
Operating system version
Computer name
Cached password
The back door allows the remote user to perform actions including the following:
Copy, delete, upload, or download files
View running processes
Terminate processes
Shut down the system
Display messages
View the screen
Log keystrokes
Clear CMOS
This back door server is a clone of the back door server described as W32/Latinus (MCID 429) and may be detected as such by some antivirus products.