Backdoor.AntiLam

Discovered: June 10, 2002
Updated: June 12, 2002 5:12:32 PM
Systems Affected: Windows

Backdoor.AntiLam is a back door server program that allows a remote attacker to access the compromised system. The back door can also install a keylogger on the system.

Antivirus Protection Dates

  • Initial Rapid Release version June 07, 2002
  • Latest Rapid Release version January 15, 2018 revision 020
  • Initial Daily Certified version June 07, 2002 revision 003
  • Latest Daily Certified version January 15, 2018 revision 024

Backdoor.AntiLam is a typical back door server program that allows a remote user to perform various actions on a compromised host. The back door creates a copy of itself in the Windows directory. The file name is configurable by the remote attacker, but in the default configuration it is Scandisk.exe.

It then creates a reference to the back door executable file in the following registry hive in order to execute it every time Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

The back door then typically opens two TCP ports for communication with the attacker: port 47891 is used for direct control of the compromised system, and port 29559 is used by the back door for transferring files.
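A small host triage check for the indicators described above (the Run-key entry pointing at Scandisk.exe and the two listening TCP ports), as an added example that is not part of the Symantec writeup. The registry values and netstat-style lines it parses are constructed samples; on a live host you would feed it the output of `reg query` and `netstat -ano`.

```python
import re

# Constructed sample data (not captured from a real host): an HKLM ...\Run
# value listing and a netstat -ano style socket table, each with one
# benign entry and the entries the writeup describes.
SAMPLE_RUN_VALUES = {
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "Scandisk": r"C:\WINDOWS\Scandisk.exe",
}
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:47891          0.0.0.0:0              LISTENING       2044
  TCP    0.0.0.0:29559          0.0.0.0:0              LISTENING       2044
  TCP    192.0.2.10:49712       198.51.100.7:443       ESTABLISHED     1500
"""

BACKDOOR_PORTS = {47891, 29559}    # control port and file-transfer port from the writeup
DEFAULT_FILENAME = "scandisk.exe"  # default copy name from the writeup

def suspicious_run_entries(run_values):
    """Return Run-key value names whose command runs a file named Scandisk.exe.
    Only the file name is compared, since the attacker can rename the copy
    and the Windows directory path differs between Windows versions."""
    hits = []
    for name, command in run_values.items():
        exe = command.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
        if exe.lower() == DEFAULT_FILENAME:
            hits.append(name)
    return hits

def listening_backdoor_ports(netstat_text):
    """Parse netstat -ano style lines; return {port: pid} for LISTENING
    TCP sockets bound to one of the back door's ports."""
    found = {}
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)", line)
        if m and int(m.group(1)) in BACKDOOR_PORTS:
            found[int(m.group(1))] = int(m.group(2))
    return found

def assess(run_values, netstat_text):
    """Combine both checks into a list of (indicator, detail) findings."""
    findings = [("run_key", name) for name in suspicious_run_entries(run_values)]
    findings += [("listening_port", f"{port} pid {pid}")
                 for port, pid in sorted(listening_backdoor_ports(netstat_text).items())]
    return findings

if __name__ == "__main__":
    for kind, detail in assess(SAMPLE_RUN_VALUES, SAMPLE_NETSTAT):
        print(f"{kind}: {detail}")
```

Both ports bound by the same PID, together with a Run-key entry for Scandisk.exe, is the combination worth escalating; either indicator alone can have benign explanations.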

It will initiate an HTTP connection to a remote website (configured by the attacker) and post the following information about the compromised system:

  • IP address
  • Username of the currently logged-in user
  • Operating system version
  • Computer name
  • Cached password

The back door allows the remote user to perform some of the following actions:

  • Copy, delete, upload, or download files
  • View running processes
  • Terminate processes
  • Shut down the system
  • Display messages
  • View the screen
  • Log keystrokes
  • Clear CMOS

This back door server is a clone of the back door server described as W32/Latinus (MCID 429) and may be detected as such by some antivirus products.