1. Symantec-Broadcom-Horizontal/
  2. Security Response/
  3. Attack Signatures/
  4. System Infected: Backdoor.Exedapan Activity

System Infected: Backdoor.Exedapan Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.


This signature detects Backdoor.Lancafdo activity that opens a back door and may download more files on to the compromised computer.

Additional Information

When the Trojan is executed, it creates the following mutex so that only one instance of the Trojan is running on the compromised computer at a time:

Next, it creates the following files:

%System%/drivers/[RANDOM CHARACTERS].sys

Next, the Trojan creates a randomly named service and injects itself into the running process:

It registers itself as a service by creating registry entries under the following subkey:

The Trojan also creates the following registry subkey:

Next, it modifies the following registry entry:
HKEY_CURRENT_USER\.default\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Connections\"SavedLegacySettings" = "[BINARY DATA]"

It may then create the following registry entry:
HKEY_CURRENT_USER\.default\Software\Microsoft\Windows\CurrentVersion\InternetSettings\"ProxyEnable" = 0

The Trojan then attempts to send the following information, which may be encrypted, to a predetermined location:

Name of the compromised computer
Version of the Trojan


  • Windows 2000, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP


Disable System Restore (Windows Me/XP).
Update the virus definitions.
Run a full system scan.
Delete any values added to the registry.

  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube