
System Infected: Backdoor.Exedapan Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Backdoor.Lancafdo activity. The threat opens a back door on the compromised computer and may download additional files onto it.

Additional Information

When the Trojan is executed, it creates the following mutex so that only one instance of the Trojan is running on the compromised computer at a time:
{3D5A1694-CC2C-4ee7-A3D5-A879A9E3A623}

Next, it creates the following files:

%System%\drivers\[RANDOM CHARACTERS].sys
%System%\drivers\str.sys

Next, the Trojan creates a randomly named service and injects itself into a running instance of the following process:
%System%\svchost.exe

It registers itself as a service by creating registry entries under the following subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM CHARACTERS]

The Trojan also creates the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_[RANDOM CHARACTERS]

Because the service runs in the SYSTEM context, its proxy changes land in the .DEFAULT user profile rather than in an interactive user's hive. It modifies the following registry entry:
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\"SavedLegacySettings" = "[BINARY DATA]"

It may then create the following registry entry, which turns off any configured proxy for that profile:
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"ProxyEnable" = 0

The Trojan then attempts to send the following information, which may be encrypted, to a predetermined location:

Name of the compromised computer
Version of the Trojan
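The indicators above (the mutex, str.sys, a randomly named kernel-driver service with its LEGACY_ enum key, and the .DEFAULT-profile proxy changes) can be checked on a live host before or alongside a full scan. The script below is an added triage example written for this page, not Symantec's own tooling; the function names (Test-ExedapanMutex, Get-SuspiciousDriverServices, Get-DefaultProfileProxySettings, Resolve-ImagePath) are hypothetical. Run it from an elevated PowerShell prompt. Because the service and driver names are random, the driver check reports every Type 1 service whose image is missing or not Authenticode-signed as a candidate rather than a verdict, and a clean result does not prove the machine is uninfected.

```powershell
# Added triage example for the Backdoor.Exedapan indicators on this page (hypothetical
# helper, not Symantec's tooling). Literal values (mutex, str.sys, proxy key) come from the
# page; random service/driver names cannot be matched literally, so those are flagged for review.

$Script:Indicators = [ordered]@{
    Mutex       = '{3D5A1694-CC2C-4ee7-A3D5-A879A9E3A623}'
    DriverFile  = Join-Path $env:SystemRoot 'System32\drivers\str.sys'
    ServicesKey = 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services'
    LegacyRoot  = 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root'
    ProxyKey    = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
}

function Test-ExedapanMutex {
    # Opening the mutex succeeds only while a process holding it is alive, so this
    # detects a currently running instance, not a dormant install.
    param([string]$Name = $Script:Indicators.Mutex)
    foreach ($candidate in @($Name, "Global\$Name")) {
        $m = $null
        try {
            if ([System.Threading.Mutex]::TryOpenExisting($candidate, [ref]$m)) {
                $m.Dispose()
                return $candidate
            }
        } catch [System.UnauthorizedAccessException] {
            # The mutex exists but belongs to another security context (e.g. SYSTEM): still a hit.
            return $candidate
        }
    }
    return $null
}

function Resolve-ImagePath {
    # Normalise the ImagePath forms seen under Services (\??\, \SystemRoot\, System32\, %VAR%).
    param([string]$ImagePath)
    $p = $ImagePath.Trim('"') -replace '^\\\?\?\\', ''
    if ($p -match '^\\SystemRoot\\')   { $p = $p -replace '^\\SystemRoot', $env:SystemRoot }
    elseif ($p -match '^System32\\')   { $p = Join-Path $env:SystemRoot $p }
    return [Environment]::ExpandEnvironmentVariables($p)
}

function Get-SuspiciousDriverServices {
    # Kernel-driver services (Type 1) whose image is missing or not Authenticode-signed,
    # plus whether a matching Enum\Root\LEGACY_<NAME> key exists. Catalog-signed Microsoft
    # drivers can report NotSigned here, so review the output rather than acting on it blindly.
    Get-ChildItem $Script:Indicators.ServicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $svc = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
        if ($svc.Type -ne 1 -or -not $svc.ImagePath) { return }
        $file   = Resolve-ImagePath $svc.ImagePath
        $status = if (Test-Path $file) { (Get-AuthenticodeSignature $file).Status } else { 'Missing' }
        if ($status -ne 'Valid') {
            # Enum\Root is ACL-restricted; a False here may mean "access denied", not "absent".
            $legacyKey = Join-Path $Script:Indicators.LegacyRoot "LEGACY_$($_.PSChildName.ToUpper())"
            [pscustomobject]@{
                Service       = $_.PSChildName
                ImagePath     = $file
                Signature     = $status
                LegacyEnumKey = Test-Path $legacyKey -ErrorAction SilentlyContinue
            }
        }
    }
}

function Get-DefaultProfileProxySettings {
    # The page says the Trojan rewrites SavedLegacySettings and sets ProxyEnable = 0 in the
    # .DEFAULT profile; dump both so the values can be compared with a known-good host.
    $key = $Script:Indicators.ProxyKey
    if (-not (Test-Path $key)) { return $null }
    $p = Get-ItemProperty $key -ErrorAction SilentlyContinue
    $c = Get-ItemProperty (Join-Path $key 'Connections') -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProxyEnable         = $p.ProxyEnable
        SavedLegacySettings = if ($c.SavedLegacySettings) { [BitConverter]::ToString($c.SavedLegacySettings) } else { $null }
    }
}

$hit = Test-ExedapanMutex
'Mutex {0}: {1}' -f $Script:Indicators.Mutex, $(if ($hit) { "PRESENT as $hit" } else { 'not present' })
'str.sys: {0}'   -f $(if (Test-Path $Script:Indicators.DriverFile) { 'PRESENT' } else { 'not present' })
Get-SuspiciousDriverServices | Format-Table -AutoSize
Get-DefaultProfileProxySettings | Format-List
```

Anything the script reports is a lead to confirm with updated definitions and a full system scan, not a standalone verdict: unsigned third-party drivers are common on older hosts, and the mutex check only fires while the back door is actually running.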

Affected

  • Windows 2000, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP

Response

Disable System Restore (Windows Me/XP).
Update the virus definitions.
Run a full system scan.
Delete any values added to the registry.
