AntiLamer Backdoor

· Overview ·
· Origins ·
· Operation ·
· Risks ·
· Detection and Removal ·
· Research ·

Overview
Alias:	Backdoor.Antilam.11, Backdoor.Antilam.12.a, Backdoor.Antilam.12.b, Backdoor.Antilam.14.a, Backdoor.Antilam.14.c, Backdoor.Antilam.20.a, Backdoor.Antilam.20.b, Backdoor.Antilam.20.k, Backdoor.Antilam.20.m, Backdoor.Antilam.g1, BackDoor-AED trojan, PWS-LamLite trojan
See Also:	AntiLamer Light · Latinus
Category:	RAT: A Remote Administration Tool, or RAT, is a Trojan that when run, provides an attacker with the capability of remotely controlling a machine via a ""client"" in the attacker's machine, and a ""server"" in the victim's machine. Examples include Back Orifice, NetBus, SubSeven, and Hack'a'tack. What happens when a server is installed in a victim's machine depends on the capabilities of the trojan, the interests of the attacker, and whether or not control of the server is ever gained by another attacker -- who might have entirely different interests. Infections by remote administration Trojans on Windows machines are becoming as frequent as viruses. One common vector is through File and Print Sharing, when home users inadvertently open up their system to the rest of the world. If an attacker has access to the hard-drive, he/she can place the trojan in the startup folder. This will run the trojan the next time the user logs in. Another common vector is when the attacker simply e-mails the trojan to the user along with a social engineering hack that convinces the user to run it against their better judgment.
Variants:	AntiLamer Backdoor 1.0 AntiLamer Backdoor 1.1 AntiLamer Backdoor 1.2 AntiLamer Backdoor 1.3 AntiLamer Backdoor 1.4 AntiLamer Backdoor 1.4b AntiLamer Backdoor 2.0 AntiLamer Backdoor 2.01 Based on source of Latinus
Similar Pests:	RAT
Origins
Author:	Over G
Group:	XS-TEAM
By This Group:	AntiLamer Backdoor 1.0 ·
URL:	http://www.overg.com
Programming Language:	Delphi Compressed with: UPX
Date of Origin:	Variants from April, 1998 to July, 2004
Place of Origin:	Russia
Operation
Default Port:	29559, 47891 TCP More info about ports.
Storage Required:	AntiLamer Backdoor 1.0: at least 429 KB AntiLamer Backdoor 1.1: at least 629 KB AntiLamer BackDoor 1.2: at least 633 KB AntiLamer Backdoor 1.3: at least 1677 KB AntiLamer Backdoor 1.4: at least 1601 KB AntiLamer Backdoor 1.4b: at least 445 KB AntiLamer BackDoor 2.0: at least 1681 KB AntiLamer BackDoor 2.01: at least 197 KB
Restart:	1-1.3: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "MS Scandisk" HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "MS Scandisk" AntiLamer BackDoor 1.4 (c) Server: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "MS Windows 32" HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "MS Windows 32" c:\windows\win.ini, [windows] "run" Autostarting Pests
ScreenShot:

AntiLamer BackDoor 1.0

AntiLamer BackDoor 1.1

AntiLamer BackDoor 1.2

AntiLamer BackDoor 1.3 (b)

AntiLamer BackDoor 1.3 (b)

AntiLamer BackDoor 1.4

AntiLamer BackDoor 1.4

Anti-Lamer BackDoor 2.0

Anti-Lamer BackDoor 2.0

Antilamer 2.0 (m)

Risks
Detection Issues:	Difficult to detect by design. May hide from process list. May install with variable names in variable locations.
Detection and Removal
Automatic Removal:	PestPatrol detects this. PestPatrol removes this.
Manual Removal:	Follow these steps to remove AntiLamer Backdoor from your machine. Begin by backing up your registry and your system, and/or setting a Restore Point, to prevent trouble if you make a mistake.
	Stop Running Processes: Kill these running processes with Task Manager: 9031a947a7baf96049166384d63698b9.exe 9bc1f483c002e547c76d291ce387bb2c.exe alb.exe backdoor.antilam.14.c.exe backdoor.antilam.20.a.exe eba4184bf94005bdda70809600a2a61f.exe editserver.exe edtsrv.exe joiner.exe new_alb.exe server.exe
	Remove AutoRun Reference: Go To the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. If you find the value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ms windows 32, delete it and reboot the machine immediately. If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\ms windows 32, delete it and reboot the machine immediately.
	Unregister DLLs: Unregister these DLLs with Regsvr32, then reboot: edit.dll
	Clean Registry: Remove these registry items (if present) with RegEdit: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ms windows 32 HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\ms windows 32
	Remove Files: Remove these files (if present) with Windows Explorer: 9031a947a7baf96049166384d63698b9.exe 9bc1f483c002e547c76d291ce387bb2c.exe alb.exe backdoor.antilam.14.c.exe backdoor.antilam.20.a.exe eba4184bf94005bdda70809600a2a61f.exe edit.dat edit.dll editserver.exe edtsrv.exe help.html joiner.exe new_alb.exe readme.html readme.txt server.exe
Research
File Analyses:	AntiLamer Backdoor 1.0: alb.exe · server.exe AntiLamer Backdoor 1.1: alb.exe · edtsrv.exe · help.html · readme.txt · server.exe AntiLamer BackDoor 1.2: alb.exe · editserver.exe · help.html · readme.txt · server.exe AntiLamer Backdoor 1.3: alb.exe · edtsrv.exe · readme.txt · server.exe AntiLamer Backdoor 1.4: 9bc1f483c002e547c76d291ce387bb2c.exe · alb.exe · backdoor.antilam.14.c.exe · joiner.exe · server.exe AntiLamer Backdoor 1.4b: 9031a947a7baf96049166384d63698b9.exe · eba4184bf94005bdda70809600a2a61f.exe · edit.dat · readme.html AntiLamer BackDoor 2.0: alb.exe · backdoor.antilam.20.a.exe · edit.dll · edtsrv.exe · new_alb.exe · server.exe AntiLamer Backdoor 2.01: edit.dll · server.exe
More Info:	AllTheWeb, AltaVista, AOL Search, Ask Jeeves, Google, HotBot, Lycos, LookSmart, MSN, Yahoo!
Research By:	PestPatrol's Pest Research Center
Last Revised:	April 25, 2005