Lost Door is a backdoor trojan horse family of more than 10 variants that can infect Windows operating systems from 95 to XP. It was created by OussamiO and built in Visual Basic. It uses the typical server, server builder and client configuration of a backdoor: the victim machine runs the server component, whose behaviour is set by the server editor, and the remote user operates the client to execute arbitrary code on the compromised machine. When running, the server component (75,053 bytes) connects to a predefined IP address on TCP port 2185 and awaits commands; the remote user at the client component can then execute arbitrary code at will on the compromised machine.
Features
Lost Door allows many malicious actions on the victim's machine. Some of its abilities include:
- Reverse connection
- Webcam shot
- Date and time manager
- Printer
- Control panel
- PC control
- Executor
- DOS command
- Windows manager
- Screen shot
- Remote server manager
- Server remover
- IP Grabber
- Server Downloader
- Icon Changer
- Audio Streaming
- Encrypt Settings
- Volume Control
- Connection Logs
- Installed Application
- Infect All USB
- Multilanguage
- Services Viewer
- Remote passwords
- MSN Controller
- Remote Shell
- Chat with server
- Send fake messages
- Files manager
- Find files
- Change remote screen resolution
- Information about remote computer
- Clipboard manager
- Internet Explorer options
- Running Process
- Online key-logger
- Offline keylogger
- Fun Menu
Infection Method
Lost Door's server creator offers features intended to evade antivirus and firewall software and to let the server run stealthily in the background. The software only runs completely (including its rootkit component) on Windows XP/2000. These features include disabling security software, removing and disabling System Restore points, and displaying a fake error message to mislead the victim.
This version is now detectable by ESET NOD32 Antivirus. For other AVs, I have not checked.
Server
Dropped Files:
c:\WINDOWS\system32\dlllhost.exe
Size: 129,808 bytes
Added to Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Winupdate"
Data: C:\WINDOWS\system32\dlllhost.exe
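As an added, defender-side example (not from the original post or from any of its sources), the following Python script turns the indicators given in this post (the dlllhost.exe drop path, the "Winupdate" Run value, and the outbound connection to TCP port 2185 described in the introduction) into checks over host data. The Run-key entries, file listing and connection lines it scans are constructed sample data in the column layout of `netstat -ano` output, and the lookalike check is an added heuristic, not something the post states: the dropped file's name imitates dllhost.exe, the legitimate Windows COM Surrogate binary, with one extra letter.

```python
import re
from typing import Dict, List

# Indicators from the write-up above: the dropped file, its Run-key persistence
# value and the C2 port. Everything under SAMPLE_* below is constructed test data.
DROPPED_FILE = r"c:\windows\system32\dlllhost.exe"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Winupdate"
C2_PORT = 2185

# Added heuristic (not from the post): the dropped file name mimics the legitimate
# COM Surrogate binary dllhost.exe with an extra "l"; flag any "dl{3,}host.exe"
# while leaving the genuine two-"l" name alone.
LOOKALIKE = re.compile(r"\\dl{3,}host\.exe$")

# One line per socket, in the column order of "netstat -ano" output:
# proto, local address, remote address, state, pid.
CONN_LINE = re.compile(
    r"^(?P<proto>TCP)\s+(?P<src>\S+):(?P<sport>\d+)\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)\s+(?P<state>\S+)\s+(?P<pid>\d+)$"
)


def check_run_entries(entries: Dict[str, str]) -> List[str]:
    """Flag Run-key values matching the Lost Door persistence entry.

    `entries` maps value name -> data, as exported from the Run key.
    """
    findings = []
    for name, data in entries.items():
        path = data.strip('"').lower()
        if name.lower() == RUN_VALUE.lower() or path == DROPPED_FILE:
            findings.append(f"run-key IoC: {RUN_KEY}\\{name} = {data}")
        elif LOOKALIKE.search(path):
            findings.append(f"run-key dllhost.exe lookalike: {name} = {data}")
    return findings


def check_files(files: Dict[str, int]) -> List[str]:
    """Flag the dropped file by path; `files` maps path -> size in bytes.

    The post gives 129,808 bytes for the drop, but a rebuilt server can differ
    in size, so the size is reported rather than required to match.
    """
    return [
        f"dropped file: {path} ({size} bytes)"
        for path, size in files.items()
        if path.lower() == DROPPED_FILE or LOOKALIKE.search(path.lower())
    ]


def check_connections(lines: List[str]) -> List[str]:
    """Flag outbound TCP sessions to the Lost Door C2 port."""
    findings = []
    for line in lines:
        m = CONN_LINE.match(line.strip())
        if m and int(m["dport"]) == C2_PORT and m["state"] in ("ESTABLISHED", "SYN_SENT"):
            findings.append(
                f"C2 connection: pid {m['pid']} -> {m['dst']}:{m['dport']} ({m['state']})"
            )
    return findings


def scan_host(run_entries: Dict[str, str], files: Dict[str, int],
              connections: List[str]) -> List[str]:
    """Run all three checks and return every finding."""
    return check_run_entries(run_entries) + check_files(files) + check_connections(connections)


# Constructed sample data describing one infected-looking host.
SAMPLE_RUN_ENTRIES = {
    "Winupdate": r"C:\WINDOWS\system32\dlllhost.exe",
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
}
SAMPLE_FILES = {
    r"C:\WINDOWS\system32\dlllhost.exe": 129808,
    r"C:\WINDOWS\system32\dllhost.exe": 5120,   # legitimate name, must not be flagged
}
SAMPLE_CONNECTIONS = [
    "TCP    192.168.1.10:49211    203.0.113.5:2185     ESTABLISHED    1840",
    "TCP    192.168.1.10:49212    198.51.100.7:443     ESTABLISHED    2204",
    "TCP    0.0.0.0:135           0.0.0.0:0            LISTENING      812",
]

if __name__ == "__main__":
    for finding in scan_host(SAMPLE_RUN_ENTRIES, SAMPLE_FILES, SAMPLE_CONNECTIONS):
        print(finding)
```

On a real host the three inputs would come from a Run-key export, a listing of `%SystemRoot%\system32`, and `netstat -ano`; the connection check keys on the destination port alone because the post names the port but no fixed address, so an established session to 2185 is the signal worth following up, together with the owning PID.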