Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:14/03/2006
Type:Backdoor Server
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:762.880 Bytes
MD5 checksum:78ca704d9450e10D2d5555ee75dfcbf3
VDF version:

 General Method of propagation:
   • No own spreading routine

   •  Symantec: Backdoor.Graybird
   •  Mcafee: BackDoor-AWQ
   •  Bitdefender: Backdoor.Graybird.GH

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Registry modification
   • Third party control

 Files It copies itself to the following location:
   • %WINDIR%\caner.exe

The following files are created:


It tries to download a file:

– The location is the following:

 Registry The following registry keys are added in order to load the service after reboot:

– HKLM\SYSTEM\CurrentControlSet\Services\CanerServer
   • "Type"=dword:00000110
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000000
   • "ImagePath"=%WINDIR%\Caner.exe
   • "DisplayName"="CanerServer"
   • "ObjectName"="LocalSystem"
   • "Description"="ϵͳÄÚ´æ¼à¿Ø·þÎñ"

– [HKLM\SYSTEM\CurrentControlSet\Services\CanerServer\Security]
   • Security = %hex values%

– [HKLM\SYSTEM\CurrentControlSet\Services\CanerServer\Enum]
   • "0"="Root\\LEGACY_CANERSERVER\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001

 Backdoor Contact server:
The following:
   • %IP address taken from downloaded file%

As a result it may send information and remote control could be provided.

 Injection – It injects itself into a process.

    Process name:

 Miscellaneous Mutex:
It creates the following Mutex:

 File details Programming language:
The malware program was written in Delphi.

Description inserted by Victor Tone on Tuesday, March 14, 2006
Description updated by Victor Tone on Wednesday, March 15, 2006

Back . . . .