Virus:BDS/GrayBird.LE
Date discovered:21/09/2006
Type:Backdoor Server
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:384.835 Bytes
MD5 checksum:aba8e6611ab80E5d747b32464674faf6
VDF version:6.35.01.115
IVDF version:6.35.01.116 - Monday, August 21, 2006

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Mcafee: BackDoor-ARR trojan
   •  Kaspersky: Backdoor.Win32.GrayBird.le
   •  Sophos: Troj/Bckdr-OXB
   •  Bitdefender: Backdoor.Graybird.FN


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a file
   • Drops a file
   • Registry modification
   • Third party control

Files
It copies itself to the following location:
   • %WINDIR%\Hacker.com.cn.ini



It deletes the initially executed copy of itself.



The following file is created:
   • %WINDIR%\uninstal.bat
It is executed as soon as it has been fully written. This batch file is used to delete a file.



It tries to download a file:

– The location is the following:
   • http://www.bfliao.27h.com/**********
At the time of writing, this file was no longer online, so it could not be investigated further.

Registry
The following registry keys are added:

– [HKLM\SYSTEM\CurrentControlSet\Services\Windows XP Vista ]
   • "Type"=dword:00000110
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000000
   • "ImagePath"="%WINDIR%\Hacker.com.cn.ini"
   • "DisplayName"="Windows XP Vista "
   • "ObjectName"="LocalSystem"
   • "Description"="灰鸽子服务端程序。远程监控管理." (GBK-encoded Chinese: "Gray Pigeon server-side program. Remote monitoring and management.")

– [HKLM\SYSTEM\CurrentControlSet\Services\Windows XP Vista \
   Security]
   • "Security"=%hex values%

– [HKLM\SYSTEM\CurrentControlSet\Services\Windows XP Vista \
   Enum]
   • "0"="Root\LEGACY_WINDOWS_XP_VISTA________\0000"

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\
   LEGACY_WINDOWS_XP_VISTA________\0000\Control]
   • "*NewlyCreated*"=dword:00000000
   • "ActiveService"="Windows XP Vista "
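The file and registry indicators above describe a service whose ImagePath points at a file with an .ini extension in %WINDIR%, registered under a look-alike name with a trailing space, running interactively as LocalSystem. The following script is an added example (not part of the original description) that hunts a `reg export` of the Services hive for exactly those traits, and it generalises beyond this sample: any service whose image is not an .exe/.sys/.dll, any padded service name, and any interactive LocalSystem service is reported. The embedded SAMPLE_REG text is constructed for the example; the Type and Start decodings are the documented Service Control Manager values.

```python
"""Hunt a registry export for service entries that look like the persistence
described above: an ImagePath with a non-executable extension, a look-alike
service name padded with whitespace, and an interactive service running as
LocalSystem. Added example; SAMPLE_REG is constructed, not a real export."""
import re
from typing import Dict, List

# Constructed fragment of `reg export HKLM\SYSTEM\CurrentControlSet\Services`.
# Real exports are UTF-16 (read them with encoding="utf-16") and usually store
# REG_EXPAND_SZ values as hex(2); the GrayBird keys are written here as plain
# strings, the way the description above lists them.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows XP Vista ]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"="%WINDIR%\\Hacker.com.cn.ini"
"DisplayName"="Windows XP Vista "
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows XP Vista \Security]
"Security"=hex:01,00,14,80

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"Type"=dword:00000020
"Start"=dword:00000002
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k NetworkService"
"DisplayName"="DNS Client"
"ObjectName"="NT AUTHORITY\\NetworkService"
"Group"=hex(2):42,00,61,00,\
  73,00,65,00,00,00
'''

SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
# SERVICE_TYPE bits: 0x110 (as above) = own process | interactive.
SERVICE_TYPE_BITS = {0x001: "kernel driver", 0x002: "file-system driver",
                     0x010: "own process", 0x020: "shared process",
                     0x100: "interactive"}
# Start values: 2 (as above) = started automatically by the SCM at boot.
START_TYPE = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}


def decode_value(raw: str) -> object:
    """Decode the right-hand side of a .reg value line."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):                  # REG_EXPAND_SZ as UTF-16LE bytes
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    return raw                                     # other binary types left raw


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a .reg export into {key_path: {value_name: value}}."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    text = re.sub(r",\\\r?\n\s*", ",", text)      # join wrapped hex values
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]                   # whitespace inside [] survives
            keys[current] = {}
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = decode_value(m.group(2))
    return keys


def image_file(image_path: str) -> str:
    """Return the executable part of an ImagePath, dropping arguments."""
    m = re.match(r'^\s*"?(.*?\.[A-Za-z0-9]{1,4})(?:"|\s|$)', image_path)
    return (m.group(1) if m else image_path).strip('"')


def describe_type(svc_type: object) -> str:
    if not isinstance(svc_type, int):
        return "unknown"
    parts = [label for bit, label in SERVICE_TYPE_BITS.items() if svc_type & bit]
    return ", ".join(parts) or f"0x{svc_type:x}"


def hunt_services(reg_text: str) -> List[dict]:
    """Return one finding per service that trips any of the heuristics."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        if not key.startswith(SERVICES_PREFIX):
            continue
        name = key[len(SERVICES_PREFIX):]
        if "\\" in name:                           # skip Security / Enum subkeys
            continue
        reasons = []
        path = str(values.get("ImagePath", ""))
        exe = image_file(path) if path else ""
        ext = exe.rsplit(".", 1)[-1].lower() if "." in exe else ""
        if path and ext not in ("exe", "sys", "dll"):
            reasons.append(f"ImagePath has non-executable extension .{ext}: {exe}")
        if exe.lower().endswith("hacker.com.cn.ini"):
            reasons.append("ImagePath matches the GrayBird.LE drop file")
        for label in {name, str(values.get("DisplayName", ""))}:
            if label != label.strip():
                reasons.append(f"look-alike name padded with whitespace: {label!r}")
        svc_type = values.get("Type", 0)
        if (isinstance(svc_type, int) and svc_type & 0x100
                and str(values.get("ObjectName", "")).lower() == "localsystem"):
            reasons.append("interactive service running as LocalSystem")
        if reasons:
            findings.append({"service": name, "type": describe_type(svc_type),
                             "start": START_TYPE.get(values.get("Start"), "?"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_services(SAMPLE_REG):
        print(f"{f['service']!r} ({f['type']}, start={f['start']}): " + "; ".join(f["reasons"]))
```

Against a real export, run `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` on the host and feed the file contents (decoded as UTF-16) to hunt_services; the Dnscache entry in the sample is there to show that an ordinary shared-process service produces no finding.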

Backdoor
The following port is opened:
   • %PROGRAM FILES%\Internet Explorer\IEXPLORE.EXE on TCP port 8080, in order to provide an HTTP server.

Remote control capabilities:
    • Disable network shares
    • Enable network shares
    • Execute file

Miscellaneous
Mutex:
It creates the following mutex:
   • Hacker.com.cn_MUTEX


Anti debugging
It checks if the following program is running:
   • SoftIce


File details
Programming language:
The malware program was written in Delphi.


Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • PEPack

Description inserted by Monica Ghitun on Thursday, September 21, 2006
Description updated by Andrei Ivanes on Thursday, October 19, 2006
