AlphaOne Technology Support Forums
Brad (SysAdmin, Tech Team)

Backdoor.Graybird.N Trojan horse
« on: July 05, 2005, 09:41:34 AM »

Backdoor.Graybird.N is a Trojan horse that hides its presence on the compromised computer and downloads files from remote Web sites.

When Backdoor.Graybird.N

   1. Creates the following mutexes to control its execution:

          * GPigeon5_Shared_HIDE
          * GPigeon5_Shared
          * GPigeon5_Shared_MUTEX

   2. Registers itself as a service with the name "yak tw", so that it is executed every time Windows starts:

      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Windows Updata Server
      HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_WINDOWS_UPDATA_SERVER

   3. Creates a service with the following display name:

      yak tw

   4. Modifies the value:

      "Completed" = "01 00 00 00"

      in the registry subkey:

      HKEY_USERS\.Default\Software\Microsoft\Internet Connection Wizard

   5. Copies itself as %Windir%\Server.exe

      Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

   6. Creates the following files:

          * %Windir%\Server.DLL
          * %Windir%\ServerKey.DLL
          * %Windir%\Server_Hook.DLL

   7. May also create the following file, depending on the number of running instances:

      %Windir%\Server_Hook[NUMBER].DLL

   8. Deletes the original file.

   9. Injects %Windir%\Server_Hook[NUMBER].DLL into all running processes, enabling the Trojan to hide its files from all processes.

  10. Starts a hidden Internet Explorer session and connects to the following Web site:

      [http://]sincooweb.com/[REMOVED]/ip.txt

  11. May steal confidential information or download other applications.

REMOVAL INSTRUCTIONS
See: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.graybird.n.html

To find and stop the service

   1. Click Start > Run.
   2. Type services.msc, and then click OK.
   3. Locate and select the service that was detected.
   4. Click Action > Properties.
   5. Click Stop.
   6. Change Startup Type to Manual.
   7. Click OK and close the Services window.
   8. Restart the computer.

To delete the value from the registry

   1. Click Start > Run.
   2. Type regedit.
   3. Click OK.
   4. Navigate to the subkey:

      HKEY_USERS\.Default\Software\Microsoft\Internet Connection Wizard

   5. In the right pane, delete the value:

      "Completed" = "01 00 00 00"

   6. Navigate to and delete the subkeys:

      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Windows Updata Server
      HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_WINDOWS_UPDATA_SERVER

   7. Exit the Registry Editor.
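A read-only triage script for the artifacts the post lists, added here as an example (it is not part of the original post or of the Symantec writeup). It assumes PowerShell with .NET 4.5 or later, run as Administrator on the suspect host, and that the mutexes may live in either the session-local or the Global namespace.

```powershell
# Read-only triage for the Backdoor.Graybird.N artifacts listed in the post.
# Assumptions: run as Administrator on the suspect host, .NET 4.5+ for Mutex.TryOpenExisting.
# It reports only; it does not stop the service or delete anything.
$findings = @()

# Service: key name "Windows Updata Server", display name "yak tw"
$svc = Get-Service | Where-Object { $_.DisplayName -eq 'yak tw' -or $_.Name -eq 'Windows Updata Server' }
if ($svc) { $findings += "Service present: $($svc.Name) [$($svc.DisplayName)] status=$($svc.Status)" }

# Registry persistence keys
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\Windows Updata Server',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_UPDATA_SERVER'
)
foreach ($k in $keys) { if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" } }

# "Completed" under HKEY_USERS\.DEFAULT\...\Internet Connection Wizard.
# Caveat: Windows itself sets this value on many clean machines, so alone it is a weak indicator.
$icw = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Connection Wizard'
if (Test-Path -LiteralPath $icw) {
    $v = (Get-ItemProperty -LiteralPath $icw -ErrorAction SilentlyContinue).Completed
    if ($null -ne $v) { $findings += "ICW Completed value present: $(@($v) -join ' ')" }
}

# Dropped files in %Windir%, including numbered Server_Hook[NUMBER].DLL copies.
# Caveat: step 9 says the injected hook hides these files from every process, so a clean
# result here is not conclusive; confirm from boot media or an offline mount of the disk.
$windir = $env:windir
$files = @("$windir\Server.exe", "$windir\Server.DLL", "$windir\ServerKey.DLL", "$windir\Server_Hook.DLL")
$files += @(Get-ChildItem -LiteralPath $windir -Filter 'Server_Hook*.DLL' -File -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName)
foreach ($f in ($files | Sort-Object -Unique)) {
    if (Test-Path -LiteralPath $f -PathType Leaf) { $findings += "File present: $f" }
}

# Mutexes, checked in both the session-local and the Global namespace (assumption: the sample
# may use either). An access-denied error still proves the object exists.
foreach ($name in 'GPigeon5_Shared_HIDE', 'GPigeon5_Shared', 'GPigeon5_Shared_MUTEX') {
    foreach ($full in @($name, "Global\$name")) {
        $m = $null
        try {
            if ([System.Threading.Mutex]::TryOpenExisting($full, [ref]$m)) {
                $findings += "Mutex present: $full"
                $m.Dispose()
            }
        } catch [System.UnauthorizedAccessException] { $findings += "Mutex present (access denied): $full" }
    }
}

if ($findings.Count -eq 0) { 'No Backdoor.Graybird.N artifacts found (note the hidden-file caveat).' } else { $findings }
```

Any hit on the service, the persistence keys, a file or a mutex is a strong signal; the ICW value by itself is not, and the removal steps in the post still apply once the infection is confirmed.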