Skip navigation.
Home

New Graybird.Trojan variant

Stumbled across a new variant of the Graybird trojan last night. Overall it seems to be pretty standard. It drops a file called prsvr.exe (a copy of itself) in the system32 directory. It also creates a small batch file called DELME.bat that it uses to delete the initial .exe file. It creates multiple startup entries in the registry, almost all of which can be identified by searching for "prsvr.exe" or "Procedure Distribution Service".

On the network side of the house it sends out some DNS lookup requests for 44384.ipread.com, which resolves to 218.28.29.141 (a netblock in China). It then tries to connect to this IP on port 8000, presumably to download the next stage. Alas for this critter this system seems to have been cleaned since all it gets back are RST packets.

On the "cool points" side it is using .DLL injection to hide the prsvr.exe process. Pity it doesn't do too good of a job of it. The process is visible for about 20 seconds before the injection kicks in. Also, while it's firing off SYN packets it spawns an instance of IE that is readily visible using Process Explorer or your favorite process monitoring tool of choice.

The MD5 sum for this critter is bcd0775ca686c5aea68ce549022b294a

Cheers!

-cdh