Upon execution, this backdoor program drops a copy of itself as G_Server2006.exe in the Windows system folder. This file's attributes are set to Hidden, Read-only, and System to prevent detection.
It also drops the following component files in the same folder:
G_Server2006.DLL
G_Server2006Key.DLL
To ensure its automatic execution at every system startup, it registers itself as a service by creating the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GrayPigeonServer
ImagePath = "%Windows%\G_Server2006.exe"
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
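As an added triage example (not code from the original description), the Python below checks host inventory text for the indicators named above: the three dropped file names, the Hidden/Read-only/System attribute combination, and the GrayPigeonServer service key. The attrib-like and .reg-export-like sample lines are constructed, not a real capture.

```python
import re

# Indicators from the description above (added example, not the write-up's code).
DROPPED_FILES = {"g_server2006.exe", "g_server2006.dll", "g_server2006key.dll"}
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GrayPigeonServer"
STEALTH_ATTRS = {"H", "R", "S"}  # Hidden, Read-only, System

# Constructed sample input (not a real capture): attribute letters, then a path.
SAMPLE_ATTRIB = """\
A   R  SH  C:\\Windows\\G_Server2006.exe
A          C:\\Windows\\notepad.exe
A   R  SH  C:\\Windows\\G_Server2006.DLL
A      H   C:\\Windows\\G_Server2006Key.DLL
"""
# Constructed sample input in .reg export shape (backslashes are doubled).
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GrayPigeonServer]
"ImagePath"="C:\\Windows\\G_Server2006.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"ImagePath"="C:\\Windows\\system32\\spoolsv.exe"
"""

def find_dropped_files(attrib_output):
    """Return matches of the dropped-file names with their attribute letters."""
    hits = []
    for line in attrib_output.splitlines():
        m = re.match(r"^([A-Z ]*?)\s+([A-Za-z]:\\.*\S)\s*$", line)
        if m and m.group(2).rsplit("\\", 1)[-1].lower() in DROPPED_FILES:
            attrs = set(m.group(1).replace(" ", ""))
            hits.append({"path": m.group(2), "attrs": attrs,
                         "stealth_attrs": STEALTH_ATTRS <= attrs})
    return hits

def find_service_key(reg_export):
    """Return the values under the GrayPigeonServer key, or {} if absent."""
    current, values = None, {}
    for line in reg_export.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current and current.lower() == SERVICE_KEY.lower():
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values

def assess(attrib_output, reg_export):
    """Combine both checks; the service key alone is enough to flag the host."""
    files, service = find_dropped_files(attrib_output), find_service_key(reg_export)
    return {"files": files, "service": service,
            "suspected": bool(service) or any(f["stealth_attrs"] for f in files)}
```

A file that matches by name but lacks the full Hidden/Read-only/System set is still reported, so an analyst can see partial matches such as the Key.DLL line in the sample.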
Backdoor Routine
This backdoor program opens varying ports and allows a remote malicious user to perform the following actions on affected machines:
Create files in any folder
Create registry entries
Create threads
Download files from the Internet
Get disk status
Inject processes
Log keystrokes
Start or terminate services and processes
Affected Platforms
This backdoor program runs on Windows 95, 98, ME, NT, 2000, XP, and Server 2003.