Graybird, also known as Backdoor.Graybird (along with having other variants of itself) is a Trojan on Microsoft Windows that infects users through an internet connection.


The Trojan adds files downloaded from remote websites to the registry to help its creator gain unauthorized access to the user's computer. The Trojan steals information that is entered or saved by the user. 

To stay hidden, it hides itself in currently running programs so it cannot be detected easily, it also deletes the file that it was run from. It terminates itself if it detects that it is being run on a virtual machine to try to hide from antivirus companies from researching its behavior.

The virus can record keystrokes, extract passwords from password cache, install a remote FTP server on machine, steal PC information and send it to the virus author and download and execute files.

It affects Windows variations from Windows 98 to Windows Vista.

It creates these files on the System folder, depending on variant:

  • Svch0st.exe
  • Winlogon.exe
  • Explorer.exe
  • ravmond.exe

Creates these values ("value" = "content"):

  • "svchost" = "%System%\Svch0st.exe"
  • "winlogon" = "%System%\Winlogon.exe"
  • "system" = "%System%\Explorer.exe"
  • "ravmond" = "%System%\Explorer.exe"

Under these keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

If the system is Windows NT, adds one of these values:

  • "run" = "%system%\svch0st.EXE"
  • "run" = "%system%\ravmond.exe"

Under this key:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows

If the system is Windows 98, adds the value "C:\WINDOWS\SYSTEM\SVCH0ST.EXE" to "run" value in "win.ini".

Community content is available under CC-BY-SA unless otherwise noted.