Win32/Bifrose [Threat Name]
Win32/Bifrose.ACI [Threat Variant Name]
Category | trojan
Size | 398848 B
Aliases | Backdoor.Win32.Bifrose.drls (Kaspersky); Backdoor:Win32/Bifrose (Microsoft)
Short description
Win32/Bifrose.ACI installs a backdoor that can be controlled remotely. The file is run-time compressed using IExpress and UPX.
Installation
When executed, the trojan creates the following files:
- %temp%\IXP%random%.TMP\server.exe (27517 B, Win32/Bifrose.ACI)
- %system%\晝vt\server.exe (27517 B, Win32/Bifrose.ACI)
The following Registry entry is set:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{B7ABDAA0-C932-B55E-44D5-658EC0E97E59}]
- "stubpath" = "%system%\晝vt\server.exe s"
This causes the trojan to be executed on every system start.
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost]
- "nck" = "%variable1%"
- [HKEY_CURRENT_USER\SOFTWARE\Bifrost]
- "klg" = 0
- "nck" = "%variable1%"
The trojan may set the following Registry entries:
- [HKEY_CURRENT_USER\SOFTWARE\Bifrost]
- "delay" = "%variable2%"
- "plg1" = "%variable3%"
- "tor" = "%variable4%"
%variable1-4% stand for strings with variable content.
The trojan may delete the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{B7ABDAA0-C932-B55E-44D5-658EC0E97E59}]
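As an added example (not part of the ESET entry), the following PowerShell audit checks the two registry locations described above on a live system: the Active Setup "Installed Components" entry that gives this variant persistence, and the Bifrost configuration keys it creates. The CLSID and key names come from this page; the heuristic that flags any StubPath launching server.exe from a subfolder of System32/SysWOW64 is an assumption.

```powershell
# Added example, not ESET's code: audit the registry locations this
# Bifrose.ACI entry describes. Run in an elevated PowerShell session.
$BifroseClsid = '{B7ABDAA0-C932-B55E-44D5-658EC0E97E59}'   # from the page
$findings = @()

# 1. Active Setup: each subkey's StubPath runs once per user at logon,
#    which is the persistence mechanism described above.
$activeSetupRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components'
)
foreach ($root in $activeSetupRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($sub in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue
        $stub  = $props.StubPath
        if (-not $stub) { continue }
        # Assumption: legitimate StubPaths do not launch "server.exe" from a
        # subfolder of System32/SysWOW64 (the page shows %system%\<dir>\server.exe).
        $exactClsid = ($sub.PSChildName -eq $BifroseClsid)
        $oddStub    = ($stub -match '\\sys(tem32|wow64)\\[^\\]+\\server\.exe')
        if ($exactClsid -or $oddStub) {
            $findings += [pscustomobject]@{
                Location = $sub.Name
                Detail   = "StubPath = $stub"
            }
        }
    }
}

# 2. Configuration keys the trojan creates ("nck", "klg", "delay", "plg1", "tor").
foreach ($key in 'HKLM:\SOFTWARE\Bifrost', 'HKCU:\SOFTWARE\Bifrost') {
    if (Test-Path $key) {
        $values = (Get-ItemProperty -Path $key |
                   Get-Member -MemberType NoteProperty |
                   Where-Object { $_.Name -notlike 'PS*' }).Name -join ', '
        $findings += [pscustomobject]@{ Location = $key; Detail = "values: $values" }
    }
}

if ($findings.Count -eq 0) {
    'No Win32/Bifrose.ACI registry indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on the Bifrost keys or the listed CLSID should be followed by collecting the referenced server.exe for analysis before removing the Active Setup entry, since the trojan itself deletes that entry on uninstall.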
The trojan launches the following processes:
- %windir%\explorer.exe
- %defaultbrowser%
- %programfiles%\Internet Explorer\iexplore.exe
The trojan creates and runs a new thread with its own program code within the following processes:
- %windir%\explorer.exe
- 滞砩.exe
- %defaultbrowser%
- %programfiles%\Internet Explorer\iexplore.exe
Information stealing
The trojan collects the following information:
- computer IP address
- computer name
- user name
- volume serial number
- the path to specific folders
- information about the operating system and system settings
- current screen resolution
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan serves as a backdoor. It can be controlled remotely.
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a URL. The TCP protocol is used.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- send files to a remote computer
- send the list of running processes to a remote computer
- send the list of disk devices and their type to a remote computer
- send the list of files on a specific drive to a remote computer
- create folders
- delete folders
- move files
- terminate running processes
- create Registry entries
- show/hide application windows
- log keystrokes
- uninstall itself
- stop itself for a certain time period
- capture screenshots
- capture webcam video/voice
- execute shell commands