Win32/Bifrose [Threat Name] go to Threat
Win32/Bifrose.NEL [Threat Variant Name]
| Category | trojan |
| Size | 111616 B |
| Aliases | Backdoor:Win32/Bifrose.AE (Microsoft) |
| Infostealer (Symantec) | |
| Win32:Midgare-WV (Avast) | |
| Trojan.Dropper.SAG (BitDefender) |
Short description
Win32/Bifrose.NEL installs a backdoor that can be controlled remotely. The file is run-time compressed using IExpress, UPX .
Installation
When executed, the trojan creates the following files:
- %temp%\IXP%random%.TMP\server.exe (32669 B, Win32/Bifrose.NEL)
- %programfiles%\Bifrost\server.exe (32669 B, Win32/Bifrose.NEL)
The following Registry entry is set:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4db90836}]
- "stubpath" = "%programfiles%\Bifrost\server.exe s"
This causes the trojan to be executed on every system start.
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost]
- "nck" = "%variable1%"
- [HKEY_CURRENT_USER\SOFTWARE\Bifrost]
- "klg" = 0
- "nck" = "%variable1%"
The trojan may set the following Registry entries:
- [HKEY_CURRENT_USER\SOFTWARE\Bifrost]
- "delay" = "%variable2%"
- "plg1" = "%variable3%"
- "tor" = "%variable4%
A string with variable content is used instead of %variable1-4% .
The trojan may delete the following Registry entries:
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4db90836}]
The trojan launches the following processes:
- %windir%\explorer.exe
- %defaultbrowser%
The trojan creates and runs a new thread with its own code within these running processes.
Information stealing
Win32/Bifrose.NEL is a trojan that steals sensitive information.
The trojan collects the following information:
- computer IP address
- computer name
- user name
- volume serial number
- the path to specific folders
- information about the operating system and system settings
- current screen resolution
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan serves as a backdoor. It can be controlled remotely.
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a URL address. The TCP protocol is used.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- send files to a remote computer
- send the list of running processes to a remote computer
- send the list of disk devices and their type to a remote computer
- send the list of files on a specific drive to a remote computer
- create folders
- delete folders
- move files
- terminate running processes
- create Registry entries
- show/hide application windows
- log keystrokes
- uninstall itself
- stop itself for a certain time period
- capture screenshots
- capture webcam video/voice
- execute shell commands