Win32/Bifrose [Threat Name]
Win32/Bifrose.NTA [Threat Variant Name]
Category | trojan
Size | 891970 B
Aliases | Trojan.Win32.Refroso.gveu (Kaspersky), Backdoor:Win32/Bifrose.AE (Microsoft)
Short description
Win32/Bifrose.NTA installs a backdoor that can be controlled remotely.
Installation
When executed, the trojan copies itself into the following location:
- %programfiles%/almalki/Explorer.EXE
The following Registry entry is set:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{747D9915-6324-9FC7-1320-BF71255C5EAC}]
- "stubpath" = "%programfiles%/almalki/Explorer.EXE"
This causes the trojan to be executed on every system start.
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost]
- "nck" = "%variable1%"
- [HKEY_CURRENT_USER\SOFTWARE\Bifrost]
- "klg" = 0
- "nck" = "%variable1%"
The trojan may set the following Registry entries:
- [HKEY_CURRENT_USER\SOFTWARE\Bifrost]
- "delay" = "%variable2%"
- "plg1" = "%variable3%"
- "tor" = "%variable4%"
A string with variable content is used in place of %variable1-4%.
The trojan may delete the following Registry entries:
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{747D9915-6324-9FC7-1320-BF71255C5EAC}]
The trojan launches the following processes:
- %windir%\explorer.exe
- %originalmalwarefilepath%
- %defaultbrowser%
The trojan creates and runs a new thread with its own code within these running processes.
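The Installation section above lists the artifacts a defender can look for: the dropped copy under %programfiles%\almalki, the Active Setup component with CLSID {747D9915-6324-9FC7-1320-BF71255C5EAC} whose "stubpath" points at that copy, and the SOFTWARE\Bifrost configuration keys in HKLM and HKCU. The PowerShell below is an added, read-only triage example written for this page, not code from ESET or from the malware; the CLSID and paths come from the entry, while the WOW6432Node variants are an assumption for a 32-bit trojan running on 64-bit Windows. The second function generalises the persistence check: Active Setup runs a component's StubPath at logon whenever the HKCU copy of the component is missing or older than the HKLM one (which is why deleting the HKCU entry, as listed above, keeps the stub firing), so it lists every StubPath that resolves outside the Windows directory for review.

```powershell
# Added example, not part of the ESET entry. Read-only triage of the artifacts
# listed in the Installation section. CLSID and paths are from the entry; the
# WOW6432Node keys are an assumption for a 32-bit trojan on 64-bit Windows.
$Clsid       = '{747D9915-6324-9FC7-1320-BF71255C5EAC}'
$ActiveSetup = 'SOFTWARE\Microsoft\Active Setup\Installed Components'
$ActiveSetupWow = 'SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'

$KeysToCheck = @(
    "HKLM:\$ActiveSetup\$Clsid",
    "HKLM:\$ActiveSetupWow\$Clsid",
    "HKCU:\$ActiveSetup\$Clsid",
    'HKLM:\SOFTWARE\Bifrost',
    'HKLM:\SOFTWARE\WOW6432Node\Bifrost',
    'HKCU:\SOFTWARE\Bifrost'
)

function Get-BifroseArtifacts {
    # Registry values under each key named in the entry ("stubpath", "nck", "klg", "delay", ...)
    $findings = @(foreach ($key in $KeysToCheck) {
        if (Test-Path -LiteralPath $key) {
            $props = (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
                     Where-Object { $_.Name -notlike 'PS*' }   # drop PowerShell metadata
            foreach ($p in $props) {
                [pscustomobject]@{ Kind = 'Registry'; Location = $key; Name = $p.Name; Value = "$($p.Value)" }
            }
        }
    })

    # The dropped copy; hash it so the finding can be correlated later
    foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
        if (-not $root) { continue }
        $file = Join-Path $root 'almalki\Explorer.EXE'
        if (Test-Path -LiteralPath $file) {
            $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
            $findings += [pscustomobject]@{ Kind = 'File'; Location = $file; Name = 'SHA256'; Value = $hash }
        }
    }
    $findings
}

function Get-SuspiciousStubPaths {
    # Every Active Setup component whose StubPath resolves outside %SystemRoot%.
    # Legitimate third-party components do exist, so this is a review list, not a verdict.
    foreach ($hive in @("HKLM:\$ActiveSetup", "HKLM:\$ActiveSetupWow")) {
        if (-not (Test-Path -LiteralPath $hive)) { continue }
        foreach ($component in Get-ChildItem -LiteralPath $hive) {
            $stub = (Get-ItemProperty -LiteralPath $component.PSPath).StubPath
            if (-not $stub) { continue }
            $expanded = [Environment]::ExpandEnvironmentVariables($stub).TrimStart('"')
            if ($expanded -notlike "$env:SystemRoot*") {
                [pscustomobject]@{ Component = $component.PSChildName; StubPath = $stub }
            }
        }
    }
}

Get-BifroseArtifacts    | Format-Table -AutoSize
Get-SuspiciousStubPaths | Format-Table -AutoSize
```

Run it from an elevated session so the HKLM keys are readable; an empty first table means none of the entry's literal artifacts are present, while the second table is worth reading even then, since a renamed dropper would use the same Active Setup mechanism under a different CLSID.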
Information stealing
Win32/Bifrose.NTA is a trojan that steals sensitive information.
The trojan collects the following information:
- computer IP address
- computer name
- user name
- volume serial number
- the path to specific folders
- information about the operating system and system settings
- current screen resolution
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan serves as a backdoor. It can be controlled remotely.
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a URL address and communicates over TCP.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- send files to a remote computer
- send the list of running processes to a remote computer
- send the list of disk devices and their type to a remote computer
- send the list of files on a specific drive to a remote computer
- create folders
- delete folders
- move files
- terminate running processes
- create Registry entries
- show/hide application windows
- log keystrokes
- uninstall itself
- stop itself for a certain time period
- capture screenshots
- capture webcam video/voice
- execute shell commands