Win32/Bifrose
Detection created | 2004-05-06
World activity peak | 2008-07-16 (0.59 %)
Short description
The trojan serves as a backdoor. It can be controlled remotely.
Installation
When executed, the trojan copies itself to one of the following locations:
- %windir%\%variable1%\%variable2%.exe
- %system%\%variable1%\%variable2%.exe
- %programfiles%\%variable1%\%variable2%.exe
The following Registry entry is set:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{%variable3%}]
- "stubpath" = "%copiedfilepath% s"
Active Setup runs the StubPath command at user logon for every user that has not yet recorded the component's GUID under HKEY_CURRENT_USER, so this causes the trojan to be executed on every system start.
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SOFTWARE\%variable4%]
- "nck" = "%variable5%"
- [HKEY_CURRENT_USER\SOFTWARE\%variable4%]
- "klg" = 0
- "nck" = "%variable5%"
The trojan may set the following Registry entries:
- [HKEY_CURRENT_USER\SOFTWARE\%variable4%]
- "delay" = "%variable6%"
- "plg1" = "%variable7%"
- "tor" = "%variable8%"
A string with variable content is used instead of %variable1-8%.
The trojan may delete the following Registry entries (the per-user marker Active Setup writes after the StubPath has run, so that the command is executed again at the next logon):
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{%variable3%}]
The trojan launches the following processes:
- %windir%\explorer.exe
- %defaultbrowser%
The trojan then injects its own code into these running processes and executes it in a new thread, so the backdoor runs under the name of explorer.exe or the default browser rather than under its own file name.
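The registry entries above are the most durable host artifacts this page lists. The following is an added example (not part of the original entry and not ESET code) that triages an offline `reg export` dump for the two patterns described: an Active Setup `StubPath` that is an executable followed by the lone argument `s`, and a `HKEY_CURRENT_USER\SOFTWARE\<name>` key holding both `klg` and `nck` with a matching `nck` under `HKEY_LOCAL_MACHINE`. The embedded .reg text, the GUIDs, the key name `Hwtd` and the paths are all constructed for the example.

```python
import re

# Constructed sample in .reg (reg export) syntax. GUIDs, the key name "Hwtd"
# and every path are invented for this example; they are not real indicators.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C5A9F10-0000-4D3B-8E1A-000000000001}]
"StubPath"="C:\\Windows\\system32\\example_setup.exe /configure"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C5A9F10-0000-4D3B-8E1A-000000000002}]
"StubPath"="C:\\Windows\\hwtd\\winup.exe s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Hwtd]
"nck"="ab12cd34"

[HKEY_CURRENT_USER\SOFTWARE\Hwtd]
"klg"=dword:00000000
"nck"="ab12cd34"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Helper"="C:\\Users\\u\\AppData\\Local\\helper.exe /background"
'''

ACTIVE_SETUP = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # .reg escapes backslashes and double quotes inside quoted strings.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _decode_value(raw):
    # Only REG_SZ and REG_DWORD are decoded; other types stay as raw text.
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: value}}."""
    hives, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            hives.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            hives[current][_unescape(m.group(1))] = _decode_value(m.group(2))
    return hives


def split_stub(stub):
    """Split a StubPath command into (executable, arguments).
    Quoted paths are honoured; unquoted ones are cut after the first '.exe'."""
    stub = stub.strip()
    if stub.startswith('"'):
        end = stub.find('"', 1)
        return stub[1:end], stub[end + 1:].strip()
    m = re.search(r"\.exe\b", stub, re.IGNORECASE)
    if m:
        return stub[:m.end()], stub[m.end():].strip()
    parts = stub.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def find_suspicious_active_setup(hives):
    """Return [(guid, exe, args)] for StubPath commands of the shape
    '<file>.exe s' described above. A lead to verify, not proof: Active Setup
    StubPath is a legitimate mechanism used by Windows components too."""
    hits = []
    for key, values in hives.items():
        if not key.upper().startswith(ACTIVE_SETUP.upper()):
            continue
        lower = {n.lower(): v for n, v in values.items()}
        stub = lower.get("stubpath")
        if not isinstance(stub, str):
            continue
        exe, args = split_stub(stub)
        if args.lower() == "s":
            hits.append((key[len(ACTIVE_SETUP):], exe, args))
    return hits


def find_marker_keys(hives):
    """Return [(name, nck_matches_hklm)] for HKCU\\SOFTWARE\\<name> keys that
    carry both 'klg' and 'nck'; the flag says whether HKLM\\SOFTWARE\\<name>
    holds the same 'nck' string, as described for the installation routine."""
    hits = []
    for key, values in hives.items():
        parts = key.split("\\")
        if len(parts) != 3 or parts[0] != "HKEY_CURRENT_USER" or parts[1].upper() != "SOFTWARE":
            continue
        lower = {n.lower(): v for n, v in values.items()}
        if "klg" in lower and "nck" in lower:
            twin = hives.get("HKEY_LOCAL_MACHINE\\SOFTWARE\\" + parts[2], {})
            twin_lower = {n.lower(): v for n, v in twin.items()}
            hits.append((parts[2], twin_lower.get("nck") == lower["nck"]))
    return hits


if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_REG)
    for guid, exe, args in find_suspicious_active_setup(reg):
        print(f"Active Setup {guid}: {exe} (arg {args!r})")
    for name, twin in find_marker_keys(reg):
        print(f"HKCU\\SOFTWARE\\{name}: klg+nck present, HKLM nck matches={twin}")
```

On a live host the same logic applies to `reg export HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components` and `reg export HKCU\SOFTWARE` output; treat a hit as a lead to confirm by checking the file at the StubPath and the process it is injected into, since both the key name and the file name vary between samples.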
Information stealing
Win32/Bifrose is a trojan that steals sensitive information.
The trojan collects the following information:
- computer IP address
- computer name
- user name
- volume serial number
- the path to specific folders
- information about the operating system and system settings
- current screen resolution
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan serves as a backdoor. It can be controlled remotely.
The trojan acquires data and commands from a remote computer or the Internet.
The address of the remote computer is embedded in the trojan. Communication uses the TCP protocol.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- send files to a remote computer
- send the list of running processes to a remote computer
- send the list of disk devices and their type to a remote computer
- send the list of files on a specific drive to a remote computer
- create folders
- delete folders
- move files
- terminate running processes
- create Registry entries
- show/hide application windows
- log keystrokes
- uninstall itself
- stop itself for a certain time period
- capture screenshots
- capture webcam video/voice
- execute shell commands
The trojan hides its running process.
Threat Variants with Description
Threat Variant Name | Date Added | Threat Type
Win32/Bifrose.ACI | 2007-01-25 | trojan
Win32/Bifrose.NEL | 2008-08-29 | trojan
Win32/Bifrose.NTA | 2009-09-29 | trojan