Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


Backdoor:W32/Bifrose


Aliases:


Backdoor:W32/Bifrose
Backdoor.Win32.Bifrose

Malware
Backdoor
W32

Summary

A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer or network.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

Backdoor:W32/Bifrose is large family of Remote Administration Tools (RAT) that can be exploited by remote users to gain control over a system on which the program is installed.

The backdoor has the following functionalities:

  • File Manager
  • Process Manager
  • Keylogger
  • Screen capture
  • Cam capture
  • Remote shell
  • Registry editor
  • Find passwords

The program also has the following server options:

  • Can connect through Socks 4 proxies.
  • Able to user TOR plugin, useful for hiding the network activity
  • Persistent server option (if the file is deleted, it will rewrite itself again to the disc and registry)
  • Able to inject itself to user defined processes
  • Can include plugins pack for more functionality
  • Offline keylogger

Installation

The server is usually installed in to following folders:

  • %Program Files%
  • %System%
  • %Windir%

After the installation, Bifrose tries to locate a running web browser and inject code into it. The injected code is the actual backdoor. The backdoor starts to communicate with the server part using specially crafted HTTP queries. The server can instruct the backdoor to execute the following actions:

  • Basic file operations (copy, delete, rename, find, execute)
  • Download/upload files
  • Process operations (list, kill)
  • Registry operations (create/delete keys/values)
  • Create screenshots of the desktop

Registry

During installation, the following registry key is created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1D04E0BB-B63D-8FA6-6553-5E619BB865DB} stubpath = "C:\Program Files\Bifrost\server.exe"

Where {1D04E0BB-B63D-8FA6-6553-5E619BB865DB}is always random.

and the usual mutex name used is:

  • Bif123 (user defined)

The backdoor also creates the following registry key for storing information:

  • [HKLM\Software\Wget]






Submit a sample




Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)

Give And Get Advice




Give advice. Get advice. Share the knowledge on our free discussion forum.

Scan and clean your PC




F-Secure Online Scanner will scan and clean your PC in just a few minutes for free