Threat Description



Aliases:Backdoor:​W32/Bifrose, Backdoor.Win32.Bifrose


A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer or network.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.


You may wish to refer to the Support Community for further assistance. You also may also refer to General Removal Instructions for a general guide on alternative disinfection actions.

Technical Details

Backdoor:W32/Bifrose is large family of Remote Administration Tools (RAT) that can be exploited by remote users to gain control over a system on which the program is installed.

The backdoor has the following functionalities:

  • File Manager
  • Process Manager
  • Keylogger
  • Screen capture
  • Cam capture
  • Remote shell
  • Registry editor
  • Find passwords

The program also has the following server options:

  • Can connect through Socks 4 proxies.
  • Able to user TOR plugin, useful for hiding the network activity
  • Persistent server option (if the file is deleted, it will rewrite itself again to the disc and registry)
  • Able to inject itself to user defined processes
  • Can include plugins pack for more functionality
  • Offline keylogger


The server is usually installed in to following folders:

  • %Program Files%
  • %System%
  • %Windir%

After the installation, Bifrose tries to locate a running web browser and inject code into it. The injected code is the actual backdoor. The backdoor starts to communicate with the server part using specially crafted HTTP queries. The server can instruct the backdoor to execute the following actions:

  • Basic file operations (copy, delete, rename, find, execute)
  • Download/upload files
  • Process operations (list, kill)
  • Registry operations (create/delete keys/values)
  • Create screenshots of the desktop


During installation, the following registry key is created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1D04E0BB-B63D-8FA6-6553-5E619BB865DB} stubpath = "C:\Program Files\Bifrost\server.exe"

Where {1D04E0BB-B63D-8FA6-6553-5E619BB865DB}is always random.

and the usual mutex name used is:

  • Bif123 (user defined)

The backdoor also creates the following registry key for storing information:

  • [HKLM\Software\Wget]


Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Scan & clean your PC

F-Secure Online Scanner will scan and clean your PC in just a few minutes for free

Learn More