F-Secure Virus Descriptions : Bifrose
[Summary] | [Detailed Description] | [Detection]
Bifrose is a stealthy backdoor that allows remote access to infected machine.
It is usually installed to system by a trojan dropper.
Installation to system
When run, the backdoor copies itself under %SysDir% directory
using the name 'syspare.exe'. It installs the following registry
keys to make sure it will be executed next time the system is started:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"syspare.exe" = "syspare.exe"
[HKLM\Software\Microsoft\Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}]
"stubpath.exe" = "syspare.exe"
The backdoor also creates the following registry key for storing
information:
[HKLM\Software\Wget]
Backdoor
After the installation, Bifrose tries to locate a running web browser
and inject code into it. The injected code is the actual backdoor. The
backdoor starts to communicate with the server part using specially crafted
HTTP queries. The server can instruct the backdoor to execute the following
actions:
Basic file operations (copy, delete, rename, find, execute)
Download/upload files
Process operations (list, kill)
Registry operations (create/delete keys/values)
Create screenshots of the desktop
[FSAV_Database_Version]
Version=2005-09-24_01
Technical Details:
Jarkko Turkulainen; October 4th, 2005;
F-Secure Corporation
|
