1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content

Where You Are

  1. Labs
  2. Threats
  3. Virus and threat descriptions
  4. Bifrose.SN

Bifrose.SN

Alias:Backdoor.Win32.Bifrose.sn
Type:Backdoor
Category:Trojan
Platform:Win32

Summary

Bifrose.SN is a variant of the Bifrose family of backdoors.

Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

Additional Details

Installation to the System

When run, Bifrose.SN copies itself under %SysDir% directory using the name winampxp.exe. It installs the following registry key to make sure it will be executed next time the system is started:
  • [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "startkey" = "winampxp.exe"

Backdoor Functions

After the installation, Bifrose.SN tries to locate a web browser and inject code into it. The injected code is the actual backdoor. The backdoor starts to communicate with the following servers using a specially crafted HTTP queries:
  • bfrost.gardenparadise.co.uk:4444
  • zingg.no-ip.org:4444
  • zingg2.no-ip.org:4444

The servers can instruct the backdoor to execute the following actions:

  • Basic file operations (copy, delete, rename, find, execute)
  • Download/upload files
  • Process operations (list, kill)
  • Registry operations (create/delete keys/values)
  • Create screenshots of the desktop

Detection

F-Secure Anti-Virus detects this malware with the following updates:


[FSAV_Database_Version]
Version = 2006-06-07_01.