Threat Description

Bifrose.SN

Details

Aliases: Bifrose.SN, Backdoor.Win32.Bifrose.sn
Category: Malware
Type: Backdoor
Platform: W32

Summary



Bifrose.SN is a variant of the Bifrose family of backdoors.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details



Installation to the System

When run, Bifrose.SN copies itself under %SysDir% directory using the name winampxp.exe. It installs the following registry key to make sure it will be executed next time the system is started:

  • [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]"startkey" = "winampxp.exe"

Backdoor Functions

After the installation, Bifrose.SN tries to locate a web browser and inject code into it. The injected code is the actual backdoor. The backdoor starts to communicate with the following servers using a specially crafted HTTP queries:

  • bfrost.gardenparadise.co.uk:4444
  • zingg.no-ip.org:4444
  • zingg2.no-ip.org:4444

The servers can instruct the backdoor to execute the following actions:

  • Basic file operations (copy, delete, rename, find, execute)
  • Download/upload files
  • Process operations (list, kill)
  • Registry operations (create/delete keys/values)
  • Create screenshots of the desktop


Detection


F-Secure Anti-Virus detects this malware with the following updates:
Database: 2006-06-07_01




SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Scan & clean your PC

F-Secure Online Scanner will scan and clean your PC in just a few minutes for free

Learn More