

Bifrose.SN


Aliases:


Bifrose.SN
Backdoor.Win32.Bifrose.sn

Malware
Backdoor
W32

Summary

Bifrose.SN is a variant of the Bifrose family of backdoors.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details


Installation to the System

When run, Bifrose.SN copies itself to the %SysDir% directory under the name winampxp.exe. It creates the following registry entry so that it is executed the next time the system starts:

  • [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]"startkey" = "winampxp.exe"

Backdoor Functions

After installation, Bifrose.SN tries to locate a web browser and inject code into it. The injected code is the actual backdoor. The backdoor starts communicating with the following servers using specially crafted HTTP queries:

  • bfrost.gardenparadise.co.uk:4444
  • zingg.no-ip.org:4444
  • zingg2.no-ip.org:4444

The servers can instruct the backdoor to execute the following actions:

  • Basic file operations (copy, delete, rename, find, execute)
  • Download/upload files
  • Process operations (list, kill)
  • Registry operations (create/delete keys/values)
  • Create screenshots of the desktop
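
The Run entry and server list above can be checked against exported host and network data. The following Python sketch is an added example, not part of the original description; it assumes `reg query` output for the Run key and a proxy log containing `host:port` tokens, and the function names, log format and sample data are constructed for illustration.

```python
import re

# Indicators listed in the description above.
RUN_VALUE = "startkey"
DROPPED_FILE = "winampxp.exe"
C2_HOSTS = {"bfrost.gardenparadise.co.uk", "zingg.no-ip.org", "zingg2.no-ip.org"}
C2_PORT = 4444

# Value line of `reg query` output: name, type and data separated by 4 spaces.
REG_VALUE = re.compile(r"^ {4}(?P<name>.+?) {4}REG_\w+ {4}(?P<data>.*)$")
# The dropped file name as a whole path component, with or without a directory.
FILE_REF = re.compile(r'(^|[\\/"\s])' + re.escape(DROPPED_FILE) + r'("|\s|$)', re.I)
HOST_PORT = re.compile(r"\b([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\.?:(\d{1,5})\b")

# Constructed sample data (not from a real system).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    startkey    REG_SZ    winampxp.exe
    WinHelper    REG_SZ    C:\WINDOWS\system32\winampxp.exe
    Updater    REG_SZ    "C:\Tools\notwinampxp.exe" /quiet
"""
SAMPLE_LOG = [
    "2006-06-08T10:15:02 10.0.0.5 CONNECT zingg.no-ip.org:4444",
    "2006-06-08T10:15:09 10.0.0.5 CONNECT www.example.com:443",
    "2006-06-08T10:16:40 10.0.0.7 CONNECT BFROST.gardenparadise.co.uk.:8080",
]

def check_run_key(reg_query_output):
    """Return (name, data, reasons) for Run values matching the indicators."""
    hits = []
    for line in reg_query_output.splitlines():
        m = REG_VALUE.match(line)
        if not m:
            continue  # key header or blank line
        reasons = []
        if m["name"].lower() == RUN_VALUE:  # value names are case-insensitive
            reasons.append("value name")
        if FILE_REF.search(m["data"]):
            reasons.append("file name")
        if reasons:
            hits.append((m["name"], m["data"].strip(), reasons))
    return hits

def check_connections(log_lines):
    """Return (line_no, host, port, port_matches) for contacts with listed hosts."""
    hits = []
    for no, line in enumerate(log_lines, 1):
        for host, port in HOST_PORT.findall(line):
            if host.lower() in C2_HOSTS:
                hits.append((no, host.lower(), int(port), int(port) == C2_PORT))
    return hits
```

A contact with a listed host on a port other than 4444 is still reported, with the last field set to `False`, so it can be reviewed separately from exact endpoint matches.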


Detection

F-Secure Anti-Virus detects this malware with the following updates:
Database: 2006-06-07_01




