Threat Description



Aliases: Backdoor:W32/Bifrose, Backdoor.Win32.Bifrose
Category: Malware
Type: Backdoor
Platform: W32


A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer or network.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.


Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.

Technical Details

Backdoor:W32/Bifrose is large family of Remote Administration Tools (RAT) that can be exploited by remote users to gain control over a system on which the program is installed.

The backdoor has the following functionalities:

  • File Manager
  • Process Manager
  • Keylogger
  • Screen capture
  • Cam capture
  • Remote shell
  • Registry editor
  • Find passwords

The program also has the following server options:

  • Can connect through Socks 4 proxies.
  • Able to user TOR plugin, useful for hiding the network activity
  • Persistent server option (if the file is deleted, it will rewrite itself again to the disc and registry)
  • Able to inject itself to user defined processes
  • Can include plugins pack for more functionality
  • Offline keylogger

The server is usually installed in to following folders:

  • %Program Files%
  • %System%
  • %Windir%

After the installation, Bifrose tries to locate a running web browser and inject code into it. The injected code is the actual backdoor. The backdoor starts to communicate with the server part using specially crafted HTTP queries. The server can instruct the backdoor to execute the following actions:

  • Basic file operations (copy, delete, rename, find, execute)
  • Download/upload files
  • Process operations (list, kill)
  • Registry operations (create/delete keys/values)
  • Create screenshots of the desktop

During installation, the following registry key is created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1D04E0BB-B63D-8FA6-6553-5E619BB865DB} stubpath = "C:\Program Files\Bifrost\server.exe"

Where {1D04E0BB-B63D-8FA6-6553-5E619BB865DB}is always random.

and the usual mutex name used is:

  • Bif123 (user defined)

The backdoor also creates the following registry key for storing information:

  • [HKLM\Software\Wget]


Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More