 

Backdoor:Win32/Bifrose.IQ


Microsoft security software detects and removes this threat.

This backdoor trojan uses your computer, together with many other infected computers, to launch attacks against certain IT companies. These attacks are designed to cripple those companies' ability to operate and are known as distributed denial of service (DDoS) attacks. The trojan also attempts to download and run other files, which may be malware.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

Threat behavior

Installation

When run, Backdoor:Win32/Bifrose.IQ drops a copy of itself with the file name cachemgr.exe, under the directory c:\setup.

Backdoor:Win32/Bifrose.IQ modifies the following registry entries to ensure that its copy runs at each Windows start. The Active Setup entry is executed at logon for every user account whose own HKCU\Software\Microsoft\Active Setup\Installed Components key does not yet contain the same GUID, so the backdoor is relaunched even for users who first log on after the infection; the Run key entry restarts it for the infected user:

In subkey: HKLM\Software\Microsoft\Active Setup\Installed Components\2CBE016A-8F28-4E0C-83A6-6079161294D7
Sets value: StubPath
With data: C:\setup\cachemgr.exe -ax

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: StubPath
With data: C:\setup\cachemgr.exe -as

The trojan also creates a text file with the name csetup.txt in the C:\setup folder. This text file records the dates on which the trojan is run.

Payload

Performs distributed denial of service (DDoS) attacks

Backdoor:Win32/Bifrose.IQ attempts to use your computer to perform distributed denial of service (DDoS) attacks against certain IT companies.

Downloads other files (which may be malware)

When installed on your computer, Backdoor:Win32/Bifrose.IQ attempts to access and download files from secure-system-updates.net/<removed>/system/update.php. The URL is no longer available, so we are unable to confirm the nature of the downloaded files.

Additional information

Backdoor:Win32/Bifrose.IQ creates the following mutexes, possibly as an infection marker to prevent multiple instances from running on your computer:

  • 2CBE016A-8F28-4E0C-83A6-6079161294D7
  • Bif123

Analysis by Justin Kim


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files: 

    C:\setup\cachemgr.exe
    C:\setup\csetup.txt

  • The presence of the following registry modifications:

    In subkey: HKLM\Software\Microsoft\Active Setup\Installed Components\2CBE016A-8F28-4E0C-83A6-6079161294D7
    Sets value: StubPath
    With data: C:\setup\cachemgr.exe -ax

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: StubPath
    With data: C:\setup\cachemgr.exe -as
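
The following PowerShell script is an added example and is not part of the Microsoft write-up. It hunts a host for the indicators listed in the Installation and Symptoms sections above: the two dropped files, the Active Setup StubPath entry, the Run key entry and the two mutexes. Two points go beyond the entry and are the editor's assumptions: it also flags any other Active Setup component or Run value whose command launches \setup\cachemgr.exe (so a variant using a different GUID or value name is still caught), and it probes both the session-local and the Global\ mutex namespaces because the write-up does not state which one the malware uses. All function and variable names are the editor's own.

```powershell
# Added example, not from the Microsoft entry: hunt for Backdoor:Win32/Bifrose.IQ
# artifacts (files, Active Setup / Run persistence, mutexes) on the local host.
# IOC values are those listed in the write-up. Run from an elevated PowerShell so
# that HKLM and other users' loaded hives are readable.

$Guid            = '2CBE016A-8F28-4E0C-83A6-6079161294D7'
$FilePaths       = @('C:\setup\cachemgr.exe', 'C:\setup\csetup.txt')
$Mutexes         = @($Guid, 'Bif123')
$ActiveSetupRoot = 'HKLM:\Software\Microsoft\Active Setup\Installed Components'
$RunSubKey       = 'Software\Microsoft\Windows\CurrentVersion\Run'
$RegMetaProps    = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function New-Finding ($Type, $Indicator, $Detail) {
    [pscustomobject]@{ Type = $Type; Indicator = $Indicator; Detail = $Detail }
}

function Get-BifroseFindings {
    $findings = @()

    # 1. Dropped files. Hash anything present so it can be compared or submitted.
    foreach ($p in $FilePaths) {
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            $findings += New-Finding 'File' $p "SHA256=$hash"
        }
    }

    # 2. Active Setup persistence. Match the known GUID, and (editor's assumption,
    #    broader than the write-up) any component whose StubPath runs cachemgr.exe.
    foreach ($comp in (Get-ChildItem -LiteralPath $ActiveSetupRoot -ErrorAction SilentlyContinue)) {
        $stub = (Get-ItemProperty -LiteralPath $comp.PSPath -ErrorAction SilentlyContinue).StubPath
        if ($comp.PSChildName -eq $Guid -or ($stub -and $stub -like '*\setup\cachemgr.exe*')) {
            $findings += New-Finding 'ActiveSetup' $comp.PSPath "StubPath=$stub"
        }
    }

    # 3. Run-key persistence. HKCU covers only the current user, so also walk every
    #    user hive currently loaded under HKEY_USERS (skipping the *_Classes hives).
    $hives = @('HKCU:') + @(Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue |
                Where-Object { $_.PSChildName -notmatch '_Classes$' } |
                ForEach-Object { "Registry::$($_.Name)" })
    foreach ($h in $hives) {
        $runKey = "$h\$RunSubKey"
        if (-not (Test-Path -LiteralPath $runKey)) { continue }
        $props = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
        foreach ($prop in $props.PSObject.Properties) {
            if ($RegMetaProps -contains $prop.Name) { continue }
            # The write-up lists the value name StubPath; also match on the command.
            if ($prop.Name -eq 'StubPath' -or "$($prop.Value)" -like '*\setup\cachemgr.exe*') {
                $findings += New-Finding 'RunKey' "$runKey\$($prop.Name)" "$($prop.Value)"
            }
        }
    }

    # 4. Mutexes. OpenExisting throws WaitHandleCannotBeOpenedException when no
    #    process holds the name. The Global\ probe is an assumption: the write-up
    #    does not say which namespace the malware uses.
    foreach ($m in $Mutexes) {
        foreach ($name in @($m, "Global\$m")) {
            try {
                $mx = [System.Threading.Mutex]::OpenExisting($name)
                $mx.Dispose()
                $findings += New-Finding 'Mutex' $name 'held by a running process'
            } catch [System.Threading.WaitHandleCannotBeOpenedException] {
                # Not present: nothing to report.
            } catch [System.UnauthorizedAccessException] {
                $findings += New-Finding 'Mutex' $name 'exists, but access was denied'
            }
        }
    }

    return $findings
}

$results = Get-BifroseFindings
if ($results) { $results | Format-Table -AutoSize -Wrap }
else { 'No Backdoor:Win32/Bifrose.IQ artifacts found.' }
```

A mutex hit means the backdoor is running right now, so capture memory and the process list before cleaning up. The Run-key walk sees only hives that are loaded (users currently logged on); for other accounts, load their NTUSER.DAT with reg load or inspect the offline hive with a forensic tool.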


Prevention


Alert level: Severe
First detected by definition: 1.121.332.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Feb 24, 2012
This entry was first published on: Feb 24, 2012
This entry was updated on: May 13, 2013

This threat is also detected as:
  • Win32/Kryptik.AAHE (ESET)
  • Backdoor.Win32.Bifrose (Ikarus)
  • Mal/Behav-043 (Sophos)
  • Mal_OtorunN (Trend Micro)
  • TR/Strictor.500.1 (Avira)
  • Worm/Win32.AutoRun (AhnLab)