Backdoor:Win32/Bifrose.ACI is a backdoor Trojan that allows a remote attacker to access the compromised computer, and injects its code into the Windows shell and Internet Explorer.
When executed, Win32/Bifrose.ACI writes a copy of itself to the local computer. The file name and path of this copy may vary between minor variants. See below for examples of file names and paths used by samples submitted to Microsoft from the wild:
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP and Vista.
The Trojan adds a registry entry to load the written copy at each Windows start. The entry corresponds to the file written, as in the following examples:
stubpath = "<system folder>\bitfrost\server.exe s"
stubpath = "<system folder>\drivers\ctfm0n.exe s"
stubpath = "<system folder>\services\service.exe s"
stubpath = "%ProgramFiles%\bifrost\svchost.exe s"
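As an added, defender-side example (not from the original Microsoft entry): a small Python triage check that reads entries written in the stubpath notation above and flags the traits the Bifrose.ACI samples share. It assumes the values are Active Setup StubPath entries, that <system folder> expands to C:\Windows\System32 and %ProgramFiles% to C:\Program Files; the two benign-looking entries in the sample are constructed.

```python
import ntpath
import re
from typing import Dict, List

SYSTEM_FOLDER = r"C:\Windows\System32"      # assumed default <system folder> (XP/Vista)
PROGRAM_FILES = r"C:\Program Files"         # assumed expansion of %ProgramFiles%
FAMILY_DIR_NAMES = {"bifrost", "bitfrost"}  # directory names taken from the entries above
SYSTEM_BINARIES = {"ctfmon.exe", "svchost.exe", "services.exe", "explorer.exe", "lsass.exe"}
LOOKALIKE = str.maketrans({"0": "o", "1": "l", "5": "s"})  # digits often swapped for letters

# One 'stubpath = "..."' line per value, in the notation used in the entry above.
STUB_RE = re.compile(r'^\s*stubpath\s*=\s*"(?P<exe>.*?\.exe)\s*(?P<args>.*?)"\s*$', re.I)

# Constructed sample: two benign placeholder entries followed by the four Bifrose.ACI paths.
SAMPLE_STUBPATHS = r"""
stubpath = "<system folder>\example_setup.exe /q"
stubpath = "%ProgramFiles%\Example Vendor\install.exe /quiet"
stubpath = "<system folder>\bitfrost\server.exe s"
stubpath = "<system folder>\drivers\ctfm0n.exe s"
stubpath = "<system folder>\services\service.exe s"
stubpath = "%ProgramFiles%\bifrost\svchost.exe s"
"""

def expand(path: str) -> str:
    """Replace the placeholders with the assumed default locations."""
    return path.replace("<system folder>", SYSTEM_FOLDER).replace("%ProgramFiles%", PROGRAM_FILES)

def assess_stubpath(line: str) -> Dict[str, object]:
    """Parse one entry; 'reasons' lists why it resembles the Bifrose persistence pattern."""
    m = STUB_RE.match(line)
    if not m:
        return {}
    exe, args = expand(m.group("exe")), m.group("args").strip()
    directory, name = ntpath.split(exe)
    lname = name.lower()
    reasons: List[str] = []
    if FAMILY_DIR_NAMES & {part.lower() for part in directory.split("\\")}:
        reasons.append("installed under a directory named after the Bifrost family")
    if lname not in SYSTEM_BINARIES and lname.translate(LOOKALIKE) in SYSTEM_BINARIES:
        reasons.append(f"{name} is a digit-for-letter look-alike of a Windows binary")
    if lname in SYSTEM_BINARIES and directory.lower() != SYSTEM_FOLDER.lower():
        reasons.append(f"{name} is launched from outside the system folder")
    if args == "s":
        reasons.append("single-letter 's' argument matches the Bifrose.ACI samples")
    return {"exe": exe, "args": args, "reasons": reasons}

def scan(text: str) -> List[Dict[str, object]]:
    """Return only the entries that raised at least one reason."""
    found = (assess_stubpath(line) for line in text.splitlines())
    return [entry for entry in found if entry and entry["reasons"]]
```

Running scan(SAMPLE_STUBPATHS) returns the four Bifrose entries and leaves the two constructed benign entries unflagged.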
Win32/Bifrose.ACI injects code into the Windows shell application Explorer.exe, and initiates a hidden instance of Internet Explorer (Iexplore.exe), also injecting its code into this process.
Win32/Bifrose.ACI connects to a remote IP address over either TCP port 81 or a random port, allowing an attacker access to the computer.
The Bifrose Trojan family is highly configurable. Thus, the locations of its installed files on an infected computer and TCP connection ports will vary. Commands can be sent to the installed Trojan that allow an attacker to perform any of the following actions on the affected machine:
Manage running processes
Manipulate files or registry data
Obtain installed program details
System shutdown or reboot