Backdoor:Win32/Bifrose.AE


Backdoor:Win32/Bifrose.AE is an 818,629-byte Win32 executable that registers itself to run the next time a user logs on and opens a backdoor through which a remote attacker can gain unauthorized access to, and control of, the affected computer.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product such as the following:
 
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Backdoor:Win32/Bifrose.AE is an 818,629-byte Win32 executable that registers itself to run the next time a user logs on and opens a backdoor through which a remote attacker can gain unauthorized access to, and control of, the affected computer. The executable is known to have been distributed packed with Themida; the file size and any static signatures therefore describe the packed sample, and the code that actually runs is only visible after the packer has unpacked it in memory.
Installation
When executed, Backdoor:Win32/Bifrose.AE injects itself into the explorer.exe process.
 
It drops a copy of the backdoor to %windir%\bifrost\server.exe and sets the following registry entry:
Sets value: "stubpath" 
With data: "%windir%\bifrost\server.exe s" 
To subkey: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}
 
Active Setup is the persistence mechanism here: at each user's next interactive logon, Windows runs the StubPath command of every Installed Components subkey that has no matching {GUID} subkey under HKCU\Software\Microsoft\Active Setup\Installed Components, so the dropped copy is started once per user rather than at boot. The trailing "s" is passed to server.exe as a command-line argument.
 
It also launches %program_files%\iexplore.exe and injects itself into that process, so the backdoor's code runs inside a browser process. Running inside the browser is a common way for malware to get past host firewall rules that allow Internet Explorer to make outbound connections.
Payload
Steals sensitive information
Backdoor:Win32/Bifrose.AE attempts to read the product keys and serial numbers of the following software, if it is installed on the affected computer:
 
Battlefield 1942
Battlefield 1942 (Road To Rome)
Battlefield 1942 (Secret Weapons of WWII)
Battlefield Vietnam
Black and White
Call of Duty
Chrome
Command and Conquer: Generals
Command and Conquer: Generals (Zero Hour)
Command and Conquer: Red Alert
Command and Conquer: Red Alert 2
Command and Conquer: Tiberian Sun
Counter-Strike
F1 Challenge 99-02
FIFA 2002
FIFA 2003
Freedom Force
Global Operations
Gunman Chronicles
Half-Life
Hidden & Dangerous 2
IGI 2: Covert Strike
Industry Giant 2
James Bond 007: Nightfire
Legends of Might and Magic
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Microsoft Windows Product ID
Nascar Racing 2002
Nascar Racing 2003
NASCAR Thunder TM 2004
Need For Speed Hot Pursuit 2
Need For Speed: Underground
NHL 2002
NHL 2003
NOX
Rainbow Six III RavenShield
Shogun: Total War: Warlord Edition
Soldiers Of Anarchy
The Battle for Middle-earth
The Gladiators
The Sims
Unreal Tournament 2003
Unreal Tournament 2004
 
Backdoor:Win32/Bifrose.AE also collects passwords for ICQ, Messenger, and POP3 mail accounts, and credentials held in Windows Protected Storage.
 
Allows backdoor access and control: Port 81
Backdoor:Win32/Bifrose.AE establishes an outbound TCP connection to 83.198.142.171 on port 81. It then accepts commands from the remote attacker and receives updates over this same connection. Because the connection is initiated from the infected host, inbound firewall rules do not stop it; an outbound connection to this address and port is the network indicator to look for.
 
Analysis by Oleg Petrovsky

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following file:
    %windir%\bifrost\server.exe
  • The presence of the following registry modifications:
    Sets value: "stubpath" 
    With data: "%windir%\bifrost\server.exe s" 
    To subkey: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}
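
The indicator check below is an added example, not code from the original entry or from Microsoft. It takes the three indicators the entry gives (the dropped file, the Active Setup StubPath value, and the outbound TCP connection to 83.198.142.171:81) and evaluates them against a host snapshot, parsing "netstat -ano" output for the network indicator. The netstat text is constructed for illustration, and collect_windows_snapshot() is an assumed way to gather the same three facts on a live Windows host; everything else runs offline on any platform.

```python
"""Indicator check for Backdoor:Win32/Bifrose.AE (added example, not the entry's code)."""
import os
import re
import sys

# Indicators taken from the entry.
DROPPED_FILE = r"%windir%\bifrost\server.exe"
ACTIVE_SETUP_SUBKEY = (r"SOFTWARE\Microsoft\Active Setup\Installed Components"
                       r"\{9B71D88C-C598-4935-C5D1-43AA4DB90836}")
STUBPATH_DATA = r"%windir%\bifrost\server.exe s"
C2_ADDRESS = ("83.198.142.171", 81)

# One TCP line of "netstat -ano": local addr:port, remote addr:port, state, PID.
_NETSTAT_LINE = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<raddr>\S+):(?P<rport>\d+)"
    r"\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$")


def parse_netstat(text):
    """Turn raw 'netstat -ano' output into a list of TCP connection records."""
    records = []
    for line in text.splitlines():
        m = _NETSTAT_LINE.match(line)
        if m:
            records.append({"local_addr": m.group("laddr"), "local_port": int(m.group("lport")),
                            "remote_addr": m.group("raddr"), "remote_port": int(m.group("rport")),
                            "state": m.group("state"), "pid": int(m.group("pid"))})
    return records


def find_c2_connections(records, c2=C2_ADDRESS):
    """Return the records whose remote endpoint is the C2 address and port."""
    host, port = c2
    return [r for r in records if r["remote_addr"] == host and r["remote_port"] == port]


def _normalize(path):
    # Registry data and file paths are case-insensitive. ntpath expands %windir%;
    # on POSIX the %var% stays literal on both sides, so offline triage still works.
    return os.path.expandvars(path.strip()).lower()


def stubpath_matches(data):
    """True if the StubPath data launches the dropped copy with its 's' argument."""
    return data is not None and _normalize(data) == _normalize(STUBPATH_DATA)


def evaluate(snapshot):
    """Map a snapshot {dropped_file_present, stubpath, netstat} to a list of findings."""
    findings = []
    if snapshot.get("dropped_file_present"):
        findings.append("dropped file present: " + DROPPED_FILE)
    if stubpath_matches(snapshot.get("stubpath")):
        findings.append("Active Setup StubPath launches the backdoor: HKLM\\" + ACTIVE_SETUP_SUBKEY)
    for rec in find_c2_connections(parse_netstat(snapshot.get("netstat", ""))):
        findings.append("TCP connection to %s:%d from PID %d (%s)"
                        % (rec["remote_addr"], rec["remote_port"], rec["pid"], rec["state"]))
    return findings


def collect_windows_snapshot():
    """Assumed live collection on Windows: file check, registry read, netstat."""
    import subprocess
    import winreg  # Windows only
    stubpath = None
    try:
        # Value names are case-insensitive, so "StubPath" finds the entry's "stubpath".
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, ACTIVE_SETUP_SUBKEY) as key:
            stubpath = winreg.QueryValueEx(key, "StubPath")[0]
    except OSError:
        pass  # subkey or value absent
    netstat = subprocess.run(["netstat", "-ano", "-p", "tcp"],
                             capture_output=True, text=True).stdout
    return {"dropped_file_present": os.path.exists(os.path.expandvars(DROPPED_FILE)),
            "stubpath": stubpath, "netstat": netstat}


# Constructed sample, not captured from a real host: one listener, one
# connection to the entry's C2 endpoint, one unrelated HTTPS session.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    192.168.1.23:49152     83.198.142.171:81      ESTABLISHED     1844
  TCP    192.168.1.23:49160     93.184.216.34:443      ESTABLISHED     2210
"""
SAMPLE_SNAPSHOT = {"dropped_file_present": True,
                   "stubpath": r"%WinDir%\Bifrost\server.exe s",  # mixed case on purpose
                   "netstat": SAMPLE_NETSTAT}

if __name__ == "__main__":
    snap = collect_windows_snapshot() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    for finding in evaluate(snap) or ["no Bifrose.AE indicators found"]:
        print(finding)
```

The PID reported for the port 81 connection is the process to examine first; because the backdoor injects into explorer.exe and iexplore.exe, expect it to belong to one of those rather than to server.exe. The C2 address is the one observed in the 2008 analysis and may no longer be in use, so treat the network indicator as supporting evidence and the file plus StubPath pair as the primary one.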

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.179.1844.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Jul 20, 2009
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Backdoor.Bifrose.ZXE (BitDefender)
  • W32/Bifrose.ASWB (Norman)