Threat behavior
Backdoor:Win32/Bifrose.AE is an 818,629-byte Win32 executable that configures itself to run at the next system start and opens a backdoor that gives a remote attacker unauthorized access to, and control of, the affected computer. The executable is known to have been distributed packed with Themida, a commercial protector that hinders static analysis and signature-based detection of the unpacked code.
Installation
When executed, Backdoor:Win32/Bifrose.AE injects itself into the explorer.exe process.
It drops a copy of itself to %windir%\bifrost\server.exe and sets the following Active Setup registry entry. Active Setup runs a component's StubPath once per user, at the next interactive logon of any user whose own HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components copy of the GUID does not yet exist, so the dropped file is started in the context of each user who logs on:
Sets value: "stubpath"
With data: "%windir%\bifrost\server.exe s"
To subkey: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}
It also launches %program_files%\iexplore.exe and injects itself into that process.
Payload
Steals sensitive information
Backdoor:Win32/Bifrose.AE attempts to read the license keys and serial numbers of any of the following software that is installed on the affected computer:
Battlefield 1942
Battlefield 1942 (Road To Rome)
Battlefield 1942 (Secret Weapons of WWII)
Battlefield Vietnam
Black and White
Call of Duty
Chrome
Command and Conquer: Generals
Command and Conquer: Generals (Zero Hour)
Command and Conquer: Red Alert
Command and Conquer: Red Alert 2
Command and Conquer: Tiberian Sun
Counter-Strike
F1 Challenge 99-02
FIFA 2002
FIFA 2003
Freedom Force
Global Operations
Gunman Chronicles
Half-Life
Hidden & Dangerous 2
IGI 2: Covert Strike
Industry Giant 2
James Bond 007: Nightfire
Legends of Might and Magic
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Microsoft Windows Product ID
Nascar Racing 2002
Nascar Racing 2003
NASCAR Thunder TM 2004
Need For Speed Hot Pursuit 2
Need For Speed: Underground
NHL 2002
NHL 2003
NOX
Rainbow Six III RavenShield
Shogun: Total War: Warlord Edition
Soldiers Of Anarchy
The Battle for Middle-earth
The Gladiators
The Sims
Unreal Tournament 2003
Unreal Tournament 2004
Backdoor:Win32/Bifrose.AE also harvests passwords for ICQ, Messenger and POP3 mail accounts, as well as credentials saved in the Windows Protected Storage.
Allows backdoor access and control: Port 81
Backdoor:Win32/Bifrose.AE establishes an outbound TCP connection to 83.198.142.171 on port 81 and then accepts commands and updates from the remote attacker over that connection. Because the connection is initiated from the infected host, a firewall that filters only inbound traffic will not block it.
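The following host check is an added example that is not part of the Microsoft write-up or the analyst's tooling. It looks for the indicators described in the Installation and command-and-control sections above: the dropped file, the Active Setup StubPath entry (in HKLM and, for users on whom the stub has already run, the HKCU mirror), a process running from the dropped path, and a live TCP connection to 83.198.142.171 on port 81. The function name Test-BifroseAE and the variable names are this example's own choices; it assumes an elevated PowerShell prompt on Windows 8 / Server 2012 or later, where Get-NetTCPConnection is available.

```powershell
# Added example: host check for the Backdoor:Win32/Bifrose.AE indicators listed on this page.
# Not part of the original write-up; function and variable names are this example's own.
# Run from an elevated PowerShell prompt. Get-NetTCPConnection requires Windows 8 / Server 2012
# or later; on older systems replace that step with parsing of `netstat -ano` output.

$Guid      = '{9B71D88C-C598-4935-C5D1-43AA4DB90836}'
$DropPath  = Join-Path $env:windir 'bifrost\server.exe'
$C2Address = '83.198.142.171'
$C2Port    = 81

function Test-BifroseAE {
    $findings = @()

    # 1. Dropped copy of the backdoor on disk.
    if (Test-Path -LiteralPath $DropPath) {
        $findings += "File present: $DropPath"
    }

    # 2. Active Setup persistence. The page lists the HKLM key; Active Setup runs its
    #    StubPath at the next logon of every user whose HKCU copy of the GUID is missing,
    #    so an HKCU entry is evidence that the stub has already run for that user.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Active Setup\Installed Components\$Guid"
        if (Test-Path -LiteralPath $key) {
            $stub = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).StubPath
            $findings += "Active Setup key present in $hive (StubPath = '$stub')"
        }
    }

    # 3. A process whose image is the dropped file. Injected explorer.exe / iexplore.exe
    #    instances look legitimate by name, so only the image path is matched here;
    #    the network check below is what catches the injected host processes.
    foreach ($p in (Get-Process -ErrorAction SilentlyContinue)) {
        if ($p.Path -and $p.Path -ieq $DropPath) {
            $findings += "Running process from drop path: PID $($p.Id)"
        }
    }

    # 4. Live TCP connection to the hard-coded command-and-control address and port.
    $conns = Get-NetTCPConnection -RemoteAddress $C2Address -RemotePort $C2Port -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        $owner = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $findings += "TCP $($c.State) to ${C2Address}:$C2Port from PID $($c.OwningProcess) ($($owner.Name))"
    }

    return ,$findings
}

$result = Test-BifroseAE
if ($result.Count -eq 0) {
    Write-Output 'No Backdoor:Win32/Bifrose.AE indicators found.'
} else {
    Write-Warning 'Backdoor:Win32/Bifrose.AE indicators found:'
    $result | ForEach-Object { Write-Output "  $_" }
}
```

The network step is the one that exposes the injected explorer.exe or iexplore.exe instance, since those processes have a legitimate image path; a connection to the C2 address from either of them is the signal. Remove the registry value before deleting the file so that the stub does not run again at the next logon.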
Analysis by Oleg Petrovsky
Prevention