Backdoor:Win32/Bifrose.ID is a trojan that allows unauthorized access and control of an affected computer.
Installation
When executed, Backdoor:Win32/Bifrose.ID copies itself to the following locations:
- <system folder>\syss32\wn32.exe
- c:\documents and settings\administrator\alg.exe
Note: <system folder> refers to a variable location that the malware determines at run time by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP, Vista, and 7.
As a part of its installation process, the malware may modify the following registry entry in order to run at system start:
Adds value: StubPath
With data: ""c:\documents and settings\administrator\alg.exe" s"
To subkey: hklm\software\microsoft\active setup\installed components\{6efc4044-77d9-47e7-197b-b6be2c7db41e}
The malware creates the following files on an affected computer:
- c:\documents and settings\administrator\cc.exe
- c:\documents and settings\administrator\application data\addons.dat
- c:\documents and settings\administrator\local settings\temp\aute.tmp
- c:\documents and settings\administrator\local settings\temp\autf.tmp
The malware utilizes code injection in order to hinder detection and removal. When Backdoor:Win32/Bifrose.ID executes, it may inject code into running processes, including the following, for example:
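The Active Setup StubPath entry and the dropped file paths above are the host artifacts a responder can check for. The script below is an added example written for this write-up, not Microsoft's tooling: it parses the text of a registry export (the format produced by `reg export` / a .reg file) so it can be run against a collected artifact on any analysis machine, flags the Active Setup subkey and file paths quoted in this description, and, going slightly beyond the page, also flags any other StubPath that launches a binary outside the Windows or Program Files trees, since legitimate Active Setup components normally live there. The sample export and the list of present files are constructed for illustration; the benign and unknown GUIDs in it are placeholders.

```python
"""Triage helper for the Backdoor:Win32/Bifrose.ID host indicators (added
example, not Microsoft's code). Works on .reg export text and on a list of
file paths collected from a host; it never touches the live registry."""
import re
from typing import Dict, List, Tuple

# Indicators quoted from the write-up. The <system folder> file is kept as a
# pattern because the prefix differs between Windows versions.
KNOWN_SUBKEY = r"hklm\software\microsoft\active setup\installed components\{6efc4044-77d9-47e7-197b-b6be2c7db41e}"
KNOWN_FILES = [
    r"c:\documents and settings\administrator\alg.exe",
    r"c:\documents and settings\administrator\cc.exe",
    r"c:\documents and settings\administrator\application data\addons.dat",
    r"c:\documents and settings\administrator\local settings\temp\aute.tmp",
    r"c:\documents and settings\administrator\local settings\temp\autf.tmp",
]
SYSTEM_FOLDER_FILE = re.compile(r"^[a-z]:\\(windows|winnt)\\system32\\syss32\\wn32\.exe$")

# Assumption: legitimate Active Setup StubPaths launch binaries under these roots.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\winnt\\", "c:\\program files\\")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] / "name"="value" lines of a .reg export into {key: {name: value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower().replace("hkey_local_machine", "hklm")
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            value = value.strip().strip('"')
            # .reg files escape backslashes and quotes; undo that for matching.
            value = re.sub(r'\\(["\\])', r"\1", value)
            keys[current][name.strip('"')] = value
    return keys


def extract_stubpath_target(data: str) -> str:
    """Return the executable path from StubPath data such as '"c:\\x\\y.exe" s'."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end].lower() if end > 0 else data.lower()
    return data.split(" ", 1)[0].lower()


def find_active_setup_findings(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (subkey, target, reason) for each suspicious Active Setup entry."""
    findings = []
    for subkey, values in parse_reg_export(reg_text).items():
        if "\\active setup\\installed components\\" not in subkey:
            continue
        stub = values.get("StubPath")
        if not stub:
            continue
        target = extract_stubpath_target(stub)
        if subkey == KNOWN_SUBKEY:
            findings.append((subkey, target, "subkey GUID matches the Bifrose.ID indicator"))
        elif target in KNOWN_FILES or SYSTEM_FOLDER_FILE.match(target):
            findings.append((subkey, target, "StubPath launches a known Bifrose.ID file"))
        elif not target.startswith(TRUSTED_ROOTS):
            findings.append((subkey, target, "StubPath launches a binary outside Windows/Program Files"))
    return findings


def find_dropped_files(present_paths: List[str]) -> List[str]:
    """Given file paths collected from a host, return those named in the write-up."""
    return [p for p in present_paths
            if p.lower() in KNOWN_FILES or SYSTEM_FOLDER_FILE.match(p.lower())]


# Constructed sample export: one benign entry, the Bifrose.ID entry, one unknown.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
"StubPath"="C:\\Windows\\system32\\regsvr32.exe /q /n /i:U shell32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6efc4044-77d9-47e7-197b-b6be2c7db41e}]
"StubPath"="\"c:\\documents and settings\\administrator\\alg.exe\" s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000002}]
"StubPath"="c:\\users\\public\\update.exe"
'''

if __name__ == "__main__":
    for subkey, target, reason in find_active_setup_findings(SAMPLE_REG_EXPORT):
        print(f"[registry] {reason}: {subkey} -> {target}")
    for hit in find_dropped_files([r"C:\WINDOWS\system32\syss32\wn32.exe", r"C:\Windows\notepad.exe"]):
        print(f"[file] known Bifrose.ID artifact present: {hit}")
```

Run it against a real export with `find_active_setup_findings(open("export.reg", encoding="utf-16").read())`; `reg export` writes UTF-16 by default. Because Active Setup runs the StubPath once per user at logon, any unexpected entry here deserves the same scrutiny as a Run key, which is why the third rule flags unfamiliar targets rather than only the GUID and paths from this description.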
Payload
Allows backdoor access and control
Backdoor:Win32/Bifrose.ID allows unauthorized access and control of an affected computer. An attacker can perform any number of different actions on an affected computer using Backdoor:Win32/Bifrose.ID. This could include, but is not limited to, the following actions:
- Download and execute arbitrary files
- Upload files
- Spread to other computers using various methods of propagation
- Log keystrokes or steal sensitive data
- Modify system settings
- Run or terminate applications
- Delete files
This malware description was produced and published using our automated analysis system's examination of file SHA1 f4276161b88022fbd32f8d1fc0b09ea4dde6c021.