BKDR_BIFROSE.SMC

 Modified by: Nikko Tamana

 ALIASES:

TrojanDownloader:Win32/Buzus.F (Microsoft), Trojan-Downloader.Win32.Buzus (Ikarus), Win32/Bifrose.NDU trojan (NOD32)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW


This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size:

115,162 bytes

File Type:

EXE

Initial Samples Received Date:

18 May 2010

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following file(s)/component(s):

  • %System%\Bifrost\logg.dat
  • %User Profile%\Application Data\addons.dat

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It drops the following copies of itself into the affected system:

  • %System%\Bifrost\Server.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

It creates the following folders:

  • %System%\Bifrost

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836}
stubpath = "%System%\Bifrost\Server.exe s"

Other System Modifications

This backdoor adds the following registry keys:

HKEY_CURRENT_USER\Software\Bifrost

HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836}

It adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\Software\Bifrost
klg = "{random hex values}"

HKEY_CURRENT_USER\Software\Bifrost
plg1 = "{random hex values}"

HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost
nck = "{random hex values}"