BKDR_BIFROSE.SMC
Aliases: TrojanDownloader:Win32/Buzus.F (Microsoft), Trojan-Downloader.Win32.Buzus (Ikarus), Win32/Bifrose.NDU trojan (NOD32)
Platform: Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
File size: 115,162 bytes
File type: EXE
Initial samples received date: 18 May 2010
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This backdoor drops the following file(s)/component(s):
- %System%\Bifrost\logg.dat
- %User Profile%\Application Data\addons.dat
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)
It drops the following copies of itself into the affected system:
- %System%\Bifrost\Server.exe
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)
It creates the following folders:
- %System%\Bifrost
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)
Autostart Technique
This backdoor adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836}
stubpath = "%System%\Bifrost\Server.exe s"
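The Active Setup key above is the persistence point: Windows runs each component's StubPath once per user at logon, so a StubPath that points at a dropped binary gives the backdoor a foothold that survives reboots. The following script is an added, read-only host check written for this page; it is not Trend Micro's code. It looks for the Active Setup entry by the CLSID and StubPath listed here, and for the dropped files and Bifrost registry keys listed under Installation and Other System Modifications. The function names are mine, and the Wow6432Node and SysWOW64 locations are assumptions for 32-bit malware on 64-bit Windows, not paths the page lists.

```powershell
# Added example for this page (not Trend Micro's code). Read-only: reports, removes nothing.
# The CLSID, file names and key names come from the page; function names are mine.
$BifroseClsid = '{9D71D88C-C598-4935-C5D1-43AA4DB90836}'

function Get-BifroseActiveSetupEntries {
    # Assumption: on 64-bit Windows a 32-bit dropper may write under Wow6432Node, so both views are read.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'
    )
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            $stub  = [string]$props.StubPath              # value-name lookup is case-insensitive
            $clsidMatch = $_.PSChildName -ieq $BifroseClsid
            $pathMatch  = $stub -match '(?i)\\Bifrost\\Server\.exe'
            if ($clsidMatch -or $pathMatch) {
                [pscustomobject]@{
                    Indicator = 'ActiveSetup'
                    Location  = $_.Name
                    Detail    = $stub
                    Reason    = if ($clsidMatch) { 'CLSID listed on this page' } else { 'StubPath references Bifrost\Server.exe' }
                }
            }
        }
    }
}

function Get-BifroseDroppedFiles {
    # %System% -> the real system directory; %User Profile%\Application Data -> roaming AppData
    # of the *current* user only. Other users' profiles must be enumerated separately.
    $sys   = [Environment]::SystemDirectory
    $paths = @(
        (Join-Path $sys 'Bifrost\logg.dat'),
        (Join-Path $sys 'Bifrost\Server.exe'),
        (Join-Path $env:APPDATA 'addons.dat')
    )
    # Assumption: 32-bit file-system redirection on 64-bit hosts places %System% under SysWOW64.
    $wow = Join-Path $env:SystemRoot 'SysWOW64'
    if (Test-Path $wow) {
        $paths += (Join-Path $wow 'Bifrost\logg.dat'), (Join-Path $wow 'Bifrost\Server.exe')
    }
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            $item = Get-Item -LiteralPath $p
            [pscustomobject]@{
                Indicator = 'DroppedFile'
                Location  = $p
                Detail    = "$($item.Length) bytes, written $($item.LastWriteTime)"
                Reason    = 'Path listed on this page'
            }
        }
    }
}

function Get-BifroseRegistryKeys {
    $keys = @('HKCU:\Software\Bifrost', 'HKLM:\SOFTWARE\Bifrost', 'HKLM:\SOFTWARE\Wow6432Node\Bifrost')
    foreach ($k in $keys) {
        if (Test-Path $k) {
            $props = Get-ItemProperty -Path $k
            # klg, plg1 and nck are the value names the page reports; show which are present.
            $present = @('klg', 'plg1', 'nck') | Where-Object { $null -ne $props.$_ }
            [pscustomobject]@{
                Indicator = 'RegistryKey'
                Location  = $k
                Detail    = ($present -join ', ')
                Reason    = 'Key listed on this page'
            }
        }
    }
}

function Get-BifroseArtifacts {
    @(Get-BifroseActiveSetupEntries) + @(Get-BifroseDroppedFiles) + @(Get-BifroseRegistryKeys)
}

# Usage: run from an elevated PowerShell prompt so HKLM and %System% are readable.
$findings = Get-BifroseArtifacts
if ($findings) { $findings | Format-Table -AutoSize } else { 'No BKDR_BIFROSE.SMC artifacts found on this host.' }
```

Two points for responders: the StubPath match is the higher-confidence signal, because the CLSID is specific to this sample while Active Setup as a mechanism is shared with legitimate components, so every entry under Installed Components with a StubPath outside %System% or %ProgramFiles% deserves a look even when this script reports nothing. Second, a hit on %System%\Bifrost\Server.exe with the "s" argument means the backdoor is already set to relaunch at the next logon; collect the file for analysis before cleaning.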
Other System Modifications
This backdoor adds the following registry keys:
HKEY_CURRENT_USER\Software\Bifrost
HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836}
It adds the following registry entries as part of its installation routine:
HKEY_CURRENT_USER\Software\Bifrost
klg = "{random hex values}"
HKEY_CURRENT_USER\Software\Bifrost
plg1 = "{random hex values}"
HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost
nck = "{random hex values}"