BKDR_BIFROSE.WINN
Backdoor.Win32.Bifrose.fpi (Kaspersky), Backdoor:Win32/Bifrose.gen!E (Microsoft)
Windows
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It deletes the initially executed copy of itself.
TECHNICAL DETAILS
40,191 bytes
EXE
05 Aug 2016
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This backdoor drops a copy of itself in the following folders using different file names:
- %User Profile%\Local Settings\wminsts.exe
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)
It adds the following processes:
- iexplorer.exe
Other System Modifications
This backdoor adds the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{UID}
HKEY_LOCAL_MACHINE\SOFTWARE\SKav
HKEY_CURRENT_USER\Software\SKav
It adds the following registry entries as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{UID}
stubpath = "%User Profile%\Local Settings\wminsts.exe s"
HKEY_LOCAL_MACHINE\SOFTWARE\SKav
nck = "{hex values}"
HKEY_CURRENT_USER\Software\SKav
klg = "00"
Other Details
This backdoor connects to the following possibly malicious URL:
- securitybbs.{BLOCKED}s.info
- release2002.{BLOCKED}ame.org
It deletes the initially executed copy of itself