Discovered: October 12, 2004
Updated: October 12, 2004 1:44:30 PM
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000
Backdoor.Bifrose is a back door that sends information to a remote server.
When the back door is executed, it copies itself as system.exe to the %Windir% or %System% directory.
Next, the back door generates an encrypted file named "plugin1.dat" in the %System% directory.
It then creates some of the following registry entries, which start the back door when Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"system" = "%System%\system.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"system" = "%System%\system.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"system" = "%Windir%\system.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"system" = "%Windir%\system.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}\"stubpath" = "%System%\system.exe s"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}\"stubpath" = "%Windir%\system.exe s"
Next, it creates the following registry entries to store status information:
HKEY_CURRENT_USER\Software\Wget
HKEY_LOCAL_MACHINE\SOFTWARE\Wget
Next, the back door uses Microsoft Internet Explorer to attempt a connection to one of the following hosts on TCP port 1971, sending out system information:
firedragon.no-ip.com
killvirus2002.serveftp.org
222.65.219.234
The attacker can then send shell commands, which the back door executes on the compromised computer.
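The following read-only PowerShell check is an added example, not part of the original writeup: it looks on the local host for the file, registry and network indicators listed above and reports each one it finds (the key, value and file names are taken from the writeup; the script itself is assumed to run with rights to read HKLM).

```powershell
# Added example: enumerate the Backdoor.Bifrose indicators from the writeup on this host.
# Read-only; it reports findings and changes nothing. Run from an elevated prompt to read HKLM.
$findings = @()

# 1. Dropped copy of the back door in %Windir% or %System%
$candidates = @("$env:SystemRoot\system.exe", "$env:SystemRoot\System32\system.exe")
foreach ($path in $candidates) {
    if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
}

# 2. Run-key persistence: a value named "system" that points at system.exe
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $item = Get-ItemProperty -Path $key -Name 'system' -ErrorAction SilentlyContinue
    if ($item -and $item.system -match 'system\.exe') {
        $findings += "Run value: $key\system = $($item.system)"
    }
}

# 3. Active Setup component with the CLSID named in the writeup (runs system.exe per user logon)
$activeSetup = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}'
if (Test-Path -LiteralPath $activeSetup) {
    $stub = (Get-ItemProperty -Path $activeSetup -ErrorAction SilentlyContinue).StubPath
    $findings += "Active Setup component present: $activeSetup (StubPath = $stub)"
}

# 4. Status keys the back door creates
foreach ($key in @('HKLM:\SOFTWARE\Wget', 'HKCU:\Software\Wget')) {
    if (Test-Path -LiteralPath $key) { $findings += "Status key present: $key" }
}

# 5. Any TCP connection whose remote endpoint uses port 1971 (netstat -an works on every
#    listed Windows version; newer hosts can use Get-NetTCPConnection -RemotePort 1971 instead)
$netstat = netstat -an 2>$null
foreach ($line in $netstat) {
    if ($line -match '^\s*TCP\s+\S+\s+(\S+):1971\s+(\S+)') {
        $findings += "TCP connection to $($Matches[1]):1971 (state $($Matches[2]))"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Backdoor.Bifrose indicators found.'
} else {
    Write-Output 'Backdoor.Bifrose indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

The two dynamic-DNS names and the IP address are as published in 2004 and may since have been reassigned, so the network check matches on the port rather than on those addresses.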