1. Symantec/
  2. Security Response/
  3. Attack Signatures/
  4. System Infected: Backdoor.Jabeefit Activity

System Infected: Backdoor.Jabeefit Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.


This signature detects Backdoor.Jabeefit activity on infected machine.

Additional Information

When the Trojan is executed, it copies itself to the following locations:
%UserProfile%\Application Data\BIFIT_A\agent.exe

The Trojan then drops the following files:

%UserProfile%\Application Data\BIFIT_A\bifit_a.cfg
%UserProfile%\Application Data\BIFIT_A\bifit_agent.jar
%UserProfile%\Application Data\BIFIT_A\javassist.jar

Next, the Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"bifit_agent" = "%UserProfile%\Application Data\BIFIT_A\agent.exe"

The Trojan then opens a back door on the compromised computer, and connects to the following domain:
http ://


  • All windows platforms
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube