ThreatExpert Report: Trojan.Midgare.hhn, Backdoor.Bifrose, BKDR

Submission Summary:

Submission details:

Submission received: 9 February 2010, 21:06:48
Processing time: 12 min 1 sec
Submitted sample:

File MD5: 0x17A5391BCD17AAF21A6AFB5D52EE299D
File SHA-1: 0xF49D8C0A64FDA9BFA68605420CA398EC2A7C6E0F
Filesize: 166,270 bytes

Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Contains characteristics of an identified security risk.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Backdoor.Bifrose	Backdoor.Bifrose is a backdoor trojan that attempts to propagate by exploiting local network shares. It will also attempt to join a predefined IRC server and channel in order to participate in DDoS attacks.

Attention! The following threat categories were identified:

Threat Category	Description
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system
	A virus capable to modify other files by infecting, prepending, or overwriting them them with its own body

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%AppData%\Bifrost\logg.dat %System%\Bifrost\logg.dat	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
2	%AppData%\Bifrost\server.exe %ProgramFiles%\server_crypt.exe %System%\Bifrost\server.exe	30,589 bytes	MD5: 0xE8D3C7ABA1FC53AA52A12AAE054866A3 SHA-1: 0x90FD6753F05559CD97CD6B35E0B47385DC321642	Trojan.Midgare.hhn [PCTools] Backdoor.Bifrose [Symantec] BKDR_AHZE.SMM [Trend Micro] Backdoor:Win32/Bifrose.HM [Microsoft]
3	%ProgramFiles%\gamazer.3.exe	57,344 bytes	MD5: 0x94FDBE08885E98AB92FD8A3F110F6C72 SHA-1: 0x09B315E939CF89FDC29BD85A2F33406B79703A96	Malware.Virut [PCTools] W32.Virut.CF [Symantec] Virus.Win32.Virut.ce [Kaspersky Lab] W32/Virut.n.gen [McAfee] W32/Scribble-B [Sophos] Virus:Win32/Virut.BM [Microsoft] Win32/Virut.F [AhnLab]
4	[file and pathname of the sample #1]	166,270 bytes	MD5: 0x17A5391BCD17AAF21A6AFB5D52EE299D SHA-1: 0xF49D8C0A64FDA9BFA68605420CA398EC2A7C6E0F	(not available)

Notes:

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directories were created:

%AppData%\Bifrost
%System%\Bifrost

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
gamazer.3.exe	%ProgramFiles%\gamazer.3.exe	57,344 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	135,168 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\@ctive Setup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\@ctive Setup\Installed Components
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\@ctive Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836}
HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersiontInternet Settings
HKEY_CURRENT_USER\Software\Bifrost
HKEY_CURRENT_USER\Software\WinRAR SFX

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\@ctive Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836}]

stubpath = "%System%\Bifrost\server.exe s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost]

nckTWexplorer.exe = 6E 9F 54 9A 10 95 82 F5 95 20 13 99 26 4F B8 67

[HKEY_CURRENT_USER\Software\Bifrost]

klg = 01

[HKEY_CURRENT_USER\Software\WinRAR SFX]

C%%Program Files = "C:\Program Files"

Other details

Analysis of the file resources indicate the following possible country of origin:

Russian Federation

To mark the presence in the system, the following Mutex objects were created:

Bif1234
likl

The following Host Name was requested from a host database:

gnooon.no-ip.biz

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
gnooon.no-ip.biz	3460

There was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:

%ProgramFiles%\Internet Explorer\iexplore.exe

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 3460:

00000000 | 0B01 0000 994F B271 E274 8C02 5AF2 B1B3 | .....O.q.t..Z...
00000010 | 1B47 87BB DB46 2CCD 8CB9 922F 7B46 012F | .G...F,..../{F./
00000020 | 3B72 8688 EB44 4A81 FCC4 90AF 15AF 54F6 | ;r...DJ.......T.
00000030 | 34A9 3A8E A578 543F C391 404C DF6E 1A27 | 4.:..xT?..@L.n.'
00000040 | 1D0B 2F4B D893 9ABA 1409 5A66 C025 51E7 | ../K......Zf.%Q.
00000050 | CD82 7CC2 5C75 6258 9FC8 1FF0 599B 4DAB | ..|.\ubX....Y.M.
00000060 | 83AC FC97 2320 9F51 77F4 33BC 9384 6293 | ....# .Qw.3...b.
00000070 | 5759 5A99 92BA 9339 619A 6830 F3C6 0D2C | WYZ....9a.h0...,
00000080 | 4AA1 39CB 68BE 75FE 27CB 0D4D C149 08A1 | J.9.h.u.'..M.I..
00000090 | 7BCA BD31 62FF 2CD0 124D ADE3 7DE7 9FF6 | {..1b.,..M..}...
000000A0 | 4B60 18FE 8692 18ED 829E 61AA DF36 F3AB | K`........a..6..
000000B0 | A088 EA3B C93A 9B18 8990 34F8 3599 25FA | ...;.:....4.5.%.
000000C0 | 5C0A D537 2D68 61CB 9AFD 6EF1 B5F4 8896 | \..7-ha...n.....
000000D0 | 1F96 A4C1 221E 29B6 B64B 5FD7 5F55 357E | ....".)..K_._U5~
000000E0 | 0066 E515 135E E7E2 1E3F 9E69 0FEE 3D62 | .f...^...?.i..=b
000000F0 | F37E E1F9 EB4D 7F6A 7180 2BAE 9E2B BBB3 | .~...M.jq.+..+..
00000100 | 6486 E3F5 1F8B AF86 12CA 7887 9273 EB   | d.........x..s.

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.