ThreatExpert Report: Win-Trojan/Spybot.162358

Submission Summary:

Submission details:

Submission received: 2 June 2010, 22:16:56
Processing time: 9 min 31 sec
Submitted sample:

File MD5: 0x24EB9E7F6E5A6DEDBC32B66B0B645874
File SHA-1: 0x7E1C2620AA413B23202C2AAD4D60B008E6B45E39
Filesize: 162,326 bytes
Alias: Win-Trojan/Spybot.162358 [AhnLab]

Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Backdoor.Bifrose	Backdoor.Bifrose is a backdoor trojan that attempts to propagate by exploiting local network shares. It will also attempt to join a predefined IRC server and channel in order to participate in DDoS attacks.

File System Modifications

The following file was created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%ProgramFiles%\Bifrost\server.exe [file and pathname of the sample #1]	162,326 bytes	MD5: 0x24EB9E7F6E5A6DEDBC32B66B0B645874 SHA-1: 0x7E1C2620AA413B23202C2AAD4D60B008E6B45E39	Win-Trojan/Spybot.162358 [AhnLab]

Note:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directory was created:

%ProgramFiles%\Bifrost

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	49,152 bytes
server.exe	%ProgramFiles%\bifrost\server.exe	49,152 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836}
HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo
HKEY_CURRENT_USER\Software\Bifrost

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836}]

stubpath = "%ProgramFiles%\Bifrost\server.exe s"

so that server.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost]

nck = ED 1B E6 27 B9 28 D6 32 74 C3 CD 74 FA 93 5B 67

[HKEY_CURRENT_USER\Software\Bifrost]

klg = 00

Other details

To mark the presence in the system, the following Mutex object was created:

Bif1234

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 81:

00000000 | 0D01 0000 994F B271 E274 8C02 5AF2 B130 | .....O.q.t..Z..0
00000010 | 9FF5 3A12 6612 976F 202A 2FA6 F3E0 2F22 | ..:.f..o */.../"
00000020 | 3572 93A1 EA72 7DBD F3E8 B8B6 3CAC 00AA | 5r...r}.....<...
00000030 | 48AC 2BD9 EF3D 5129 C089 0C4C C223 4B26 | H.+..=Q)...L.#K&
00000040 | 1D0B 6A4B D2D7 D6F7 5944 162A 8C69 4EE0 | ..jK....YD.*.iN.
00000050 | 98D2 29C6 104A 1B3E 87E3 13E6 4193 46B1 | ..)..J.>....A.F.
00000060 | 84FF BD98 2964 EC67 66F4 2EBB 9A90 4D9A | ....)d.gf.....M.
00000070 | 714F 4DA5 BDB6 9B00 6FAD 6E36 F8DC 0513 | qOM.....o.n6....
00000080 | 33C7 21E0 64A8 6DF6 2CD1 0A1E 8046 02E5 | 3.!.d.m.,....F..
00000090 | 08FC AC31 7FF8 25C4 3D44 8BF5 6ADB B0FA | ...1..%.=D..j...
000000A0 | 4359 00DF 908A 07F6 9D92 5ED3 B92E D8A7 | CY........^.....
000000B0 | B690 E230 D33D C859 869A 708B 0388 25E7 | ...0.=.Y..p...%.
000000C0 | 5B03 C118 244E 77DC A6D2 62F9 8CE5 BCCF | [...$Nw...b.....
000000D0 | 7BBD A8D7 3A16 22AC B144 76D1 7019 357E | {...:."..Dv.p.5~
000000E0 | 0066 E111 1A1B FA48 A0AE 2DB0 A1A2 8EE1 | .f.....H..-.....
000000F0 | 5F91 05F9 42FA DBC0 3E2D A92B 38DA D21A | _...B...>-.+8...
00000100 | F124 4454 BD2E AF04 8B71 D309 2B6A 99E6 | .$DT.....q..+j..
00000110 | D5                                      | .

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.