Submission Summary:

• Submission details:
• Submission received: 3 December 2007, 10:14:21
• Processing time: 3 min 7 sec
• Submitted sample:
• File MD5: 0x32CA48D6496CD7AFDABEED891AC08EEF
• Filesize: 1,199,915 bytes
• Alias: Backdoor.Win32.Ciadoor.gn [Kaspersky Lab]

• Summary of the findings:

What's been found	Severity Level
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Backdoor.Bifrose	Backdoor.Bifrose is a backdoor trojan that attempts to propagate by exploiting local network shares. It will also attempt to join a predefined IRC server and channel in order to participate in DDoS attacks.

• Attention! The following threat categories were identified:

Threat Category	Description
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\Cadeau.exe %System%\cam\photo.exe	1,232,253 bytes	MD5: 0x6537E9DBF3E5D3216255BF0DD07DF6BE	Infostealer [Symantec] Backdoor.Win32.Ciadoor.gn [Kaspersky Lab] BackDoor-CEP.svr [McAfee]
2	%System%\cam\klog.dat	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E	(not available)
3	[file and pathname of the sample #1]	1,199,915 bytes	MD5: 0x32CA48D6496CD7AFDABEED891AC08EEF	Backdoor.Win32.Ciadoor.gn [Kaspersky Lab]

• Notes:
• %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

• The following directory was created:
• %System%\cam

Memory Modifications

• There was a new process created in the system:

Process Name	Process Filename	Main Module Size
Cadeau.exe	%Temp%\Cadeau.exe	2,523,136 bytes

Registry Modifications

• The following Registry Keys were created:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}
• HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo
• HKEY_CURRENT_USER\Software\Bifrost

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}]
• stubpath = "%System%\cam\photo.exe s"
• [HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost]
• nck = ED 1B E6 27 B9 28 D6 32 74 C3 CD 74 FA 93 5B 67
• [HKEY_CURRENT_USER\Software\Bifrost]
• klg = 01

Other details

• Analysis of the file resources indicate the following possible country of origin:

	Sweden

• The following Host Name was requested from a host database:
• bikbik.no-ip.biz

• There was registered attempt to establish connection with the remote host. The connection details are: