ThreatExpert Report: Trojan.Gen.2, Trojan.SuspectCRC

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 6 September 2012, 15:19:08
Processing time: 8 min 16 sec
Submitted sample:

File MD5: 0x96B5C8E7FED385784511B3B3687CBED7
File SHA-1: 0xAE83E1D472748E41F7995E960D00AAE731F9D663
Filesize: 407,421 bytes
Alias & packer info:

Trojan.Gen.2 [Symantec]
Trojan.SuspectCRC [Ikarus]
packed with: PE_Patch [Kaspersky Lab]

Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Backdoor.Bifrose	Backdoor.Bifrose is a backdoor trojan that attempts to propagate by exploiting local network shares. It will also attempt to join a predefined IRC server and channel in order to participate in DDoS attacks.

Attention! The following threat category was identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%System%\Bifrost\logg.dat	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
2	%System%\Bifrost\server.exe	407,421 bytes	MD5: 0x96B5C8E7FED385784511B3B3687CBED7 SHA-1: 0xAE83E1D472748E41F7995E960D00AAE731F9D663	Trojan.Gen.2 [Symantec] Trojan.SuspectCRC [Ikarus] packed with PE_Patch [Kaspersky Lab]

Note:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following directory was created:

%System%\Bifrost

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
server.exe	%System%\Bifrost\server.exe	35,168 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	1,433,600 bytes

Attention! The following processes were intentionally hidden from the user:

Process Name	Main Module Size
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes

There was a new memory page created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
server.exe	%System%\bifrost\server.exe	36,864 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836}
HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo
HKEY_CURRENT_USER\Software\Bifrost

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836}]

stubpath = "%System%\Bifrost\server.exe s"

so that server.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost]

nck = CE 11 EF 21 A0 21 A2 32 74 C3 CD 74 FA 93 5B 67

[HKEY_CURRENT_USER\Software\Bifrost]

klg = 01

Other details

To mark the presence in the system, the following Mutex object was created:

Bif1234

The following Host Names were requested from a host database:

s7ak.no-ip.biz
192.5.5.241

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
s7ak.no-ip.biz	81

There was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:

%ProgramFiles%\Internet Explorer\iexplore.exe

Notes:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 81:

00000000 | 0601 0000 994F B271 E274 8C02 5AF2 B113 | .....O.q.t..Z...
00000010 | 95FC 3C0B 6F1A A863 2237 2AA7 E2F7 332D | ..<.o..c"7*...3-
00000020 | 397A AA88 CC64 6A81 DCE4 B0AF 30ED 1FB6 | 9z...dj.....0...
00000030 | 1EB4 2BDB A525 546D C089 0D05 DF26 4B27 | ..+..%Tm.....&K'
00000040 | 1D0B 2F4A 9C9B 9AE8 0C09 4762 8C69 6EBE | ../J......Gb.in.
00000050 | F5F7 7295 1964 440C B7FF 50F2 4292 0896 | ..r..dD...P.B...
00000060 | 92AB A89F 2323 CC5E 47F3 22A7 B382 7CAA | ....##.^G."...|.
00000070 | 5E78 5A88 B9B5 8A20 7EF2 5117 F9CB 0C3D | ^xZ.... ~.Q....=
00000080 | 6CF5 11FC 27BC 6EF7 62F6 1C4A 9541 08A2 | l...'.n.b..J.A..
00000090 | 28C5 8D36 73E4 0CD6 0C74 A4D4 7DE6 BAE3 | (..6s....t..}...
000000A0 | 4975 38F9 D9BD 37F6 8E9B 708C 8B1E C4E4 | Iu8...7...p.....
000000B0 | A293 E37E F42B 9C4C 8190 37AB 3AA9 22EB | ...~.+.L..7.:.".
000000C0 | 472A D329 1461 5FD7 C8F7 60FF A5C5 A081 | G*.).a_...`.....
000000D0 | 4BA1 B7F7 040F 7CE8 F208 13B6 3C10 792F | K.....|.....<.y/
000000E0 | 5239 A055 1905 F74B A1B0 79A7 E383 86EC | R9.U...K..y.....
000000F0 | 46DE 5BB6 69E7 98FB 3F2A A33F 229F EF54 | F.[.i...?*.?"..T
00000100 | C039 4656 B728 EA33 8F01                | .9FV.(.3..

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.