ThreatExpert Report: Backdoor.Win32.Bifrose.afgu, Constructor.Win32.Bifrose, Backdoor.Bifrose..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 30 December 2008, 10:09:24
Processing time: 6 min 38 sec
Submitted sample:

File MD5: 0xCD192EFEBDEEB1DC40656AFAFEF554F7
File SHA-1: 0x0BBECAB9EB91630082BD187AF588E54762269FD9
Filesize: 2,028,610 bytes
Alias:

Backdoor.Win32.Bifrose.afgu [Kaspersky Lab]
Constructor.Win32.Bifrose [Ikarus]

Summary of the findings:

What's been found	Severity Level
Capability to terminate Antivirus, Firewall and other security related processes.
Produces outbound traffic.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat categories were identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A hacktool that could be used by attackers to break into a system
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\bifrost saudi hack v0.2.exe	1,915,381 bytes	MD5: 0x56DA7AB39B9CACA88AE328D6E75A96C8 SHA-1: 0x4E459B8D01EF2C7842ED18B294A318E691105232	Backdoor.Bifrose [Symantec] Constructor.Win32.Bifrose.bn [Kaspersky Lab] New Malware.eh [McAfee] Backdoor:Win32/Bifrose.gen!B [Microsoft] Constructor.Win32.Bifrose [Ikarus]
2	%Temp%\lssas	148 bytes	MD5: 0x74C8A3E448FA87D42F694AEBA4E41ACE SHA-1: 0x5042BCC02CEC3326EF87B7749AFB06AC3C90C6F9	(not available)
3	%Temp%\lssas.exe	47,651 bytes	MD5: 0xAFB630143FD68CB987873ECAE3D0A8C1 SHA-1: 0x4CE43DC57F3DE719082AA2B3BF17C6AA0A82B454	Trojan-Downloader.VB [Ikarus]
4	[file and pathname of the sample #1]	2,028,610 bytes	MD5: 0xCD192EFEBDEEB1DC40656AFAFEF554F7 SHA-1: 0x0BBECAB9EB91630082BD187AF588E54762269FD9	Backdoor.Win32.Bifrose.afgu [Kaspersky Lab] Constructor.Win32.Bifrose [Ikarus]

Note:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

The following directory was created:

%Temp%\Computers

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
bifrost saudi hack v0.2.exe	%Temp%\bifrost saudi hack v0.2.exe	1,941,504 bytes
lssas.exe	%Temp%\lssas.exe	9,216 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	69,632 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2553A222-0354-B257-D660-57B9B1202DDB}
HKEY_CURRENT_USER\Software\BIFROST1.2

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2553A222-0354-B257-D660-57B9B1202DDB}]

StubPath = "%Temp%\lssas.exe"

so that lssas runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

save = "%Temp%\lssas.exe"

so that lssas runs every time Windows starts

[HKEY_CURRENT_USER\Software\BIFROST1.2]

settings = 51 00 00 00 00 00 00 00 00 00 00 00 6D 79 70 61 73 73 00 00 00 00 00 00 00 00 00 00 61 64 64 6F 6E 2E 64 61 74 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00

Other details

Analysis of the file resources indicate the following possible countries of origin:

	Sweden
	Germany

To mark the presence in the system, the following Mutex objects were created:

)!VoqA.I4
BIFROST1.2

The following Host Name was requested from a host database:

hamo0odi.no-ip.biz

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
hamo0odi.no-ip.biz	14079

There was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:

%Temp%\lssas.exe

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 14079:

00000000 | 81CD 6B28 28AD 8729 D5CA E12D 368A 8C47 | ..k((..)...-6..G
00000010 | 5AC3 E359 EDC2 663D 5C35 4325 82A5 50A8 | Z..Y..f=\5C%..P.
00000020 | 37DA EFE7 99CC A235 3664 CE91 92A9 0018 | 7......56d......
00000030 | 29BA 0625 2EF9 F6F9 3161 B057 349D F959 | )..%....1a.W4..Y
00000040 | 4CCB B97F 28FA 43AF 6154 ED1A 0A45 7034 | L...(.C.aT...Ep4
00000050 | 9495 A4F7 8EEF A082 DB13 E0A2 84EF 5F8D | .............._.
00000060 | E277 C6E5 47AA A6F3 7C71 9698 6BFB 71E3 | .w..G...|q..k.q.
00000070 | 13A6 4DEE 72F5 8A02 0F83 D787 6E9D 9897 | ..M.r.......n...
00000080 | D347 4265 CCBC E39E 9DDA 459B 8FA4 B9C3 | .GBe......E.....
00000090 | 795E 8061 5A3A 63D6 217B 5B9E 7F23 C035 | y^.aZ:c.!{[..#.5
000000A0 | BA74 E397 ADBF 85A2 E805 0D57 5953 9F74 | .t.........WYS.t
000000B0 | 93AF 6684 5506 7B07 34B3 415B B199 DF69 | ..f.U.{.4.A[...i
000000C0 | 5BC2 5AA5 9663 D8F7 3FBD 12DD DD80 3BE2 | [.Z..c..?.....;.
000000D0 | F43E 87F0 3D1F 4B08 0BAC CE37 C197 ED47 | .>..=.K....7...G
000000E0 | D639 CEFA 7975 5D00 D158 5D75 54A9 725D | .9..yu]..X]uT.r]
000000F0 | 884F A101 6D39 C823 04AB B304 5578 AC87 | .O..m9.#....Ux..
00000000 | 7159 DB8E A891 7F9A 8FCC 438D 3D49 C5F6 | qY........C.=I..
00000010 | 9D2A C228 04A0 E6A4 629F 5329 DC43 F173 | .*.(....b.S).C.s
00000020 | 9625 6B8C 46D2 822D 36AA 5F7E 39FE 3AF1 | .%k.F..-6._~9.:.
00000030 | E595 9F38 E7BF D047 8B5B 567C 34CE 0C83 | ...8...G.[V|4...
00000040 | 71A7 B114 9639 8965 1210 2C83 8FF3 EDED | q....9.e..,.....
00000050 | 80B3 598F 6332 1F75 D7BF 3548 A442 E951 | ..Y.c2.u..5H.B.Q
00000060 | 6B23 5598 9A13 88C9 93B0 4C24 7548 C0F2 | k#U.......L$uH..
00000070 | 19E8 70EC 4ABA DFB5 9F28 E119 E5A0 61A3 | ..p.J....(....a.
00000080 | B7D0 CB86 FFB5 1918 C1CA E0C7 65D2 E247 | ............e..G
00000090 | DF63 3F55 8F11 2E79 8F28 1513 2356 15D8 | .c?U...y.(..#V..
000000A0 | 81BC BE58 1CFE 6A8A 3659 5583 3023 EA74 | ...X..j.6YU.0#.t
000000B0 | 8BEB 1199 6816 09EA 74CE FE2C 8F75 76D3 | ....h...t..,.uv.
000000C0 | BB20 F859 CBCA CCC8 B1EA 8D56 2CCE 6955 | . .Y.......V,.iU
000000D0 | 9B25 8997 17EA 5F07 F8CB 8B63 8E45 E563 | .%...._....c.E.c
000000E0 | A45B BD9B 8CA5 F953 BF96 61AE 38EB 712E | .[.....S..a.8.q.
000000F0 | 5F00 013A E6DE 57DD 0221 99CA BDBC 24C4 | _..:..W..!....$.

Heuristics Analysis

Heuristically identified capability to terminate the following security related processes:

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.