ThreatExpert Report: Backdoor.Trojan, Backdoor.Win32.Bifrose.fxv, Generic BackDoor.aab..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 19 October 2012, 05:18:14
Processing time: 8 min 24 sec
Submitted sample:

File MD5: 0xDA82B9F703448AB4840E37F6089D6D5A
File SHA-1: 0x109594EF771B462487105EF45A539970EBF2BD28
Filesize: 32,669 bytes
Alias:

Backdoor.Trojan [Symantec]
Backdoor.Win32.Bifrose.fxv [Kaspersky Lab]
Generic BackDoor.aab [McAfee]
BKDR_BIFROSE.SMA [Trend Micro]
Mal/Bifrose-X [Sophos]
Backdoor:Win32/Bifrose.AE [Microsoft]
Trojan.Win32.Midgare [Ikarus]
Win-Trojan/Midgare.30208 [AhnLab]

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

The following file was created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%ProgramFiles%\spool\spool.exe [file and pathname of the sample #1]	32,669 bytes	MD5: 0xDA82B9F703448AB4840E37F6089D6D5A SHA-1: 0x109594EF771B462487105EF45A539970EBF2BD28	Backdoor.Trojan [Symantec] Backdoor.Win32.Bifrose.fxv [Kaspersky Lab] Generic BackDoor.aab [McAfee] BKDR_BIFROSE.SMA [Trend Micro] Mal/Bifrose-X [Sophos] Backdoor:Win32/Bifrose.AE [Microsoft] Trojan.Win32.Midgare [Ikarus] Win-Trojan/Midgare.30208 [AhnLab]

Note:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directory was created:

%ProgramFiles%\spool

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
spool.exe	%ProgramFiles%\spool\spool.exe	36,864 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	36,864 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836}
HKEY_LOCAL_MACHINE\SOFTWARE\spool
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo
HKEY_CURRENT_USER\Software\spool

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836}]

stubpath = "%ProgramFiles%\spool\spool.exe s"

so that spool.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\spool]

nck = DA 0E EF 29 A0 44 A2 32 74 C3 CD 74 FA 93 5B 67

[HKEY_CURRENT_USER\Software\spool]

klg = 00

Other details

To mark the presence in the system, the following Mutex object was created:

spool

The following Host Name was requested from a host database:

midoahmed.zapto.org

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
midoahmed.zapto.org	81

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 81:

00000000 | 0B01 0000 994F B271 E274 8C02 5AF2 B107 | .....O.q.t..Z...
00000010 | 8AFC 340B 7625 A461 3F32 2BB6 F5EB 3C21 | ..4.v%.a?2+...<!
00000020 | 3143 83AE DA73 56AE D0EC A9A3 71F2 03E0 | 1C...sV.....q...
00000030 | 06A5 3989 B466 076D C189 1101 9322 4B27 | ..9..f.m....."K'
00000040 | 540B 6106 D0D7 D7F7 5844 162A DF71 1CE5 | T.a.....XD.*.q..
00000050 | 9D83 61B5 5655 650D A0F9 1DF6 4282 5BE5 | ..a.VUe.....B.[.
00000060 | 96B1 B8D6 1E21 CB76 7BEE 20A6 A1B6 62AA | .....!.v{. ...b.
00000070 | 7064 5E86 B987 AC39 5EAD 6327 EAEB 430C | pd^....9^.c'..C.
00000080 | 4DF4 06FA 6AB8 6EE7 3185 1850 8508 35A0 | M...j.n.1..P..5.
00000090 | 2FED B12B 71E5 1EE2 1274 8ADE 79F8 B4CB | /..+q....t..y...
000000A0 | 6260 37D1 978E 03E5 AED4 41AD 8A09 C2A9 | b`7.......A.....
000000B0 | A693 F32D 872F 865C C8AD 35AC 1295 3FE9 | ...-./.\..5...?.
000000C0 | 4638 E737 144F 5CCF 85D6 53D1 A988 8180 | F8.7.O\...S.....
000000D0 | 5CA7 A6C7 3907 3FA4 976B 5FB2 3C19 357E | \...9.?..k_.<.5~
000000E0 | 0466 EC5D 4205 F45F BBE1 3BE6 A2A0 84AF | .f.]B.._..;.....
000000F0 | 1991 65B0 6CE1 D7C1 3E38 B26D 0594 EF11 | ..e.l...>8.m....
00000100 | F72F 534E F81F F731 9F6E CD03 2B73 EB   | ./SN...1.n..+s.

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.