Submission Summary:

• Submission details:
• Submission received: 23 August 2011, 13:48:33
• Processing time: 7 min 31 sec
• Submitted sample:
• File MD5: 0xF1461C0895C874EEC3AF3B4E26E74E67
• File SHA-1: 0xF365AF578D25E65F2E8D19F32A9FBC429B2186A3
• Filesize: 51,760 bytes
• Alias:
• Trojan-PSW.Generic [PCTools]
• Backdoor.Win32.Bifrose.fny [Kaspersky Lab]
• BackDoor-CEP.svr [McAfee]
• Mal/Bifrose-R, Mal/Bifrose-R [Sophos]
• Backdoor:Win32/Bifrose.ACI [Microsoft]
• Backdoor.Bifrost [Ikarus]
• Dropper/Agent.29565 [AhnLab]

• Summary of the findings:

What's been found	Severity Level
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Backdoor.Bifrose	Backdoor.Bifrose is a backdoor trojan that attempts to propagate by exploiting local network shares. It will also attempt to join a predefined IRC server and channel in order to participate in DDoS attacks.
Backdoor.Optix	Backdoor.Optix is a backdoor Trojan program which opens ports on the infected computer and allows the attackers to gain unauthorized access to the system.

• Attention! The following threat category was identified:

Threat Category	Description
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%AppData%\addon.dat	22,040 bytes	MD5: 0x94078BDFBA9F9662E266B496C85B0452 SHA-1: 0xBB4210AE3CFF5A0FE2D1286AC3D3026D28CA3C03	(not available)
2	%System%\Bifrost\klog.dat	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
3	%System%\Bifrost\LooooooL.exe [file and pathname of the sample #1]	51,760 bytes	MD5: 0xF1461C0895C874EEC3AF3B4E26E74E67 SHA-1: 0xF365AF578D25E65F2E8D19F32A9FBC429B2186A3	Trojan-PSW.Generic [PCTools] Backdoor.Win32.Bifrose.fny [Kaspersky Lab] BackDoor-CEP.svr [McAfee] Mal/Bifrose-R, Mal/Bifrose-R [Sophos] Backdoor:Win32/Bifrose.ACI [Microsoft] Backdoor.Bifrost [Ikarus] Dropper/Agent.29565 [AhnLab]

• Notes:
• %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

• The following directory was created:
• %System%\Bifrost

Memory Modifications

• Attention! The following process was intentionally hidden from the user:

Process Name	Main Module Size
IEXPLORE.EXE	102,400 bytes

Registry Modifications

• The following Registry Keys were created:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A5395C12-C8A0-CAEB-E8A6-F5F317368EBB}
• HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo
• HKEY_CURRENT_USER\Software\Bifrost

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A5395C12-C8A0-CAEB-E8A6-F5F317368EBB}]
• stubpath = "%System%\Bifrost\LooooooL.exe s"

so that LooooooL.exe runs every time Windows starts

• [HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost]
• nck = 4A A5 5D A7 CC 44 A2 32 74 C3 CD 74 FA 93 5B 67
• [HKEY_CURRENT_USER\Software\Bifrost]
• klg = 01
• plg1 = EA 44 DC 02 A3 27 D7 5F 11 AD B9 07 DA F2 35 03 2A 35 8E 58 1B 0E 11 94 D4 F9 28 1F 11 4D 98 BC D2 64 44 8E CD F9 B9 BA 23 BD 45 ED 15 A6 77 AF B8 7C 04 4D 90 91 58 5F 81 3C 53 77 15 3A C2 06 E0 AB E6 8B 78 27 03 56 BC 15 2D 84 BD A7 8C 8A FA 1C B0 1

Other details

• Analysis of the file resources indicate the following possible country of origin:

	Sweden