Backdoor.Bifrose


1. What is Backdoor.Bifrose?

Bifrose is a backdoor Trojan that gives an unauthorized remote user control over your system, making it possible to capture your personal information by accessing your files. Through Bifrose, this anonymous user may upload, download, and delete files stored on your hard drive. Your computer's security and stability may be degraded further, as Bifrose may download other applications. Bifrose is a serious threat to the security of your personal and financial data, and it is recommended that you remove it immediately.

 

2. Technical Details

 

a. The following files were created in the system:

 

No.  Filename                                                                 Size
1    %ProgramFiles%\LightC\LightC.exe [file and pathname of the sample #1]    218,426 bytes
2    %ProgramFiles%\LightC\logg.dat

Notes:

    • %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

b. The following directory was created:

  • %ProgramFiles%\LightC

c. Memory Modifications

  • There was a new process created in the system:

Process Name                  Process Filename                        Main Module Size
[filename of the sample #1]   [file and pathname of the sample #1]    98,304 bytes
lightc.exe                    %ProgramFiles%\lightc\lightc.exe        98,304 bytes

d. Registry Modifications

    • The following Registry Keys were created:
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836}
      • HKEY_LOCAL_MACHINE\SOFTWARE\LightC
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo
      • HKEY_CURRENT_USER\Software\LightC
    • The newly created Registry Values are:
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836}]
        • stubpath = "%ProgramFiles%\LightC\LightC.exe s"
          (so that LightC.exe runs every time Windows starts)
      • [HKEY_LOCAL_MACHINE\SOFTWARE\LightC]
        • nck = 7F B3 6D A3 EC 88 6D DF BB 26 CD 74 FA 93 5B 67
      • [HKEY_CURRENT_USER\Software\LightC]
        • klg = 01
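The Active Setup StubPath entry and the two LightC keys listed above are the host-side indicators a responder checks for. The following Python script is an added example, not part of this writeup and not Sax2 or Ax3soft code: it parses a registry export in the .reg text format, flags any Active Setup StubPath that points outside the Windows system directories (a generalisation of the entry above), and reports the LightC keys from section 2.d. The embedded export is constructed for the example, the trusted-directory list and the dummy GUID are assumptions, and the nck and klg values are encoded as REG_BINARY because the writeup does not state their type.

```python
import re

# Constructed registry export in the .reg text format (not a capture from an infected host).
# It mixes the entries reported in section 2.d with a benign placeholder Active Setup
# component whose GUID is a dummy value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836}]
"StubPath"="C:\\Program Files\\LightC\\LightC.exe s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
"StubPath"="C:\\Windows\\system32\\placeholder.exe /install"

[HKEY_LOCAL_MACHINE\SOFTWARE\LightC]
"nck"=hex:7f,b3,6d,a3,ec,88,6d,df,bb,26,cd,74,fa,93,5b,67

[HKEY_CURRENT_USER\Software\LightC]
"klg"=hex:01
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

ACTIVE_SETUP = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components'
# Directories a StubPath is expected to point into (assumption made for this example).
TRUSTED_STUB_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\')
# Keys created by this sample, taken from section 2.d of the writeup.
BIFROSE_KEYS = {r'HKEY_LOCAL_MACHINE\SOFTWARE\LightC', r'HKEY_CURRENT_USER\Software\LightC'}


def decode_value(raw):
    """Decode the common .reg value encodings: quoted string, hex: binary, dword: number."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith('hex:'):
        return bytes.fromhex(raw[4:].replace(',', ''))
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    return raw


def parse_reg(text):
    """Return {key path: {value name: decoded value}} for a .reg export."""
    keys, current, pending = {}, None, ''
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ''
        if line.endswith('\\'):          # long hex: values continue on the next line
            pending = line[:-1]
            continue
        if not line or line.startswith(('Windows Registry Editor', 'REGEDIT', ';')):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = decode_value(m.group(2))
    return keys


def audit(keys):
    """Flag Active Setup StubPaths outside trusted directories and the known LightC keys."""
    findings = []
    known = {k.lower() for k in BIFROSE_KEYS}
    for key, values in keys.items():
        lowered = key.lower()
        if lowered.startswith(ACTIVE_SETUP.lower() + '\\'):
            stub = next((v for n, v in values.items() if n.lower() == 'stubpath'), None)
            if isinstance(stub, str) and not stub.lower().startswith(TRUSTED_STUB_DIRS):
                findings.append(('active-setup-stubpath', key, stub))
        if lowered in known:
            findings.append(('bifrose-key', key, sorted(values)))
    return findings


if __name__ == '__main__':
    for kind, key, detail in audit(parse_reg(SAMPLE_REG)):
        print(f'{kind}: {key} -> {detail}')
```

On a live host a StubPath frequently contains %SystemRoot% or another variable, so expand it (for example with os.path.expandvars) before comparing against the trusted directories; the export parser is otherwise format-driven and does not need to run on Windows.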

e. Other details

    • To mark its presence in the system, the following mutex object was created:
      • LightC1
    • The following host name was requested from a host database:
      • katkot.no-ip.org
    • Attempts to establish a connection with the following remote host were registered. The connection details are:

      Remote Host         Port Number
      katkot.no-ip.org    82

    • An application-defined hook procedure was installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:

      • %ProgramFiles%\Internet Explorer\iexplore.exe
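To turn the network indicators in this section into a detection, here is an added Python example (not from this writeup and not Sax2 code). It scans DNS and connection log lines, flags the lookup of katkot.no-ip.org and, more generally, of other dynamic-DNS names, and correlates the DNS answer address with later outbound connections on port 82 so that a connection is attributed to the host name rather than to a bare IP. The one-line log format, the sample lines, the dynamic-DNS suffix list and the process names other than lightc.exe are constructed for this example.

```python
import re

# Network indicators reported in section 2.e of this writeup.
C2_HOST = 'katkot.no-ip.org'
C2_PORT = 82
C2_PROCESS = 'lightc.exe'
# Dynamic-DNS suffixes worth a second look (assumption: a short illustrative list).
DYNDNS_SUFFIXES = ('.no-ip.org', '.no-ip.com', '.dyndns.org', '.ddns.net')

# Constructed log lines in a one-line key=value format invented for this example.
# Addresses come from the RFC 5737 documentation ranges; none is a real resolution.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z DNS client=10.0.0.5 query=www.example.com answer=198.51.100.20
2024-03-01T10:00:02Z DNS client=10.0.0.5 query=katkot.no-ip.org answer=203.0.113.10
2024-03-01T10:00:03Z DNS client=10.0.0.9 query=constructed.ddns.net answer=192.0.2.40
2024-03-01T10:00:04Z CONN src=10.0.0.5 dst=198.51.100.20 dport=443 proc=iexplore.exe
2024-03-01T10:00:05Z CONN src=10.0.0.5 dst=203.0.113.10 dport=82 proc=lightc.exe
2024-03-01T10:00:06Z CONN src=10.0.0.7 dst=203.0.113.10 dport=82 proc=other.exe
2024-03-01T10:00:07Z CONN src=10.0.0.9 dst=192.0.2.40 dport=82 proc=other.exe
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<kind>DNS|CONN) (?P<fields>.*)$')


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split('=', 1) for kv in m.group('fields').split() if '=' in kv)
    return {'ts': m.group('ts'), 'kind': m.group('kind'), **fields}


def detect(log_text):
    """Return (rule, source host, detail) alerts, correlating DNS answers with connections."""
    alerts = []
    resolved = {}  # answer IP -> host name that resolved to it earlier in the log
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec['kind'] == 'DNS':
            host = rec['query'].lower()
            if 'answer' in rec:
                resolved[rec['answer']] = host
            if host == C2_HOST:
                alerts.append(('bifrose-c2-lookup', rec['client'], host))
            elif host.endswith(DYNDNS_SUFFIXES):
                alerts.append(('dyndns-lookup', rec['client'], host))
        else:
            port = int(rec['dport'])
            host = resolved.get(rec['dst'])
            detail = f"{host or rec['dst']}:{port} via {rec['proc']}"
            if host == C2_HOST and port == C2_PORT:
                alerts.append(('bifrose-c2-connect', rec['src'], detail))
            elif port == C2_PORT or rec['proc'].lower() == C2_PROCESS:
                alerts.append(('suspicious-connect', rec['src'], detail))
    return alerts


if __name__ == '__main__':
    for rule, src, detail in detect(SAMPLE_LOG):
        print(f'{rule}: {src} -> {detail}')
```

The IP-to-host map is deliberately shared across clients: the second connection to 203.0.113.10 comes from a host that never queried the name itself, and it is still attributed to katkot.no-ip.org. Dynamic-DNS names change address, so the map should be keyed on time in a production rule rather than kept for the whole log.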

     

3. How-to's

a. How to prevent Backdoor.Bifrose?

Keep the Sax2 policy knowledge base updated. Once Ax3soft Sax2 detects the communication of these Trojans, it will break the connection and ensure your network and business security.

b. How to remove Backdoor.Bifrose manually?

Step 1: Delete the associated files of Backdoor:Win32/Bifrose.AE listed below:

%System%\system32\server.exe

Step 2: Delete the following registry keys:

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9FB044CA-AC5C-DA5D-A8F9-B2564CDB3683}
  HKEY_LOCAL_MACHINE\SOFTWARE\max
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo
  HKEY_CURRENT_USER\Software\max

c. How to remove these Trojans instantly?

Manual removal is a difficult process and is not recommended unless you are an expert in this field. Therefore, your best defense is to download and install a reliable anti-spyware program to scan your machine for spyware. To detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

     

4. Appendix

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm
