How to Prevent and Remove the Constructor.Win32.Bifrose
1. What is the Constructor.Win32.Bifrose
 

Constructor.Win32.Bifrose is a virus or trojan creation toolkit: an extremely easy-to-use program that lets a user build malware simply by choosing its functions. It's important to note that the Constructor.Win32.Bifrose file is a dangerous program that can pretend to be a security solution. The constructed program runs in the background and provides remote attackers with access to the infected PC. It may also bring additional parasites, putting the infected PC at even greater risk.

 

2. Technical Details:

 

a. The following files were created in the system:

    #    Filename(s)                             File Size
    1    %Temp%\26c4qxxw.tmp                     0 bytes
    2    %Temp%\a2g93dk8.bat                     102 bytes
    3    %Temp%\k1l6vskz.exe                     269,824 bytes
    4    %Temp%\n8jgk2.exe                       65,536 bytes
         %Windir%\Temp\n8jgk2.exe
    5    %UserProfile%\wuaucldt.exe              59,904 bytes
    6    %Windir%\svc2.exe                       0 bytes
    7    [file and pathname of the sample #1]    630,784 bytes
    8    %System%\uroh8dy.log                    3,998 bytes
    9    %System%\wuaucldt.exe                   59,904 bytes
    10   %Windir%\Temp\BN5.tmp                   0 bytes
    11   %Windir%\Temp\BN8.tmp                   0 bytes
    12   %Windir%\Temp\VRT2.tmp                  32,512 bytes
    13   %Windir%\Temp\VRT4.tmp                  0 bytes
  • Notes:
    • %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
    • %UserProfile% is a variable that specifies the current user's profile folder. By default, this is C:\Documents and Settings\[UserName] (Windows NT/2000/XP).
    • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
  • The following files were modified:
    • [pathname with a string SHARE]\msinfo32.exe
    • [pathname with a string SHARE]\sapisvr.exe
    • %ProgramFiles%\Internet Explorer\Connection Wizard\icwconn1.exe
    • %ProgramFiles%\Internet Explorer\Connection Wizard\icwconn2.exe
    • %ProgramFiles%\Internet Explorer\Connection Wizard\icwrmind.exe
    • %ProgramFiles%\Internet Explorer\Connection Wizard\icwtutor.exe
    • %ProgramFiles%\Internet Explorer\Connection Wizard\inetwiz.exe
    • %ProgramFiles%\Internet Explorer\Connection Wizard\isignup.exe
    • %ProgramFiles%\Internet Explorer\iedw.exe
    • %ProgramFiles%\Internet Explorer\IEXPLORE.EXE
    • %ProgramFiles%\MSN\MSNIA\msniasvc.exe
    • %ProgramFiles%\MSN\MSNIA\prestp.exe
    • %ProgramFiles%\MSN\MsnInstaller\msninst.exe
    • %ProgramFiles%\NetMeeting\wb32.exe
    • %ProgramFiles%\Outlook Express\msimn.exe
    • %ProgramFiles%\Outlook Express\oemig50.exe
    • %ProgramFiles%\Outlook Express\setup50.exe
    • %ProgramFiles%\Outlook Express\wab.exe
    • %ProgramFiles%\Outlook Express\wabmig.exe
    • %ProgramFiles%\Web Publish\WPWIZ.EXE
    • %ProgramFiles%\Windows Media Player\migrate.exe
    • %ProgramFiles%\Windows Media Player\mplayer2.exe
    • %ProgramFiles%\Windows Media Player\setup_wm.exe
    • %ProgramFiles%\Windows Media Player\wmplayer.exe
    • %ProgramFiles%\Windows NT\Accessories\wordpad.exe
    • %ProgramFiles%\Windows NT\dialer.exe
    • %ProgramFiles%\Windows NT\hypertrm.exe
    • %ProgramFiles%\Windows NT\Pinball\PINBALL.EXE
    • %Windir%\Cache\Adobe Reader 6.0.1\ENUBIG\setup.exe
    • %Windir%\hh.exe
    • %Windir%\inf\unregmp2.exe
    • %Windir%\Microsoft.NET\Framework\NETFXSBS10.exe
    • %Windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
    • %Windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe
    • %Windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe
    • %Windir%\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
    • %Windir%\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
    • %Windir%\Microsoft.NET\Framework\v2.0.50727\IEExec.exe
    • %Windir%\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
    • %Windir%\Microsoft.NET\Framework\v2.0.50727\jsc.exe
    • %Windir%\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
    • %Windir%\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    • %Windir%\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    • %Windir%\msagent\agentsvr.exe
    • %Windir%\mui\muisetup.exe
    • %Windir%\NOTEPAD.EXE
    • %Windir%\pchealth\helpctr\binaries\HelpCtr.exe
    • %Windir%\pchealth\helpctr\binaries\HelpHost.exe
    • %Windir%\pchealth\helpctr\binaries\HelpSvc.exe
    • %Windir%\pchealth\helpctr\binaries\HscUpd.exe
    • %Windir%\pchealth\helpctr\binaries\msconfig.exe
    • %Windir%\pchealth\helpctr\binaries\notiflag.exe
    • %Windir%\pchealth\UploadLB\Binaries\UploadM.exe
    • %Windir%\regedit.exe
    • %System%\accwiz.exe
    • %System%\actmovie.exe
    • %System%\ahui.exe
    • %System%\alg.exe
    • %System%\arp.exe
    • %System%\asr_fmt.exe
    • %System%\asr_ldm.exe
    • %System%\asr_pfu.exe
    • %System%\at.exe
    • %System%\atmadm.exe
    • %System%\attrib.exe
    • %System%\auditusr.exe
    • %System%\blastcln.exe
    • %System%\bootcfg.exe
    • %System%\bootok.exe
    • %System%\bootvrfy.exe
    • %System%\cacls.exe
    • %System%\calc.exe
    • %System%\charmap.exe
    • %System%\chkdsk.exe
    • %System%\chkntfs.exe
    • %System%\cidaemon.exe
    • %System%\cipher.exe
    • %System%\cisvc.exe
    • %System%\ckcnv.exe
    • %System%\cleanmgr.exe
    • %System%\clean_all.exe
    • %System%\cliconfg.exe
    • %System%\clipbrd.exe
    • %System%\clipsrv.exe
    • %System%\cmd.exe
    • %System%\cmdl32.exe
    • %System%\cmmon32.exe
    • %System%\cmstp.exe
    • %System%\Com\comrepl.exe
    • %System%\Com\comrereg.exe
    • %System%\comp.exe
    • %System%\compact.exe
    • %System%\conime.exe
    • %System%\control.exe
    • %System%\convert.exe
    • %System%\cscript.exe
    • %System%\ctfmon.exe
    • %System%\dcomcnfg.exe
    • %System%\ddeshare.exe
    • %System%\defrag.exe
  • Notes:
    • %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
  • The following directories were created:
    • c:\System Volume Information\.
    • c:\System Volume Information\..
    • %System%\COMPUTER

b. Memory Modifications

    • There were new processes created in the system:

      Process Name                  Process Filename                       Main Module Size
      [filename of the sample #1]   [file and pathname of the sample #1]   1,540,096 bytes
      VRT2.tmp                      %Windir%\temp\vrt2.tmp                 32,512 bytes
      n8jgk2.exe                    %Windir%\temp\n8jgk2.exe               176,128 bytes
      n8jgk2.exe                    %Temp%\n8jgk2.exe                      176,128 bytes
      VRT4.tmp                      %Windir%\temp\vrt4.tmp                 16,384 bytes

    • The following system services were modified:

      Service Name   Display Name                                         New Status   Service Filename
      ALG            Application Layer Gateway Service                    "Stopped"    %System%\alg.exe
      SharedAccess   Windows Firewall/Internet Connection Sharing (ICS)   "Stopped"    %System%\svchost.exe -k netsvcs
      wscsvc         Security Center                                      "Stopped"    %System%\svchost.exe -k netsvcs

c. Registry Modifications

    • The following Registry Keys were created:
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
      • HKEY_CURRENT_USER\Software\BIFROST1.2
      • HKEY_LOCAL_MACHINE\SOFTWARE\Alexa Internet
    • The newly created Registry Values are:
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
        • m4b0m = "%Temp%\n8jgk2.exe"
        • cnen0m = "%Windir%\TEMP\4ikzhd.exe"

        so that n8jgk2.exe runs every time Windows starts
         
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        • wuaucldt = "%System%\wuaucldt.exe"
        • aaaaaaaah = "%System%\aaaaaaaah.exe"

        so that wuaucldt.exe runs every time Windows starts
         
      • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer]
        • UpdateHost = 00 50 53 85 77 CE
      • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
        • ProxyEnable = 0x00000000
      • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
        • wuaucldt = "%UserProfile%\wuaucldt.exe"
        • aaaaaaaah = "%UserProfile%\aaaaaaaah.exe"

        so that wuaucldt.exe runs every time Windows starts
         
      • [HKEY_CURRENT_USER\Software\BIFROST1.2]
        • settings = 51 00 00 00 00 00 00 00 00 00 00 00 6D 79 70 61 73 73 00 00 00 00 00 00 00 00 00 00 61 64 64 6F 6E 73 2E 64 61 74 00 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00
      • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows]
        • PopupMgr = "no"
    • The following Registry Value was modified:
      • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
        • Cookies =
        • Cache =
        • History =
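The REG_BINARY "settings" value written under HKEY_CURRENT_USER\Software\BIFROST1.2 is listed above only as raw hex. The Python below is an added example, not part of the original analysis: it embeds that blob as copied from this page and decodes it into printable strings and little-endian DWORDs for triage. The field layout it assumes (one leading DWORD, two 16-byte string slots, six trailing DWORD flags) is a working hypothesis for this example, not a documented Bifrost format.

```python
import struct

# The REG_BINARY "settings" value under HKEY_CURRENT_USER\Software\BIFROST1.2,
# copied from the analysis above (68 bytes as listed there).
SETTINGS_HEX = (
    "51 00 00 00 00 00 00 00 00 00 00 00 "
    "6D 79 70 61 73 73 00 00 00 00 00 00 00 00 00 00 "
    "61 64 64 6F 6E 73 2E 64 61 74 00 00 00 00 00 00 "
    "01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 "
    "01 00 00 00 01 00 00 00"
)

def hex_to_bytes(text):
    """Turn the space-separated hex dump of a registry export into bytes."""
    return bytes.fromhex(text)

def printable_runs(data, min_len=4):
    """(offset, text) for every run of printable ASCII at least min_len long."""
    runs, start = [], None
    for i, b in enumerate(data + b"\x00"):  # trailing NUL flushes the last run
        if 0x20 <= b < 0x7F:
            start = i if start is None else start
        else:
            if start is not None and i - start >= min_len:
                runs.append((start, data[start:i].decode("ascii")))
            start = None
    return runs

def dwords(data):
    """Little-endian unsigned 32-bit values at every 4-byte boundary."""
    n = len(data) // 4
    return list(struct.unpack("<%dI" % n, data[:n * 4]))

def decode_settings(blob):
    """Triage view of the blob. Field meanings are an assumption made for this
    example, not a documented Bifrost format: one leading DWORD, two 16-byte
    string slots at offsets 12 and 28, then six DWORD flags from offset 44."""
    return {
        "size": len(blob),
        "first_dword": dwords(blob)[0],
        "strings": printable_runs(blob),
        "trailing_flags": dwords(blob[44:]),
    }

if __name__ == "__main__":
    info = decode_settings(hex_to_bytes(SETTINGS_HEX))
    for field, value in info.items():
        print(field, "=", value)
```

The leading DWORD decodes to 81, the same TCP port the sample is listed as opening under "Other details", and the two string slots decode to mypass and addons.dat, which is the kind of detail worth recording when this blob is found on another host.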

d. Other details

    • The following ports were open in the system:

      Port   Protocol   Process
      81     TCP        [file and pathname of the sample #1]
      1142   TCP        VRT4.tmp (%Windir%\TEMP\VRT4.tmp)
      1143   TCP        VRT4.tmp (%Windir%\TEMP\VRT4.tmp)
    • There were registered attempts to establish connections with remote hosts, all on TCP ports 443 and 80.
    • The data identified by the following URLs was then requested from the remote web server:
      • http://bb.iwillhavebigdick.com/kp.exe
      • http://ad.ghura.pl/rus.php


3. How-to's

a. How to prevent the Constructor.Win32.Bifrose?

Keep the Sax2 policy knowledge base up to date. Once Ax3soft Sax2 detects the communication of these trojans, it will break the connection and help ensure your network and business security.

b. How to Remove the Constructor.Win32.Bifrose Manually?

Step 1: Stop the following Constructor.Win32.Bifrose processes:
    [file and pathname of the sample #1]
    %Windir%\temp\vrt2.tmp
    %Windir%\temp\n8jgk2.exe
    %Temp%\n8jgk2.exe
    %Windir%\temp\vrt4.tmp

Step 2: Remove the following Constructor.Win32.Bifrose registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    HKEY_CURRENT_USER\Software\BIFROST1.2
    HKEY_LOCAL_MACHINE\SOFTWARE\Alexa Internet
    The newly created Registry Values are:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    m4b0m = "%Temp%\n8jgk2.exe"
    cnen0m = "%Windir%\TEMP\4ikzhd.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    wuaucldt = "%System%\wuaucldt.exe"
    aaaaaaaah = "%System%\aaaaaaaah.exe"

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer]
    UpdateHost = 00 50 53 85 77 CE
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    ProxyEnable = 0x00000000
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    wuaucldt = "%UserProfile%\wuaucldt.exe"
    aaaaaaaah = "%UserProfile%\aaaaaaaah.exe"

    [HKEY_CURRENT_USER\Software\BIFROST1.2]
    settings = 51 00 00 00 00 00 00 00 00 00 00 00 6D 79 70 61 73 73 00 00 00 00 00 00 00 00 00 00 61 64 64 6F 6E 73 2E 64 61 74 00 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows]
    PopupMgr = "no"
    The following Registry Value was modified:
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
    Cookies =
    Cache =
    History =

Step 3: Locate and delete the following Constructor.Win32.Bifrose files:

    %Temp%\26c4qxxw.tmp
    %Temp%\a2g93dk8.bat
    %Temp%\k1l6vskz.exe
    %Temp%\n8jgk2.exe
    %Windir%\Temp\n8jgk2.exe
    %UserProfile%\wuaucldt.exe
    %Windir%\svc2.exe
    [file and pathname of the sample #1]
    %System%\uroh8dy.log
    %System%\wuaucldt.exe
    %Windir%\Temp\BN5.tmp
    %Windir%\Temp\BN8.tmp
    %Windir%\Temp\VRT2.tmp
    %Windir%\Temp\VRT4.tmp
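Before deleting anything in Steps 2 and 3, it helps to confirm which of the autorun entries from the analysis are actually present. The Python below is an added example, not code from the original page or from the Sax2 product: it carries the Run-key values listed above (root keys abbreviated to HKLM and HKU) and flags matches either by value name or by the executable name the value points at, so a renamed value still shows up. Reading the live registry needs the standard winreg module and therefore Windows; the matching itself works on any dictionary of observed values, such as one parsed from a .reg export.

```python
import sys

# Autorun values from the analysis above (registry key -> value name -> data), unexpanded.
BIFROSE_RUN_VALUES = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run": {
        "m4b0m": r"%Temp%\n8jgk2.exe", "cnen0m": r"%Windir%\TEMP\4ikzhd.exe"},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "wuaucldt": r"%System%\wuaucldt.exe", "aaaaaaaah": r"%System%\aaaaaaaah.exe"},
    r"HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run": {
        "wuaucldt": r"%UserProfile%\wuaucldt.exe", "aaaaaaaah": r"%UserProfile%\aaaaaaaah.exe"},
}
KNOWN_FILENAMES = {"n8jgk2.exe", "4ikzhd.exe", "wuaucldt.exe", "aaaaaaaah.exe"}  # from the values above

def filename_of(data):
    """Last path component of a Run-value command, ignoring quotes and case."""
    return str(data).strip().strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()

def match_run_values(observed):
    """observed: {key_path: {value_name: data}} read from a host or a .reg export.
    Returns (key, value_name, data, reason) per suspicious entry; a known filename
    under a different value name is reported too, so a renamed value is not missed."""
    hits = []
    for key, values in observed.items():
        expected = BIFROSE_RUN_VALUES.get(key, {})
        for name, data in values.items():
            by_name, by_file = name in expected, filename_of(data) in KNOWN_FILENAMES
            reason = {(True, True): "value name and filename", (True, False): "value name",
                      (False, True): "filename"}.get((by_name, by_file))
            if reason:
                hits.append((key, name, data, reason))
    return hits

def collect_run_values():
    """Read the three Run keys from the live registry (Windows only)."""
    import winreg  # standard library module, present only on Windows
    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKU": winreg.HKEY_USERS}
    observed = {}
    for key in BIFROSE_RUN_VALUES:
        root, _, sub = key.partition("\\")
        try:
            with winreg.OpenKey(roots[root], sub) as h:
                n = winreg.QueryInfoKey(h)[1]  # number of values under the key
                observed[key] = {v[0]: v[1] for v in (winreg.EnumValue(h, i) for i in range(n))}
        except OSError:
            continue  # key absent: nothing to report for it
    return observed

if __name__ == "__main__" and sys.platform == "win32":
    for hit in match_run_values(collect_run_values()):
        print("suspicious autorun entry:", *hit)
```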

c. How to Remove these trojans Instantly?

Manual removal is a difficult process and is not recommended unless you are an expert in this field. Therefore, your best defense is to download and install a reliable anti-spyware program to scan your machine for spyware. To detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm to download Malwarebytes' Anti-Malware.


4. Appendix

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm
