Threat behavior
Backdoor:Win32/Bifrose.HM is a trojan that connects to a remote server so that an attacker can issue backdoor commands on the infected computer.
Installation
Backdoor:Win32/Bifrose.HM drops a copy of itself on the computer as the following file:
- %windir%\ime\imjp9_2\services.exe
It also creates the following file as part of its installation routine:
Backdoor:Win32/Bifrose.HM creates the following registry entry to install its copy:
In subkey: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{60118319-DCF2-4A87-5901-C86805E8CADF}
Sets value: "stubpath"
With data: "%windir%\ime\imjp9_2\services.exe s"
It also creates the following registry values as part of its installation routine:
In subkey: HKLM\SOFTWARE\Windows Data
Sets value: "nck"
With data: "íæ¹ötíú["
Sets value: "klg"
With data: "1"
Payload
Allows backdoor access and control
Backdoor:Win32/Bifrose.HM connects to the remote server "akamaitechzone.3utilities.com" to allow a remote attacker to gain backdoor access and control of the infected computer.
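The installation and payload details above translate directly into a host check. The script below is an added example, not part of the Microsoft encyclopedia entry, that looks for the dropped copy, the Active Setup StubPath persistence, the "Windows Data" values and the command-and-control hostname listed on this page; it assumes it is run elevated on the Windows host under examination.

```powershell
# Added host-check example, not taken from the Microsoft page or from any vendor tool.
# Looks for the Backdoor:Win32/Bifrose.HM artifacts described above (dropped copy,
# Active Setup StubPath persistence, the "Windows Data" values and the C2 hostname).
# Assumes it runs elevated on the Windows host being examined.
$ArtifactGuid = '{60118319-DCF2-4A87-5901-C86805E8CADF}'
$C2Host       = 'akamaitechzone.3utilities.com'
$Findings     = New-Object System.Collections.Generic.List[string]

# 1. Dropped copy under the IME directory (path taken from the page).
$DropPath = Join-Path $env:windir 'ime\imjp9_2\services.exe'
if (Test-Path -LiteralPath $DropPath) {
    $Hash = (Get-FileHash -LiteralPath $DropPath -Algorithm SHA256).Hash
    $Findings.Add("Dropped copy present: $DropPath (SHA256 $Hash)")
}

# 2./3. Registry artifacts. A 32-bit sample on 64-bit Windows writes to the
# WOW6432Node view, so both registry views are examined.
foreach ($Root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
    $AsBase = Join-Path $Root 'Microsoft\Active Setup\Installed Components'
    $AsKey  = Join-Path $AsBase $ArtifactGuid
    if (Test-Path -LiteralPath $AsKey) {
        # Registry value names are case-insensitive, so "stubpath" is read as StubPath.
        $Stub = (Get-ItemProperty -LiteralPath $AsKey).StubPath
        $Findings.Add("Active Setup persistence: $AsKey StubPath='$Stub'")
    }
    # Wider sweep: any Installed Components entry whose StubPath runs out of %windir%\ime.
    if (Test-Path -LiteralPath $AsBase) {
        Get-ChildItem -LiteralPath $AsBase | ForEach-Object {
            $Sp = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).StubPath
            if ($Sp -and $Sp -like '*\ime\*') {
                $Findings.Add("Suspicious StubPath in $($_.PSChildName): $Sp")
            }
        }
    }
    $CfgKey = Join-Path $Root 'Windows Data'
    if (Test-Path -LiteralPath $CfgKey) {
        $Props = Get-ItemProperty -LiteralPath $CfgKey
        foreach ($Name in 'nck', 'klg') {
            if ($null -ne $Props.$Name) { $Findings.Add("$CfgKey\$Name = '$($Props.$Name)'") }
        }
    }
}

# 4. Evidence of the C2 hostname in the resolver cache (Windows 8 / Server 2012 and later).
$Cached = Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $_.Entry -like "*$C2Host*" }
if ($Cached) { $Findings.Add("DNS cache holds an entry for $C2Host") }

if ($Findings.Count -eq 0) { Write-Output 'No Bifrose.HM artifacts found'; exit 0 }
$Findings | ForEach-Object { Write-Output "[!] $_" }
exit 1
```

A non-zero exit code marks the host for follow-up; the wider StubPath sweep will also surface variants that reuse the IME directory under a different GUID.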
Analysis by Daniel Radu
Prevention