-presence of an Internet Explorer process with a hidden window, visible in Task Manager

-presence of the following registry keys:

  • HKEY_CURRENT_USER\SOFTWARE\delay
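The two indicators above can be checked from the affected user's session with a read-only triage script. The following is an added example in PowerShell, not part of the BitDefender entry: it assumes a Windows host with PowerShell 3 or later, it treats an iexplore.exe process whose MainWindowHandle is 0 as having no visible top-level window (a heuristic, since a legitimate Internet Explorer session normally exposes one), and the function name Test-BifroseIndicators is an invented one.

```powershell
# Added example (not from the BitDefender write-up): read-only triage check for
# the two Backdoor.Bifrose.AAJX indicators listed in the entry. Only
# HKCU\SOFTWARE\delay and the iexplore.exe process name come from the page;
# the function name and the window heuristic are assumptions.

function Test-BifroseIndicators {
    [CmdletBinding()]
    param()

    $findings = @()

    # Indicator 1: the registry key named in the entry. The key lives under
    # HKEY_CURRENT_USER, so this must run as the user who was infected.
    $keyPath = 'HKCU:\SOFTWARE\delay'
    if (Test-Path -Path $keyPath -ErrorAction SilentlyContinue) {
        $findings += [pscustomobject]@{
            Indicator = 'RegistryKey'
            Detail    = $keyPath
        }
    }

    # Indicator 2: an Internet Explorer process with no visible main window.
    # Heuristic: .NET reports MainWindowHandle as 0 when the process has no
    # visible top-level window. A browser the user opened normally has one,
    # so a windowless iexplore.exe is worth a closer look (it may also be an
    # injection host, which matches the behaviour the entry describes).
    foreach ($proc in (Get-Process -Name iexplore -ErrorAction SilentlyContinue)) {
        if ($proc.MainWindowHandle -eq 0) {
            $findings += [pscustomobject]@{
                Indicator = 'HiddenIEProcess'
                Detail    = ('PID {0}, no visible main window' -f $proc.Id)
            }
        }
    }

    # Return the collected findings; an empty array means nothing matched.
    return $findings
}

# Report the result. @() forces an array so .Count works for 0, 1 or many hits.
$results = @(Test-BifroseIndicators)
if ($results.Count -eq 0) {
    Write-Output 'No Backdoor.Bifrose.AAJX indicators found.'
} else {
    Write-Output 'Possible Backdoor.Bifrose.AAJX indicators:'
    $results | Format-Table -AutoSize
}
```

The script only reads the registry and the process list; it neither terminates processes nor deletes keys, so a hit should be followed by a scan with the security product rather than manual cleanup, as the removal instructions below say.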

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Roxana Gherle, virus researcher

Technical Description:

Backdoor.Bifrose.AAJX is a backdoor that provides unauthorized remote access to an infected computer. It hides itself by injecting malicious code into the memory of the Internet Explorer process and then terminating its own process.

This backdoor allows the attacker to retrieve information about the compromised system, such as special folder paths, recently installed applications, keyboard layout information, and the foreground window the user is currently working in. All of this information is sent over a background Internet connection to a remote server, self-titled "Bifrost Remote Controller", which uses it to gain control over the infected computer. The server can also send commands that are executed on the computer. Examples of such commands are: init, f1, f2, eplgn, gen, gs, tor, torInit, torConnect, torRead, torWrite. The commands containing the substring "tor" might invoke functions of a previously installed application named Tor, software intended to defend against network surveillance, thereby hiding the traces of the remote addresses the backdoor connects to.

Backdoor.Bifrose.AAJX is also a keylogger: it records the keystrokes a user types on the computer's keyboard and is thereby able to steal sensitive personal information such as passwords, login names and identity details.

It attempts to evade detection by looking for security-related processes and by deleting registry entries related to firewalls and antivirus software. Among the security-related processes this backdoor searches for are: cpf.exe, umxtray.exe, kav.exe, kavsvc.exe.