Home / malwarePDF  

Backdoor.Bifrose.AAJX


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Backdoor.Bifrose.AAJX is also known as Win32/Injector.gen!Y.

Explanation :

Backdoor.Bifrose.AAJX is a backdoor that provides unauthorized remote access to an infected computer. It hides itself by injecting malicious code into the memory of Internet Explorer's process and killing its own process.

This backdoor allows the attacker to retrieve information about the compromised system, such as special folder paths, recently installed applications, keyboard layout information, foreground window on which the user is currently working etc. All this information is sent through a background Internet connection to a remote server self intitulated as "Bifrost Remote Controller" which is able to gain control over the infected computer based on this information. It is also capable of sending commands which are executed on the computer. Examples of such commands are: init, f1, f2, eplgn, gen, gs, tor, torInit, torConnect, torRead, torWrite. The last commands containing the tor substring might execute functions of a previously installed software application named Tor, useful for defending against network surveillance, and therefore hiding the traces of the remote addresses visited by the backdoor.

Backdoor.Bifrose.AAJX is also a keylogger, recording keystrokes a user types on the computer's keyboard, in this way being able to steal sensitive personal information, such as passwords, login names, identity details.

It attempts to hide from detection by looking for the existence of security related processes and deletes registry entries related with firewalls and antivirus software. Among the security related processes searched by this backdoor are: cpf.exe, umxtray.exe, kav.exe, kavsvc.exe.

Last update 21 November 2011

 

TOP