Backdoor:Win32/Bifrose.IQ
First posted on 13 May 2013.
Source: Microsoft
Aliases:
Backdoor:Win32/Bifrose.IQ is also known as Win32/Kryptik.AAHE (ESET), Backdoor.Win32.Bifrose (Ikarus), Mal/Behav-043 (Sophos), Mal_OtorunN (Trend Micro), TR/Strictor.500.1 (Avira), Worm/Win32.AutoRun (AhnLab).
Explanation:
Installation
When run, Backdoor:Win32/Bifrose.IQ drops a copy of itself with the file name cachemgr.exe, under the directory c:\setup.
Backdoor:Win32/Bifrose.IQ modifies the following registry entries to ensure that its copy runs at each Windows start:
In subkey: HKLM\Software\Microsoft\Active Setup\Installed Components\2CBE016A-8F28-4E0C-83A6-6079161294D7
Sets value: StubPath
With data: C:\setup\cachemgr.exe -ax
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: StubPath
With data: C:\setup\cachemgr.exe -as
The trojan also creates a text file named csetup.txt in the C:\setup folder. This text file records the dates on which the trojan has been run.
Payload
Performs distributed denial of service (DDoS) attacks
Backdoor:Win32/Bifrose.IQ attempts to use your computer to perform distributed denial of service (DDoS) attacks against certain IT companies.
Downloads other files (which may be malware)
When installed on your computer, Backdoor:Win32/Bifrose.IQ attempts to access and download files from secure-system-updates.net/<removed>/system/update.php. The URL is no longer available, so we are unable to confirm the nature of the downloaded files.
Additional information
Backdoor:Win32/Bifrose.IQ creates the following mutexes, possibly as an infection marker to prevent multiple instances from running on your computer:
- 2CBE016A-8F28-4E0C-83A6-6079161294D7
- Bif123
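The Installation section and the mutex list above give a defender everything needed for a host check. The following PowerShell script is an added example, not part of the Microsoft write-up: it looks for the Active Setup and Run registry entries, the two dropped files in C:\setup, and the two mutex names exactly as listed on this page. The function-free script structure, the variable names, and the decision to try both the session-local and the Global\ mutex namespace are my own assumptions; run it in an elevated session so the HKLM and mutex checks are not blocked by permissions.

```powershell
# Added host check for the Backdoor:Win32/Bifrose.IQ artifacts described above.
# Key paths, value names, file names and mutex names are taken from the write-up;
# everything else (structure, variable names) is assumed for this example.

$Findings = New-Object System.Collections.Generic.List[string]

# 1. Active Setup component GUID with a StubPath value
$activeSetupKey = 'HKLM:\Software\Microsoft\Active Setup\Installed Components\2CBE016A-8F28-4E0C-83A6-6079161294D7'
if (Test-Path -LiteralPath $activeSetupKey) {
    $stub = (Get-ItemProperty -LiteralPath $activeSetupKey -ErrorAction SilentlyContinue).StubPath
    $Findings.Add("Active Setup key present; StubPath = '$stub'")
}

# 2. Run key: the write-up names the value StubPath, but also flag any value
#    whose command line references cachemgr.exe, whatever the value is called.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runProps = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
if ($runProps) {
    if ($runProps.PSObject.Properties['StubPath']) {
        $Findings.Add("Run value 'StubPath' = '$($runProps.StubPath)'")
    }
    foreach ($p in $runProps.PSObject.Properties) {
        if (($p.Value -is [string]) -and ($p.Value -match 'cachemgr\.exe')) {
            $Findings.Add("Run value '$($p.Name)' references cachemgr.exe: $($p.Value)")
        }
    }
}

# 3. Dropped copy and the run-date log; record size and SHA-256 for triage.
foreach ($f in 'C:\setup\cachemgr.exe', 'C:\setup\csetup.txt') {
    if (Test-Path -LiteralPath $f) {
        $item = Get-Item -LiteralPath $f
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $Findings.Add("File present: $f ($($item.Length) bytes, SHA256 $hash)")
    }
}

# 4. Mutexes. OpenExisting throws WaitHandleCannotBeOpenedException when the
#    name is not in use, which is the expected result on a clean host. Check the
#    session-local name and the Global\ namespace (assumption: the write-up does
#    not say which one the sample uses).
foreach ($name in '2CBE016A-8F28-4E0C-83A6-6079161294D7', 'Bif123') {
    foreach ($candidate in $name, "Global\$name") {
        try {
            $mutex = [System.Threading.Mutex]::OpenExisting($candidate)
            $mutex.Dispose()
            $Findings.Add("Mutex '$candidate' is currently held by a running process")
        } catch [System.Threading.WaitHandleCannotBeOpenedException] {
            # Not present: nothing to report.
        } catch [System.UnauthorizedAccessException] {
            $Findings.Add("Mutex '$candidate' exists but could not be opened (access denied)")
        }
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No Backdoor:Win32/Bifrose.IQ artifacts from the write-up were found.'
} else {
    Write-Output 'Possible Backdoor:Win32/Bifrose.IQ artifacts:'
    $Findings | ForEach-Object { Write-Output "  - $_" }
}
```

The HKCU Run check only covers the user running the script; for a multi-user machine, load or enumerate the other users' hives as well. Active Setup StubPath commands run at a user's logon when that user's HKCU\Software\Microsoft\Active Setup\Installed Components key lacks a matching GUID entry, so the presence of the GUID under a user's HKCU indicates the stub has already executed in that profile.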
Analysis by Justin Kim
Last update 13 May 2013