BackDoor-CEP

Type: Trojan
SubType: Remote Access
Discovery Date: 03/28/2005
Length: Varies
Minimum DAT: 4360 (05/12/2004)
Updated DAT: 6548 (12/02/2011)
Minimum Engine: 5.1.00
Description Added: 05/12/2004
Description Modified: 06/06/2008 4:54 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low


Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Backdoor.Win32.Bifrose.a - Kaspersky
  • Bck/Bifrose.AP - Panda
  • Troj/Bckdr-CEP - Sophos
  • W32/Bifrose.A - Norman

Characteristics

-- Update June 06, 2008 --

A new variant was recently discovered to spread via email spam.

Upon execution, it drops a temp text file:

%USER_PROFILE%\Local Settings\Temp\Message

(where %USER_PROFILE% is the current user's default profile folder, for example C:\Documents and Settings\Administrator if the current user is Administrator.)

and opens it with notepad.exe.

It drops a copy of itself into the system folder:

%WinDir%\system32\ali.exe

(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)

It creates the following registry keys to hook system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{B6A807N6-42DF-4W02-93E5-B156B3FA8AL1}\StubPath: "%WinDir%\System32\ali.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*andk: "%WinDir%\System32\ali.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\andk: "%WinDir%\System32\ali.exe"

It also creates the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\bnhide: "2836|ali.exe|andk|443|x|"

It attempts to connect to a remote server to download additional malware:

hxxp://www.sex.com/[removed]

It may attempt to spread itself via email.
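As an added, defender-side example that is not part of the McAfee description: a Python script that parses a constructed .reg-style registry export and flags the autostart entries and the bnhide configuration value the June 2008 variant creates. The export text, the function names and the expanded C:\WINDOWS path are assumptions for illustration; the key paths, value names and the bnhide data are the ones listed above.

```python
import re
from typing import Dict, List
# Constructed .reg-style export with the June 2008 variant's indicators (%WinDir% expanded to C:\WINDOWS).
SAMPLE_REG_EXPORT = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{B6A807N6-42DF-4W02-93E5-B156B3FA8AL1}]
"StubPath"="C:\\WINDOWS\\System32\\ali.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*andk"="C:\\WINDOWS\\System32\\ali.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"andk"="C:\\WINDOWS\\System32\\ali.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"bnhide"="2836|ali.exe|andk|443|x|"
'''

# Autostart locations from the description; the Active Setup entry lives under a per-GUID subkey.
AUTOSTART_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
CONFIG_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
DROPPED_FILE = re.compile(r"\\system32\\ali\.exe$", re.IGNORECASE)

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the quoted (REG_SZ) values of a .reg text export into {key_path: {name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, data = line.split("=", 1)
            # .reg exports double every backslash inside quoted string data
            keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def find_backdoor_cep_indicators(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Autostart values pointing at system32\\ali.exe, plus the bnhide config value if present."""
    hits = []
    for path, values in keys.items():
        if path.startswith(AUTOSTART_KEYS):
            hits += [f"{path}\\{n} = {d}" for n, d in values.items() if DROPPED_FILE.search(d)]
    bnhide = keys.get(CONFIG_KEY, {}).get("bnhide")
    if bnhide is not None:
        hits.append(f"{CONFIG_KEY}\\bnhide = {bnhide}")
    return hits
def parse_bnhide(data: str) -> List[str]:
    """Split the pipe-delimited bnhide value (field meanings are not documented on the page)."""
    return [field for field in data.split("|") if field]
```

The benign ctfmon.exe Run entry in the sample is there to show that only values resolving to system32\ali.exe are reported; the second and third bnhide fields match the dropped file name and the Run value name listed above.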

-- Update July 14, 2006 --
There are now more than 200 known variants of this backdoor.  A recent zero-day Exploit-PPT.b trojan was found that drops a new variant of BackDoor-CEP as REGVRT.EXE.  Detection for these trojans will be included in the 4807 DAT files.

-- Update December 31, 2005 --
There are now more than 80 known variants of this backdoor in existence.  A recent Exploit-WMF mass-spamming resulted in the installation of another new variant, which is detected with the 4664 DAT files.


Backdoor-CEP is a Backdoor Trojan consisting of a server component, a server editor component and a client component.

This description is for the server component of Backdoor-CEP.

Server Component:

When the server component is executed, the Trojan drops the following files:

  • C:\Winnt\system32\Trojan.exe
    Size: 15,023 bytes

Once running, the server component connects to a predefined IP address on TCP port 2000, awaiting commands from the attacker using the client component.

Miscellaneous information:

  • A software-based firewall on the machine, if any, might not alert on the Trojan connecting to the Internet, because the Trojan uses Internet Explorer to make the connection.
  • The author's intended name for this Trojan is Bifrost.

Symptoms

  • Presence of the files mentioned above
  • Unexplained activity on the victim's machine indicative of someone having remote access via the client component

Method of Infection

  • Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial.
  • Trojans may also be received as a result of poor security practices, or on unpatched and otherwise vulnerable systems.
  • Distribution channels include IRC, peer-to-peer networks, email, newsgroup postings, etc.

Removal

-

Variants

N/A