Backdoor.Bifrose

The constant threat: viruses, trojans, spyware, ... the list goes on

Post by Muskelmann098 on Mon Feb 02, 2009 9:53 am

Hey all!
I'm new to hacking, but I hope I'll be able to learn a lot from this site. It absolutely seems like it's one of the most professional ones out there and a really good source of information for people who are willing to learn.

Anyway, my real problem is that I've been attacked by a Backdoor.Bifrose Trojan at least three times. On one of my laptops I have an anti-virus that takes care of it as soon as it starts running, but my other laptop's anti-virus doesn't find any problems. The symptoms I got on that one match the description of the Bifrose symptoms, so I'm assuming that's the little fu*ker that messed it up. So after doing a little research I'm able to track it back to some Ahole in Shanghai, China. However, knowing who fu*ked me up doesn't really help me protect myself, so if anyone has any suggestions on how this Trojan entered my computer, I'll be very grateful.

And just so you know, I'm a careful guy. I don't download random crap and I use the WOT (Web of Trust) addon for Firefox.

All help is appreciated. Thanks a lot :)
Muskelmann098
Experienced User
Posts: 78
Joined: Mon Feb 02, 2009 9:39 am


Re: Backdoor.Bifrose

Post by Andomis on Mon Feb 02, 2009 10:14 am

Information on the Trojan:

Discovered: February 27, 2006
Updated: February 13, 2007 12:51:34 PM
Type: Trojan Horse
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


When Backdoor.Bifrose.E is executed, it performs the following actions:

Copies itself as one of the following files:


C:\pligde.exe
%UserProfile%\Local Settings\pligde.exe
%UserProfile%\Local Settings\pligde.dat
%UserProfile%\Local Settings%\SysPr.prx
%System%\wmedia
%System%\wmedia.exe
%Windir%\explorer..exe
%Windir%\plugin1.dat

Note:
%UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
%System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).


Adds the value:

"stubpath" = "[PATH TO TROJAN]\pligde.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components
\{A5CDF7EC-751B-46aa-AD69-4005FE080DE8}

so that it runs every time Windows starts.

Note: The [PATH TO TROJAN] variable corresponds to one of the two paths where the copy of the Trojan was dropped.


Adds the value:

"StubPath" = "[PATH TO TROJAN]\wmedia.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components
\{0002BB0C-D318-FD27-0505-050505040105}

so that it runs every time Windows starts.


Adds the value:

"stubpath" = "[PATH TO TROJAN]\explorer..exe s"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components
\{9B71D88C-C598-4935-C5D1-43AA4DB90836}

so that it runs every time Windows starts.


Adds the value:

"StartKey" = "[PATH TO TROJAN]\pligde.exe"
"MSN Messenger" = "[PATH TO TROJAN]\explorer..exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.


Hides its presence on the compromised computer by creating a new Internet Explorer instance and injecting itself into this process. All of the subsequent actions the Trojan performs will appear to be performed by this process.


Creates the following registry subkeys in order to store information:

HKEY_CURRENT_USER\SOFTWARE\SKav
HKEY_LOCAL_MACHINE\SOFTWARE\SKav
HKEY_LOCAL_MACHINE\SOFTWARE\Wget
HKEY_CURRENT_USER\Software\Wget


Opens a back door on the compromised computer by using Internet Explorer to connect to the following server on TCP port 1863:

210.71.186.43

This allows a remote attacker to send and execute shell commands, which enable the attacker to perform various unauthorized actions on the compromised computer.


Periodically attempts to access the following Web site:

taipei2002.9966.org


Steals the keys or serial numbers of the following games, if they are installed on the compromised computer:


Hidden & Dangerous 2
Chrome
NOX
Command and Conquer: Red Alert 2
Command and Conquer: Red Alert
Command and Conquer: Tiberian Sun
Rainbow Six III RavenShield
Nascar Racing 2003
Nascar Racing 2002
NHL 2003
NHL 2002
FIFA 2003
FIFA 2002
Shogun: Total War: Warlord Edition
Need For Speed: Underground
Need For Speed Hot Pursuit 2
Medal of Honor: Allied Assault: Spearhead
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault
Global Operations
Command and Conquer: Generals
James Bond 007: Nightfire
Command & Conquer: Generals Zero Hour
Black and White
Battlefield Vietnam
Battlefield 1942: Secret Weapons of WWII
Battlefield 1942: Road To Rome
Battlefield 1942
Freedom Force
IGI 2: Covert Strike
Unreal Tournament 2004
Unreal Tournament 2003
Soldiers Of Anarchy
Legends of Might and Magic
Industry Giant 2
Half-Life
Gunman Chronicles
The Gladiators
Counter-Strike (Retail version)


Logs keystrokes, and may steal the following sensitive information:


ICQ user and password
Protected Storage passwords
cached passwords
visited URLs


Stores any information it gathers or steals in the following file:

%UserProfile%\Local Settings%\SysPr.prx

The Trojan is able to send this information to a remote server.


Removal:

http://www.symantec.com/security_response/writeup.jsp?docid=2006-022716-2959-99&tabid=3 **Highly Safe link**

(**Sources: symantec.com**)

As for it getting on your computer, it could be packaged in any programs you have downloaded. Your computers could have been infected by another virus that spreads on its own and downloads this as a bit-download (background download, like Windows updates). Your network might be infected or compromised. I would suggest resetting your routers and re-setting them up with new passwords (stronger possibly), then remove the trojan from the infected machines. Do the removal on both, even if it doesn't appear on the other- it might be carrying it.

Got to run to class, but let me know if you need more help.

Alive,
Andomis
"I'm choking on that four letter word, it sticks in my throat as i read the words YOU wrote..."
Andomis
Experienced User
Posts: 75
Joined: Thu Oct 23, 2008 8:50 pm
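As an added defender-side example (not from the post or from Symantec's writeup), here is a Python script that scans a text .reg export for the persistence entries listed above: StubPath values under Active Setup\Installed Components and Run entries that point at the dropped file names, plus the SKav/Wget storage subkeys. The sample export, including its two benign entries, is constructed for the demonstration.

```python
import re

# Constructed .reg-style sample (not a real capture): the Bifrose persistence
# entries from the writeup plus two made-up benign entries to show non-matches.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A5CDF7EC-751B-46aa-AD69-4005FE080DE8}]
"stubpath"="C:\\pligde.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000000}]
"StubPath"="C:\\Windows\\System32\\regsvr32.exe /s /n /i:U shell32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSN Messenger"="C:\\Windows\\explorer..exe"
"AVG_TRAY"="C:\\Program Files\\AVG\\avgtray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\SKav]
"""

# File names the writeup says the Trojan drops. "explorer..exe" (double dot)
# is the giveaway: the real explorer.exe never carries that name.
DROP_RE = re.compile(r"(?:^|\\)(pligde\.exe|wmedia\.exe|wmedia|explorer\.\.exe)(?=\s|$)", re.I)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
ACTIVE_SETUP = "\\microsoft\\active setup\\installed components\\"
RUN_KEY = "\\microsoft\\windows\\currentversion\\run"
STORAGE_KEYS = {"hkey_current_user\\software\\skav", "hkey_local_machine\\software\\skav",
                "hkey_local_machine\\software\\wget", "hkey_current_user\\software\\wget"}


def scan_reg_export(text):
    """Return (kind, key, value) tuples for entries matching the Bifrose writeup."""
    findings, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.lower() in STORAGE_KEYS:
                findings.append(("storage-key", key, ""))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        # .reg files double every backslash inside string data; undo that first.
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        k = key.lower()
        if ACTIVE_SETUP in k and name.lower() == "stubpath" and DROP_RE.search(data):
            findings.append(("active-setup", key, f"{name}={data}"))
        elif k.endswith(RUN_KEY) and DROP_RE.search(data):
            findings.append(("run-key", key, f"{name}={data}"))
    return findings
```

A real export comes from `reg export HKLM\SOFTWARE out.reg` and is UTF-16 text, so read it with `open(path, encoding="utf-16")` before passing it to `scan_reg_export`.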


Re: Backdoor.Bifrose

Post by Muskelmann098 on Mon Feb 02, 2009 11:48 am

Thanks for your help Andomis. About getting it off my computer, the one that has the Anti-virus (AVG FREE) locks it up in the virus vault immediately when the Trojan activates, however the one without AVG (but with an old Norman anti-virus) did have some serious start-up issues yesterday. I finally got it back up after restarting in safe mode. It came up with some error messages when it was loading, but after that it worked. Do you think this means I got rid of it?

Also, I do not have any password security on the wireless network (I know it's stupid, but I do regular scans to see who is using the router and I've never seen anyone who I don't know.) Anyway, do you think that the virus is traveling inside the network and maybe infecting any computers I connect? If so, what should I do to kick it out?


Re: Backdoor.Bifrose

Post by Andomis on Tue Feb 03, 2009 9:40 am

You need to password protect your network, reset the routers- put new passwords, add mac address filtering if you like.

Get better antivirus/antispyware.
I would suggest downloading:
Spybot-search and destroy (antispyware)
Ad-aware antivirus (antivirus with some antispyware)
AVG Antivirus and Antispyware (antivirus/spyware)
A form of Symantec if possible (trojan remover/antivirus)

Be sure to run windows updates first, and turn off system restore (turn back on after all scans and stuff have been done).

Get the latest virus definitions for each software and run them all as administrators in safemode. Run each until no viruses show up. If any remain- find how to manually remove them (like shown in my last post).

Reload your machines if you are unable to properly remove the trojan, and probably other trojans. You might have had a trojan bomb (download 1 trojan, and it downloads like 20 others off it).

Ask for help if you need it.

Alive,
Andomis


Re: Backdoor.Bifrose

Post by Muskelmann098 on Tue Feb 03, 2009 11:46 am

Thanks a lot! You've helped me a great deal.


Re: Backdoor.Bifrose

Post by xcurious on Tue Feb 03, 2009 9:02 pm

get yourself a cracked copy of nod32

disclaimer: for education purposes only
- Apologies to all who I have flamed in the past. Thanks mods for unbanning me.


ckw100 wrote:so i have been pacticeing my batch file hacking for networks
xcurious
Experienced User
Posts: 79
Joined: Sun Sep 21, 2008 3:49 pm


Re: Backdoor.Bifrose

Post by Muskelmann098 on Wed Feb 04, 2009 10:23 am

I've heard a lot of good stuff about NOD, but as long as AVG detects all the bad stuff, I'm happy. In addition to AVG I use Spybot Search and Destroy, so I'm guessing they make a pretty good team together.

Thanks for looking into it anyway ;)


Re: Backdoor.Bifrose

Post by xcurious on Thu Feb 05, 2009 5:24 pm

I use Spybot Search and Destroy

that is complete shit, just so you know.


Re: Backdoor.Bifrose

Post by Andomis on Mon Feb 09, 2009 8:21 pm

xcurious wrote:
I use Spybot Search and Destroy
that is complete shit, just so you know.


Funny comment... it is actually quite good, try it first, then come say that- it has a decently large spyware definition and gets updated almost weekly. Plus it has a very good turn around removal rate- it almost never fails to remove what it finds the first time- just be sure as a vista user to run it as administrator, and obviously in safe mode for any win.x.


Re: Backdoor.Bifrose

Post by xcurious on Fri Feb 13, 2009 7:01 pm

try it first,

I have
then come say that

it is complete shit.