Troj/Bifrose-KP is a backdoor Trojan for the Windows platform.
Troj/Bifrose-KP includes functionality to access the internet and communicate with a remote server via HTTP.
Troj/Bifrose-KP injects its code into Iexplorer.exe, in order to hide from the user and bypass some security applications.
When Troj/Bifrose-KP is installed it moves itself to <Windows system folder>\mysql.exe and creates the following files:
<Windows system folder>\drivers\oreans32.sys
<Windows system folder>\plugin1.dat
<Windows system folder>\SysPr.prx
where oreans32.sys is a component of a legitimate executable file protection system and is not itself malicious; plugin1.dat and SysPr.prx are data files created with the hidden file attribute.
The file oreans32.sys is registered as a new system driver service named "oreans32", with a display name of "oreans32". Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\
The following registry entries are created (value name, then the data it is set to):
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\(9B71D88C-C598-4935-C5D1-43AA4DB90836)\stubpath
    <Windows system folder>\mysql.exe s
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mysql
    <Windows system folder>\mysql.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\mysql
    <Windows system folder>\mysql.exe
Registry entries are created under:
HKCU\Software\Wget\klg
HKCU\Software\Wget\plg1
HKLM\SOFTWARE\Wget\nck
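The following host triage script is an added example and is not part of the advisory or any vendor tool. It checks a Windows machine for the artifacts listed above: the dropped files, the oreans32 driver service, the two Run values, the Active Setup stub and the Wget configuration keys. It assumes <Windows system folder> is $env:SystemRoot\System32, and it matches the Active Setup component on the GUID text alone because the advisory writes the key with parentheses while Active Setup keys are normally written with braces. Run it from an elevated PowerShell prompt.

```powershell
# Added triage script for the Troj/Bifrose-KP artifacts described above.
# Assumption: <Windows system folder> = $env:SystemRoot\System32.
$sys = Join-Path $env:SystemRoot 'System32'
$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Dropped files. plugin1.dat and SysPr.prx are expected to carry the Hidden attribute,
#    so -Force is needed for Get-Item to return them.
foreach ($rel in 'mysql.exe', 'drivers\oreans32.sys', 'plugin1.dat', 'SysPr.prx') {
    $p = Join-Path $sys $rel
    if (Test-Path -LiteralPath $p) {
        $item   = Get-Item -LiteralPath $p -Force
        $hidden = ($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
        $findings.Add(('file present: {0} (hidden={1}, size={2})' -f $p, $hidden, $item.Length))
    }
}

# 2. The oreans32 driver service. The driver itself is a legitimate protection
#    component, so this is only a weak indicator unless the other artifacts are present too.
#    Get-Service does not list kernel drivers, so query Win32_SystemDriver and the service key.
if (Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='oreans32'" -ErrorAction SilentlyContinue) {
    $findings.Add('driver service loaded/registered: oreans32')
}
if (Test-Path -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services\oreans32') {
    $findings.Add('service key present: HKLM\SYSTEM\CurrentControlSet\Services\oreans32')
}

# 3. Persistence: a Run value named "mysql" in HKLM and in HKCU.
foreach ($hive in 'HKLM', 'HKCU') {
    $run = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $v = Get-ItemProperty -LiteralPath $run -Name 'mysql' -ErrorAction SilentlyContinue
    if ($v) { $findings.Add(('Run value: {0}\mysql = {1}' -f $run, $v.mysql)) }
}

# 4. Active Setup stub. Match on the GUID text so either bracket style is found.
$asRoot = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
Get-ChildItem -LiteralPath $asRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like '*9B71D88C-C598-4935-C5D1-43AA4DB90836*' } |
    ForEach-Object {
        $stub = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).StubPath
        $findings.Add(('Active Setup component {0}, StubPath = {1}' -f $_.PSChildName, $stub))
    }

# 5. Configuration keys the backdoor creates under Software\Wget.
foreach ($k in 'HKCU:\Software\Wget\klg', 'HKCU:\Software\Wget\plg1', 'HKLM:\SOFTWARE\Wget\nck') {
    if (Test-Path -LiteralPath $k) { $findings.Add("registry key present: $k") }
}

# 6. Report. Any Run/Active Setup/Wget hit is a strong signal; the driver alone is not.
if ($findings.Count -eq 0) {
    'No Troj/Bifrose-KP artifacts found.'
} else {
    "Findings ($($findings.Count)):"
    $findings | ForEach-Object { " - $_" }
}
```

The script only reads; it does not delete or stop anything, so the output can be used as an evidence record before remediation. If the Run values or the Wget keys are present, treat mysql.exe as the sample to collect, and expect the injected code to live inside an Internet Explorer process rather than in mysql.exe itself.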