Troj/Bifrose-ZI belongs to the Bifrost family of backdoor Trojans. Once installed, Troj/Bifrose-ZI will install a server on a randomly assigned port awaiting commands from a remote intruder.
With access to the infected computer, the remote intruder can proceed to perform a variety of malicious activities.
These include:
- Downloading files/code from the internet
- Harvesting information from the infected computer
- Using the infected computer as part of a zombie botnet network
- Using the infected computer to spread malware to other computers
In this instance, Troj/Bifrose-ZI was compiled using the Visual Basic compiler. Troj/Bifrose-ZI also includes common encryption and obfuscation techniques in a futile attempt to hide the code from security analysts.
When run, Troj/Bifrose-ZI copies itself to <System>\Bifrost\server.exe and sets the following registry entry:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836}
server.exe
<System>\Bifrost\server.exe
Installing under this Active Setup registry entry allows the Trojan to start automatically every time Windows starts up.
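A defender-side triage script for the persistence mechanism described above, added here as an example and not part of the SophosLabs analysis. It assumes the value Active Setup executes under each component is the standard StubPath (the analysis gives the key and the path but not the value name) and flags entries that point at the Bifrost drop location or at a binary that is unsigned or missing from disk.

```powershell
# Added example (not from the SophosLabs analysis): read-only triage of
# Active Setup components, the autostart location used by Troj/Bifrose-ZI.
function Get-SuspiciousActiveSetup {
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'
    )
    # Drop location named in the analysis above: <System>\Bifrost\server.exe
    $bifrostPattern = '\\Bifrost\\server\.exe$'

    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $props = Get-ItemProperty -LiteralPath $key.PSPath
            # Assumption: StubPath is the value Active Setup runs at logon
            $stub  = [string]$props.StubPath
            if ([string]::IsNullOrWhiteSpace($stub)) { continue }

            # Isolate the executable from quotes/arguments, expand %SystemRoot% etc.
            if ($stub -match '^"([^"]+)"')        { $exe = $Matches[1] }
            elseif ($stub -match '^(.+?\.exe)\b') { $exe = $Matches[1] }
            else                                  { $exe = $stub }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)

            $reasons = @()
            if ($exe -match $bifrostPattern) { $reasons += 'Bifrost drop path' }
            if (Test-Path -LiteralPath $exe) {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                if ($sig.Status -ne 'Valid') {
                    $reasons += "unsigned or invalid signature ($($sig.Status))"
                }
            } else {
                $reasons += 'target missing on disk'
            }

            if ($reasons.Count -gt 0) {
                [PSCustomObject]@{
                    Component = $key.PSChildName      # the {GUID} subkey
                    Default   = $props.'(default)'    # component display name
                    StubPath  = $stub
                    Reasons   = ($reasons -join '; ')
                }
            }
        }
    }
}

Get-SuspiciousActiveSetup | Format-Table -AutoSize
```

Legitimate Windows components also live under this key, so treat the signature and missing-file checks as triage leads rather than verdicts; the Bifrost path match is the one indicator taken directly from the analysis.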
Troj/Bifrose-ZI was first detected by SophosLabs analysts manifesting itself on a download website purporting to be a free HTML editor.