Virus: BDS/Improg.2
Date discovered: 03/01/2006
Type: Backdoor Server
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 39.423 Bytes
MD5 checksum: 886f3af525142488e4ad06a812755af5
VDF version: 6.29.00.9

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Mcafee: BackDoor-CEP
   •  Kaspersky: Backdoor.Win32.Bifrose.kt
   •  TrendMicro: BKDR_BIFROSE.CI

Files
It copies itself to the following location:
   • %SYSDIR%\nerodll.exe

Registry
The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Active Setup\Installed COmPonents\
   {8B75D81C-C498-4935-C5D1-43AA4DB90836}]
   • stubpath = %SYSDIR%\nerodll.exe s



The following registry keys are added:

– [HKLM\SOFTWARE\Wget]
   • nck=hex:93,4e,16,04,67,03,2d,60,b4,3c,2a,5e,33,34,72,00,a3,78,26,35,57,32,2d,60,b4,3c,2a,5e,33,34,72,00

– [HKCU\SOFTWARE\Wget]
   • klg = hex:00

Backdoor
Contact server:
   • flashflashmx.3322.org

As a result, remote control capability is provided.

Injection
It injects itself into a process.

   A process registered under the following registry key:
   • [HKLM\SOFTWARE\Classes\HTTP\shell\open\Command]

   If the injection fails, the malware continues running as its own process.

File details
Programming language:
The malware program was written in MS Visual C++.

Description inserted by Andrei Gherman on Tuesday, January 3, 2006
Description updated by Andrei Gherman on Monday, February 20, 2006
