Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:BDS/Bifrose.dxus
Date discovered:21/06/2011
Type:Backdoor Server
In the wild:No
Reported Infections:Low
Distribution Potential:Low to medium
Damage Potential:Medium
Static file:Yes
File size:154.124 Bytes
MD5 checksum:32BCC9CA9A4889C6D583F53F3B5F67D5
VDF version:7.11.10.42 - Tuesday, June 21, 2011
IVDF version:7.11.10.42 - Tuesday, June 21, 2011

 General Method of propagation:
   • Autorun feature


Aliases:
   •  Symantec: W32.IRCBot.NG
   •  Kaspersky: Backdoor.Win32.Bifrose.dxus
   •  Microsoft: Worm:Win32/Dorkbot.A


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7


Side effects:
   • Drops files
   • Lowers security settings
   • Registry modification

 Files It copies itself to the following location:
   • C:\Documents and Settings\%current username%\Application Data\%random character string%.exe



It deletes the initially executed copy of itself.

 Registry The following registry key is continuously in an infinite loop added in order to run the process after reboot.

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "%random character string%"="C:\Documents and Settings\%current username%\Application Data\%random character string%.exe"

 IRC To deliver system information and to provide remote control it connects to the following IRC Servers:

Server: **********smynew2.info
Port: 1863
Channel: %random character string%

Server: **********smynew.info
Port: 1863
Channel: %random character string%



– This malware has the ability to collect and send information such as:
    • Username
    • Information about the Windows operating system


– Furthermore it has the ability to perform actions such as:
    • connect to IRC server
    • disconnect from IRC server
    • Join IRC channel
    • Leave IRC channel
    • Start spreading routine

 Process termination Processes with one of the following strings are terminated:
   • APVXDWIN.EXE; AVENGINE.EXE; AVGNT; AVGUARD; AVGUARD.EXE; AVP.EXE;
      F-PROT95; FAMEH32; FSGK32; FSMA32; ISSVC; KAVPF; MCAGENT; MCUPDATE;
      NOD32; PAVFNSVR; PAVSRV; PCTAV; PSIMSVC; VRMONNT; VSSERV


 Backdoor The following port is opened:
on TCP port 445 As a result it may send information and remote control could be provided.

 Miscellaneous Accesses internet resources:
   • api.wipmania.com


Anti debugging
It checks for running programs that contain one of the following strings:
   • FILEMON
   • FSAUA
   • OLLYDBG
   • REGMON


 File details Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Andrei Ilie on Thursday, October 6, 2011
Description updated by Andrei Ilie on Monday, October 10, 2011

Back . . . .