BiFrost
Malware - Viruses

An updated version of this article is available at this link.

Bifrost is a family of backdoor trojan horses with more than 10 variants that can infect Windows 95 through Vista. Bifrost uses the typical server, server builder, and client configuration of a backdoor program: the server runs on the compromised machine (its behaviour is set by the server builder/editor), and a remote attacker who uses the client can execute arbitrary code on that machine. The visible indication of infection is a folder named Bifrost on the infected computer.

Variation1) see the ThreatExpert report

 Aliases: SecurityRisk.Downldr [Symantec]
          Trojan.Win32.Midgare.mqa [Kaspersky Lab]
          Mal/HckPk-A [Sophos]
          Virus.Win32.Crypt.CIK [Ikarus]

Variation2) see the ThreatExpert report
 Capable of terminating antivirus, firewall and other security-related processes.
 Aliases: Constructor.Win32.Bifrose.j [Kaspersky Lab]
          Backdoor:Win32/Bifrose.gen!B [Microsoft]
          Virus.Win32.Bifrose [Ikarus]

Variation3) see the ThreatExpert report
 Aliases: BackDoor-CEP.svr [McAfee]
          Virus.Win32.Poison [Ikarus]

Preparation

Find and keep the Windows operating system disk ready, if you received one with your computer. Otherwise check whether there is a restore partition on your hard disk; in that case you will not need a separate disk. It is advisable to have a working antivirus application on your computer. You will also need to install CCleaner and a firewall application; you can choose one of the firewall applications listed at the end of this article.

Turn System Restore Off/On

Turn System Restore off: this is necessary in order to remove virus files that may be stored inside the System Restore backup files. You can turn it back on after the computer has been cleaned.

In XP: Start > All Programs > Accessories > System Tools > System Restore > System Restore Settings, uncheck the box that says "Turn System Restore off", press Apply, press OK.

In Vista: type system in the search box, select the System option, and click on the System Protection tab. Uncheck System Restore for the C drive, press Apply, press OK (it will warn you that you are turning System Protection off; press that button to confirm).

Removing the process from Task Manager

Press Ctrl+Shift+Esc to open Task Manager. Look in the list of processes for a process named server.exe. Select it and press the End Process button. It will prompt you; press Yes, then close Task Manager. If you use a freeware tool called "Zenturi Program Checker", you may be able to see the path of each process in the Task Manager, and with the list of malware files given in this article you can tell the malware processes apart from genuine Windows processes.

Using System Configuration Utility

The System Configuration Utility can be started in XP and in Vista by typing msconfig in the Run box. In XP the Run box is opened by clicking on Start > Run.

After the System Configuration Utility window opens, click on the Startup tab, which lists all the programs scheduled to start when you turn your computer on. Widen the middle column with the mouse pointer so that you can see each program's path on the hard disk; that gives you a clear idea of what each program is. Locate and uncheck any entry for "C:\Program Files\Bifrost\server.exe", "C:\Windows\Bifrost\server.exe", or any of the malware files listed in this article. This step is very important: the further cleaning depends on cleaning this list.

Press Apply, press Close/OK, and at the next prompt select "Restart the computer".

Searching and Deleting the Folders / Files on the Hard Disk

After restarting the computer, use the Windows search utility to search for Bifrost. This search will find all of its folders on the hard disk; delete them. You may find the folder in more than one location; delete all instances. There are some more files besides this directory. You may need to enable viewing of hidden files and folders if you cannot see the folders listed below: in XP, Control Panel > Folder Options > View, locate "Hidden files and folders", select "View hidden files and folders", press Apply, press OK. Delete these files only from the locations below, because there are Windows system files with the same names.

Variation1)
Created the following folder (delete it)
C:\Program Files\Bifrost\

Variation2)
C:\Windows\System32\Computers

Variation3)
C:\Windows\Bifrost

Manually Editing the Registry

You can edit the registry using the Windows built-in Registry Editor. Click on Start > Run to open the Run box in XP, whereas in Vista the box is already open. Type regedit and press Enter or OK; that will open the Registry Editor. Now click on Edit > Find. You can use this box to find a particular registry key or value. To do that, copy the last part of the registry key (if it is inside curly braces {}, the part after the last \ backslash) and paste it into this box, or type the name of the malware in the box, and press "Find Next". When the search stops, you will either see a message saying "Finished searching through the registry" or it will stop at the key it found. The found item is displayed highlighted in blue. You can delete the entire key, that is, the entry in the left-hand panel, once you have confirmed that this key belongs to the malware by looking at the entire key, comparing it with the ones listed here, and looking at the values it has created in the right-hand panel. If you are not sure whether you want to remove the key, you can remove the values in the right-hand panel instead; that will also cripple the functioning of the malware. To delete a key or value, first select it with the mouse pointer, then right-click on it, select Delete from the menu, and answer Yes to the confirmation alert. Alternatively, press the Delete key on the keyboard to delete the selected entry. You can also use the names of the files and folders created by the malware to search for their associated keys in the registry.

Once you have deleted an entry, press the F3 key to search for the next occurrence of the entry, and repeat until you reach the end of the registry. Then copy the second registry key or filename and repeat the above procedure. This is a tedious process that takes time and effort, but there is no better way to make sure the malware is out of your computer.

These registry entries may be found on an infected computer. Delete them if found.

Variation1)

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}
    HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo
    HKEY_CURRENT_USER\Software\Bifrost

Variation2)

    HKEY_CURRENT_USER\Software\BIFROST1.2

Variation3)

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836}
    HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo
    HKEY_CURRENT_USER\Software\Bifrost

 

It is important to remove these keys manually, as they may not be removed automatically by CCleaner.

Using CCleaner

Install CCleaner: CCleaner is a freeware temporary-file and registry cleaner. We need this type of software because almost all infections that arrive through the internet come through the temp files, and unfortunately Windows does not remove temp files automatically. The best way to manage this is to install CCleaner (from ccleaner.com or from one of the download links provided on their site, such as filehippo.com) and set it to run automatically at Windows startup:
(Options > Settings > Run CCleaner when the computer starts)
Add the Recycle Bin:
Cleaner > Advanced > check the box "Custom files and folders"
Options > Include > Add Folder
Browse and select C:\RECYCLER or C:\RECYCLED in XP, or C:\$Recycle Bin in Vista.

(Adding the Recycle Bin to CCleaner helps a great deal: it automatically removes the files from the Recycle Bin. This is necessary for your protection, because the latest security threats put virus files inside the Recycle Bin, which are executed when the computer restarts.)

Run both the Cleaner and the Registry menus in CCleaner. Note that the automatic run of CCleaner runs only one of its menus, the Cleaner. You also need to run the second menu, called Registry, once in a while, particularly when you are trying to remove a virus from your computer.

Using the Antivirus Application

Follow this step if, even after applying all the above steps, the virus still shows its presence on the computer. Your best helper is the antivirus program on your computer. Always keep it updated. Install another freeware application if your antivirus has expired or is not up to your expectations. You can keep the antivirus on your computer and also install another one; I will tell you how. I have been successfully using the Avast Home Edition antivirus to remove most infections. Here is what you need to do. Open the System Configuration Utility: click on Start > Run, type msconfig, press OK, select the Startup tab, expand the middle column, locate the entry of your antivirus application and uncheck it, press Apply, press OK/Close, and exit without restarting. Now download and install Avast Antivirus Home Edition from the Avast website. Keep your computer connected to the internet so that it can update itself during installation. Run the installer and select the option "Schedule a boot scan during startup"; it will then prompt you to restart the computer. During the boot scan it will detect the viruses and prompt you for action; select Delete/Delete All as you see appropriate. Let it complete the scan and start your computer.

Once the viruses are removed you can uninstall Avast if you decide to stick with your own antivirus. In that case, go to the Startup tab, check the box of your antivirus in the list, press Apply, press OK/Close and restart the computer.
If you decide to keep both Avast and your antivirus, keep only one entry checked in the startup list, so that only one antivirus is active at any given time. You can use the other antivirus whenever you want, simply by turning off the running one and then opening the other. As long as you run one antivirus at a time, you can have as many antivirus programs on your computer as you want.
If you decide to use Avast alone, you can uninstall your antivirus application. If it was a demo version, or a commercial version that no longer updates because you have not paid the yearly subscription, it is better to uninstall it.

If you decide to keep Avast Home Edition, do not forget to fill in the registration form on their website, on the same page where you downloaded it. You need to fill in your email address, and Avast will mail you the product activation key. The activation lasts for one year and can be renewed for free. I have been using it for more than a year now, and it has been good so far.

Using the System File Checker (optional)

Follow this step if you notice trouble in the normal functioning of Windows.
Click on Start > Run, type cmd, press OK. That should open the command prompt.
Now type sfc /scannow and press Enter. If you do not have a restore partition, it will prompt you to insert the Windows installation/operating system disk; you need to use only the disk that came with your computer or the one you used to install Windows on your computer, since other disks will be rejected. Also, if you have installed SP3 on XP, you will see that several files are reported missing; in that case press Ignore each time you get a "file missing" prompt.

This utility checks and replaces damaged, altered or missing system files. It is a necessary step.

If you are unable to access one or more sites during the repair process

- If possible, use another computer to download the software needed for repairing your computer, then copy it to the infected computer using any available means, such as a pen drive.
- If you are using only Internet Explorer and it is blocked from visiting some of the security-related sites, try to download and install the Firefox browser and see whether you can use it for the same purpose.

Blocking connections in the firewall

Variation2) It attempts to connect to the remote host "imsystem.homeftp.net" on port 81. Block it in the firewall.
Variation3) It attempts to connect to the remote host "sweetkhd.no-ip.biz" on port 81. Block it.
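As an added example (not code from the original article or from ThreatExpert), the following PowerShell script audits a machine for the indicators named in the Task Manager, msconfig, folder, registry and firewall sections above, reporting what it finds without deleting anything. It assumes Windows PowerShell 2.0 or later (available for XP and Vista) run from an elevated prompt.

```powershell
# Added example, not from the original article: a read-only audit that reports
# whether the Bifrost indicators listed in this article are present. It deletes
# nothing. Assumes Windows PowerShell 2.0 or later, run from an elevated prompt.
$paths = @(                                   # folders and files named above
    'C:\Program Files\Bifrost', 'C:\Program Files\Bifrost\server.exe',
    'C:\Windows\Bifrost',       'C:\Windows\Bifrost\server.exe',
    'C:\Windows\System32\Computers'
)
# Registry keys named above (Active Setup GUIDs copied as the article gives them).
# MediaResources\msvideo also exists on clean installs, so it is not checked here.
$keys = @(
    'HKLM:\SOFTWARE\Bifrost', 'HKCU:\Software\Bifrost', 'HKCU:\Software\BIFROST1.2',
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}',
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836}'
)
$findings = @()
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "File/folder present: $p" }
}
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
}
# A running server.exe and its image path (the Task Manager step).
$findings += @(Get-WmiObject Win32_Process -Filter "Name = 'server.exe'" |
    ForEach-Object { "Process running: PID $($_.ProcessId) path=$($_.ExecutablePath)" })
# Run-key startup entries whose command points at a Bifrost path (the msconfig step).
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($rk in $runKeys) {
    if (-not (Test-Path $rk)) { continue }
    $findings += @((Get-ItemProperty $rk).PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -match 'Bifrost' } |
        ForEach-Object { "Startup entry: $rk\$($_.Name) = $($_.Value)" })
}
# Connections involving port 81, the port named in the firewall section.
$findings += @(netstat -ano | Select-String '\S+:81\s' |
    ForEach-Object { "Connection on port 81: $($_.Line.Trim())" })
if ($findings.Count -eq 0) { 'No Bifrost indicators from the article were found.' }
else { $findings }
```

Run it before and after the manual steps to confirm the removal; the paths and keys it checks are only the ones this article lists, not a complete signature for every Bifrost variant.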

(Reference with permission from ThreatExpert)
