
A new virus collects serial numbers for gaming software

The main purpose of the Bifrose.E Trojan is to open a backdoor on infected systems and leak confidential data to attackers through it.

The Bifrose.E Trojan can obtain confidential data in several ways. Primarily it uses its keyboard-monitoring component to collect as much data as possible about infected systems, and it forwards the information it gathers to the attackers in a predetermined manner. In addition, it opens a backdoor that gives the attackers unauthorized remote access to infected systems. The Trojan also tries to find serial numbers for a predefined set of games. To hide its own processes, Bifrose.E infects Internet Explorer.

When Bifrose.E starts, it performs the following actions:

1. Copies itself to the following locations:
%UserProfile%\Local Settings\pligde.exe
C:\pligde.exe

2. Adds the following value to the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A5CDF7EC-751B-46aa-AD69-4005FE080DE8}:
“stubpath” = “[path to the trojan]\pligde.exe”.

3. Adds the following value to the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
“StartKey” = “[path to the trojan]\pligde.exe”.

4. Attempts to infect Internet Explorer processes. If this succeeds, the Trojan is not visible in Windows Task Manager.

5. Creates the following registry keys:
HKEY_CURRENT_USER\SOFTWARE\SKav
HKEY_LOCAL_MACHINE\SOFTWARE\SKav

6. Opens a backdoor on TCP port 1863 through which attackers can run various commands.

7. At regular intervals, tries to connect to the following host:
taipei2002.9966.org

8. Tries to obtain serial numbers for various games:

9. Continuously logs keystrokes and stores the collected information in the following file:
%UserProfile%\Local Settings\SysPr.prx
It then sends this file to a remote server.
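As a defender-side illustration added here (not part of the original description), the following Python flags the persistence and network indicators listed above in a registry export and a connection snapshot; the sample .reg text and connection tuples are constructed, and the indicator constants are the values from the steps above.

```python
# Indicators taken from the Bifrose.E description above; the sample data below is constructed.
DROPPED_FILE = "pligde.exe"
ACTIVE_SETUP_CLSID = "{a5cdf7ec-751b-46aa-ad69-4005fe080de8}"
SKAV_KEYS = {r"hkey_current_user\software\skav", r"hkey_local_machine\software\skav"}
C2_HOST = "taipei2002.9966.org"
BACKDOOR_PORT = 1863  # caveat: also the legacy MSN Messenger port, so check the owning process

def scan_reg_export(text):
    """Walk a .reg export; return (indicator, key, line) for each Bifrose.E artifact."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.lower() in SKAV_KEYS:
                findings.append(("SKav marker key", key, line))
            continue
        if key is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name, klow, vlow = name.strip().strip('"').lower(), key.lower(), value.lower()
        if klow.endswith(ACTIVE_SETUP_CLSID) and name == "stubpath" and DROPPED_FILE in vlow:
            findings.append(("Active Setup StubPath -> pligde.exe", key, line))
        elif klow.endswith(r"\currentversion\run") and name == "startkey" and DROPPED_FILE in vlow:
            findings.append(("Run key StartKey -> pligde.exe", key, line))
    return findings

def scan_connections(conns):
    """conns: (state, remote_host, local_port) tuples, e.g. from a parsed netstat snapshot."""
    hits = []
    for state, host, port in conns:
        if state == "ESTABLISHED" and host.lower() == C2_HOST:
            hits.append(("session to Bifrose.E host", host, port))
        elif state == "LISTENING" and port == BACKDOOR_PORT:
            hits.append(("listener on backdoor port", host, port))
    return hits

# Constructed sample: one benign Run entry beside the artifacts the description lists.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"StartKey"="C:\\pligde.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A5CDF7EC-751B-46aa-AD69-4005FE080DE8}]
"StubPath"="C:\\Documents and Settings\\user\\Local Settings\\pligde.exe"
[HKEY_CURRENT_USER\SOFTWARE\SKav]'''
SAMPLE_CONNS = [("ESTABLISHED", "taipei2002.9966.org", 1057), ("LISTENING", "0.0.0.0", 1863),
                ("ESTABLISHED", "update.example.net", 443)]

if __name__ == "__main__":
    print(scan_reg_export(SAMPLE_REG), scan_connections(SAMPLE_CONNS), sep="\n")
```

A live check would feed the output of `reg export` and a netstat listing into these functions instead of the constructed samples.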
