[INFO]
AnalystName=Swarna Latha V.G.
AnalystEMailID=swarnalatha.gopinathan@comodo.com
Team=India
Date=04-MAR-2010
Type=TrojWare
Platform=Win32
SubType=
Family=Zmunik
Variant=

[OVERVIEW]
Zmunik variants are threat aliases of the well-known malware Backdoor.Win32.Bifrose. Most of the variants are crypted (wrapped in a crypter/packer).

[TECHNICAL_DESCRIPTION]
Registry Keys Added:
HKLM\SOFTWARE\Bifrost
HKU\%SID%\Software\Bifrost

Registry Values Added:
HKLM\SOFTWARE\Bifrost\nck: ED 1B E6 27 B9 28 D6 32 74 C3 CD 74 FA 93 5B 67
HKU\%SID%\Software\Bifrost\klg: 01

Files Added:
%ProgramFiles%\Bifrost\llog.dat
%ProgramFiles%\Bifrost\server.exe

Once executed, the malware tries to connect to unknown websites such as poys.no-ip.biz, xoiz.no-ip.biz and waaaw.no-ip.info using firefox.exe or iexplore.exe.

Creates Mutex: Bif1234, Spy-Net, )!VoqA.I4

Some variants are crypted using HackGroundCrypter, which is commercially available; on execution the sample opens the window of the application that was crypted, e.g. notepad.exe or calc.exe.

The malware also performs keylogging and records the keystrokes in a .dat file in the Bifrost folder.

Other variants keep the executable file as Unicode, which is why the name carries the suffix Zmunik (MZ, the DOS header, is read reversed here and can be found in the Unicode field as its hexadecimal equivalent, 4D 5A).

[SYMPTOMS]
Opens the browser and connects to an unknown website without the user's knowledge, or executes the crypted file.
Copies itself to the location %ProgramFiles%\Bifrost as server.exe, java.exe or cmd.exe.
Keylogging output can be seen in the .dat file in the location %ProgramFiles%\Bifrost.

[DISINFECTION]
Manual Removal Instructions:

Delete the following files:
%ProgramFiles%\Bifrost\llog.dat
%ProgramFiles%\Bifrost\server.exe

Delete the following Registry key values:
HKLM\SOFTWARE\Bifrost\nck: ED 1B E6 27 B9 28 D6 32 74 C3 CD 74 FA 93 5B 67
HKCU\Software\Bifrost\klg: 01

Restart the System.
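As an added example (not part of this report), the following PowerShell checks a host for the registry keys, registry values, dropped files and mutex names listed in the TECHNICAL_DESCRIPTION and SYMPTOMS sections above. It assumes the HKU\%SID% key can be checked through HKCU for the current user, and that nck is stored as REG_BINARY; the no-ip.* domains and the crypter behaviour are not covered.

```powershell
# Added example, not from the Comodo report: triage a host for the
# Zmunik/Bifrose indicators named in the report. Run elevated.
$findings = @()

# nck bytes exactly as listed in the report (assumed to be REG_BINARY).
$expectedNck = [byte[]](0xED,0x1B,0xE6,0x27,0xB9,0x28,0xD6,0x32,
                        0x74,0xC3,0xCD,0x74,0xFA,0x93,0x5B,0x67)

# HKCU stands in for HKU\%SID% of the logged-on user.
foreach ($key in 'HKLM:\SOFTWARE\Bifrost', 'HKCU:\Software\Bifrost') {
    if (-not (Test-Path $key)) { continue }
    $findings += "Registry key present: $key"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props.PSObject.Properties.Name -contains 'nck') {
        $nck = [byte[]]$props.nck
        $same = ($nck.Length -eq $expectedNck.Length) -and
                (@(Compare-Object $nck $expectedNck -SyncWindow 0).Count -eq 0)
        $findings += "  nck value present (matches report bytes: $same)"
    }
    if ($props.PSObject.Properties.Name -contains 'klg') {
        $findings += "  klg value present: $(($props.klg | ForEach-Object { '{0:X2}' -f $_ }) -join ' ')"
    }
}

# Dropped files: llog.dat plus the three copy names given under SYMPTOMS.
$dir = Join-Path $env:ProgramFiles 'Bifrost'
foreach ($name in 'llog.dat', 'server.exe', 'java.exe', 'cmd.exe') {
    $path = Join-Path $dir $name
    if (Test-Path $path) { $findings += "File present: $path" }
}

# Mutex names from the report. OpenExisting throws if the mutex does not
# exist; a mutex created in another session may not be visible from here.
foreach ($m in 'Bif1234', 'Spy-Net', ')!VoqA.I4') {
    try {
        $mtx = [System.Threading.Mutex]::OpenExisting($m)
        $mtx.Dispose()
        $findings += "Mutex present: $m"
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # not present
    } catch {
        $findings += "Mutex ${m}: could not be checked ($($_.Exception.GetType().Name))"
    }
}

if ($findings.Count -eq 0) { 'No Zmunik/Bifrose indicators from the report found.' }
else { $findings }
```

A match on the nck bytes is a strong indicator for the specific variant the report describes; other Bifrose builds may store a different value, so a key present with a different nck still warrants a closer look.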