Bifrost (Trojan horse)

With default settings, the server component (sized around 20–50 kilobytes, depending on variant) is dropped to C:\Program Files\Bifrost\server.exe and, when running, connects to a predefined IP address on TCP port 81, where it awaits commands from the remote user operating the client component.

The TCP connection is encrypted with a password (default: "pass"), but this can be changed as well.

It can be assumed that once all three components are operational, the remote user can execute arbitrary code at will on the compromised machine.

The server components can also be dropped to C:\Windows, with their file attributes changed to "Read Only" and "Hidden".

Older variants of Bifrost used different ports, e.g. 1971, 1999; had a different payload, e.g. C:\Winnt\system32\system.exe; and/or wrote different Windows registry keys.
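For defenders, the artifacts described above (drop paths, file size and attributes, outbound ports) can be correlated per host instead of being alerted on individually, since a port such as 81 is weak evidence on its own. The following is an added example, not part of the original article; the event field names and the sample events are constructed assumptions, not the schema of any real product.

```python
import ntpath

# Indicators taken from the article text above.
KNOWN_PATHS = {r"c:\program files\bifrost\server.exe", r"c:\winnt\system32\system.exe"}
PORTS = {81, 1971, 1999}             # default port plus ports of older variants
SIZE_RANGE = (20 * 1024, 50 * 1024)  # "around 20-50 kilobytes"

def file_reasons(ev):
    """Return the reasons a file-creation event matches the described drop behaviour."""
    path = ev["path"].lower()
    reasons = []
    if path in KNOWN_PATHS:
        reasons.append("known drop path")
    in_windows_root = ntpath.dirname(path) == r"c:\windows"
    if (in_windows_root and path.endswith(".exe")
            and {"hidden", "readonly"} <= set(ev.get("attrs", ()))
            and SIZE_RANGE[0] <= ev.get("size", 0) <= SIZE_RANGE[1]):
        reasons.append("hidden read-only executable in C:\\Windows")
    return reasons

def triage(events):
    """Correlate file and network events per host; return {host: [findings]}."""
    suspect_images = set()  # (host, lower-cased image path) of flagged files
    findings = {}
    for ev in events:
        if ev["type"] == "file_create":
            reasons = file_reasons(ev)
            if reasons:
                suspect_images.add((ev["host"], ev["path"].lower()))
                findings.setdefault(ev["host"], []).extend(reasons)
    # A listed port only counts when the connecting image was already flagged.
    for ev in events:
        if ev["type"] == "net_connect" and ev["dport"] in PORTS:
            if (ev["host"], ev["image"].lower()) in suspect_images:
                findings[ev["host"]].append(f"outbound TCP/{ev['dport']} from {ev['image']}")
    return findings

# Constructed sample events (not real telemetry); field names are assumptions.
SAMPLE = [
    {"type": "file_create", "host": "ws01", "path": r"C:\Program Files\Bifrost\server.exe", "size": 31744, "attrs": []},
    {"type": "net_connect", "host": "ws01", "image": r"C:\Program Files\Bifrost\server.exe", "dport": 81},
    {"type": "file_create", "host": "ws02", "path": r"C:\Windows\svc.exe", "size": 40960, "attrs": ["hidden", "readonly"]},
    {"type": "net_connect", "host": "ws03", "image": r"C:\Program Files\Proxy\proxy.exe", "dport": 81},
]

if __name__ == "__main__":
    for host, why in triage(SAMPLE).items():
        print(host, why)
```

Because the install path, port and password are configurable, these checks only catch default or lightly modified builds and should be treated as triage hints.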