Virus Information

| Profile | Prevalence: Medium |
| --- | --- |
| Name | Backdoor.Bifrose.AAJX |
| Type | Backdoor |
| How it spreads | Spreads via infected files and applications, and by exploiting remote vulnerabilities |
| Affected operating systems | Windows® XP, Windows® Server 2003, Windows® 2000 Server, Windows® NT, Windows® Me, Windows® 98, and Windows® 95 operating systems |
| Aliases | Win32/Injector.gen!Y |
| Date of surface | Jun 14 2010 12:00AM |
Description

Symptoms
A computer that is infected by this backdoor shows the following symptoms.
- Presence of the iexplore.exe process in Task Manager. This process has a hidden window.
- Presence of the following registry keys.
  - HKEY_CURRENT_USER\SOFTWARE\nck
  - HKEY_CURRENT_USER\SOFTWARE\klg
  - HKEY_CURRENT_USER\SOFTWARE\delay
The backdoor hides itself by injecting malicious code into the memory space of the iexplore.exe process and then by killing its own process. It looks for the presence of security-related processes, such as cpf.exe, umxtray.exe, kav.exe, and kavsvc.exe, and deletes registry entries related to them.
This backdoor provides an attacker with unauthorized remote access to the infected computer. It allows the attacker to retrieve information regarding the computer, such as the location of special folders, the layout of the keyboard, the window that the user is currently working on, and the list of recently installed applications. It sends this information to a remote server, which is the Bifrost Remote Controller. Based on this information, an attacker can gain control over the infected computer from the server and execute commands, such as init, f1, f2, eplgn, gen, and gs. In addition, the attacker can run Tor commands, such as tor, torInit, torConnect, torRead, torWrite on the computer to hide the traces of the remote addresses visited by the backdoor and prevent its detection by network surveillance software.
Note: These commands execute only if Tor has previously been installed on the computer.
The backdoor also acts as a keylogger. It steals sensitive information, such as passwords, login names, and identity details, by recording the user's keystrokes on the infected computer.
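The symptoms listed above (the three HKEY_CURRENT_USER\SOFTWARE keys and an iexplore.exe process without a visible window) can be checked from an administrative PowerShell prompt. The script below is an added, read-only example written for this page; it is not eScan/MicroWorld code and does not remove anything, it only reports what it finds.

```powershell
# Added example (not from the eScan page): report the indicators of
# Backdoor.Bifrose.AAJX described above. Read-only; it changes nothing.

# Registry keys the backdoor creates under HKEY_CURRENT_USER\SOFTWARE.
$indicatorKeys = @(
    'HKCU:\SOFTWARE\nck',
    'HKCU:\SOFTWARE\klg',
    'HKCU:\SOFTWARE\delay'
)

$findings = @()

foreach ($key in $indicatorKeys) {
    if (Test-Path -LiteralPath $key) {
        $findings += "Registry key present: $key"
    }
}

# The backdoor lives inside an iexplore.exe process whose window is hidden,
# so flag any iexplore.exe instance that has no main window handle.
$procs = Get-Process -Name iexplore -ErrorAction SilentlyContinue
foreach ($p in $procs) {
    if ($p.MainWindowHandle -eq 0) {
        $path = '<access denied>'
        try { $path = $p.Path } catch { }
        $findings += ("iexplore.exe PID {0} has no visible window (image: {1})" -f $p.Id, $path)
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Backdoor.Bifrose.AAJX indicators found.'
} else {
    Write-Output 'Possible Backdoor.Bifrose.AAJX indicators:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

The registry keys are checked only under the current user's hive, because the page lists them under HKEY_CURRENT_USER; run the script as each user account on a shared machine. A hidden iexplore.exe window on its own is not conclusive (legitimate software can host Internet Explorer without a window), so treat that finding as a prompt to run a full scan with one of the methods below rather than as proof of infection.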
Recovery
To remove the backdoor, use any one of the following methods.
Method 1
The latest antivirus update of eScan removes the backdoor from your computer. Ensure that your computer is connected to the Internet. On the taskbar, in the notification area, right-click the red eScan icon, and then click Update now. The latest updates will be downloaded to your computer. You can then scan your computer to remove the backdoor.
Method 2
Download the free MicroWorld Antivirus toolkit (MWAV toolkit), and then run it on your computer. This toolkit checks your computer, system registry, and running processes for malicious programs, illegal dialers, or sniffer tools and then detects them.
You can download the MWAV toolkit from the MicroWorld Web site.
Method 3
MicroWorld's eScan Internet Security Suite (ISS) product has a real-time monitor that detects malicious code in the system registry and running processes.
This product can be downloaded and installed from the MicroWorld Web site.