Troj/Feutel-P is a backdoor Trojan which allows a remote intruder to gain access and control over the computer. It can provide keylogging functionality and steal other information about the host.
When first run Troj/Feutel-P copies itself to <Windows>\tw725.exe or <Windows>\G_Server.exe and creates the following files:
<Windows>\tw725.dll
<Windows>\uninstal.bat
or
<Windows>\G_Server.DLL
<Windows>\G_Server_Hook.DLL
The file tw725.exe is registered as a new system driver service named "Microsoft Updata ver2005", with a display name of "Microsoft Updata ver2005" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Microsoft Updata ver2005\
The file G_Server.exe is registered as a new system driver service named "GrayPigeonServer", with a display name of "Gray_Pigeon_Server" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\GrayPigeonServer\
Troj/Feutel-P changes settings for Microsoft Internet Explorer by modifying values under:
HKCU\Software\Microsoft\Internet Explorer\Main\
It may also attempt to modify the host file under <Windows>\system32\drivers\etc\hosts.
Troj/Feutel-P may set the following registry entry:
HKCU\Software\Microsoft\Internet Explorer\Toolbar
Locked
1