Troj/Feutel-H

Aliases	Backdoor.Win32.Hupigon.am BackDoor-CSP
Category	Viruses and Spyware
Type	Trojan
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


Affected operating systems	Windows
Characteristics	Installs itself in the registry
Protection available since	9 June 2005 10:04:47 (GMT)
Detected by	All Sophos products

Free virus scan
Download the Threat Detection Test

Free virus, spyware, and adware scan
Test your existing anti-virus protection
Find threats your anti-virus missed

Action

Summary
Action
More Information

Please follow the instructions for removing Trojans.

More Information

Summary
Action
More Information

Troj/Feutel-H is a keylogging backdoor Trojan. Troj/Feutel-H runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer.

On Windows 9x operating systems, when first run Troj/Feutel-H moves itself as a hidden, read-only, system file <Windows>\RasMan.exe and creates the hidden, read-only, system files <Windows>\RasMan.DLL and <Windows>\RasManKey.DLL. These DLL files are detected by Sophos as Troj/Feutel-H.

Troj/Feutel-H also creates the file <System>\COMGP32LOG.dll. This file may be deleted.

The following registry entry is then created to run RasMan.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
RasMan.exe
<Windows>\RasMan.exe

On Windows NT based operating systems, Troj/Feutel-H moves itself as a hidden, read-only, system file <Windows>\RasMan.exe and creates the hidden, read-only, system file <Windows>\RasMan.DLL. This file is the same file as <Windows>\RasMan.DLL that was created under Windows 9x operating systems and is detected by Sophos as Troj/Feutel-H.

Troj/Feutel-H then installs itself as a service named RasManager, with a display name of "RasMan.exe". Registry entries will be created under the following branches:

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RASMANAGER

HKLM\SYSTEM\CurrentControlSet\Services\RasManager

In particular, the following registry entry will be set:

HKLM\SYSTEM\CurrentControlSet\Services\RasManager
ImagePath
<Windows>\RasMan.exe

Troj/Feutel-H sets up a keylogging component and a backdoor which allows a remote intruder to control the infected computer.

Troj/Feutel-H contains backdoor functionality that allows a remote user to:

- steal confidential information
- access the computer's file system
- create screen and video captures
- listen in on the infected computer
- download, install and run new software without notification that it is doing so

Troj/Feutel-H changes settings for Microsoft Internet Explorer by modifying values under:

HKCU\Software\Microsoft\Internet Explorer\Main
FullScreen
no

HKCU\Software\Microsoft\Internet Explorer\Main
Check_Associations
no

HKCU\Software\Microsoft\Internet Explorer\Toolbar
Locked
00000001

Get reports about the latest virus and spyware threats delivered to your computer

In this section

Troj/Feutel-H

Summary

Action

More Information