Troj/Feutel-C

Please follow the instructions for removing Trojans.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
G_Server.exe
C:\Windows\G_Server.exe

and delete it if it exists.

Close the registry editor.

Troj/Feutel-C is a backdoor Trojan for the Windows platform.

Troj/Feutel-C copies itself to the Windows folder with the name G_Server.exe . On Windows 9x machines, the Trojan creates the following registry entry in order to be run automatically at logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
G_Server.exe
C:\Windows\G_Server.exe

On Windows NT machines, the Trojan installs itself as a service with the following characteristics:

servicename = GrayPigeonServer
displayname = "Gray_Pigeon_Server"
imagepath = C:\WINDOWS\G_Server.exe

Troj/Feutel-C creates the following three DLL files in the Windows folder, all detected as Troj/Feutel-C:

G_Server.dll
G_ServerKey.dll
G_ServerHook.dll

The Trojan injects code into the Windows explorer process in order to prevent itself from being terminated. This code has functionality to hide files and services associated with the Trojan.

Troj/Feutel-C records keypresses to the file COMGP32LOG.DLL in the Windows system folder.

The Trojan downloads a configuration file from a preconfigured URL. The contents of this file indicate an IP address and TCP port number on which the author is listening. The Trojan then connects to this port and awaits further instructions.