Troj/Kelebek-G

Please follow the instructions for removing Trojans.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WinMsgServices
?.exe

and delete it if it exists.

Close the registry editor.

Troj/Kelebek-G is a backdoor Trojan for the Windows platform.

The Trojan contacts a number of predefined IRC servers and waits for instructions from a remote attacker. Troj/Kelebek-G is a backdoor Trojan for the Windows platform.

The Trojan contacts a number of predefined IRC servers and waits for instructions from a remote attacker.

The Trojan creates the following files in the Windows system folder

asfsip.dll
bnsnbrgndglhrgnsvdm.dll
mirc.ini
myuv.dll
nrdsn.dll
qwssd.dll
remote.ini
servers.ini
svhost.dll
term.dll
truse.dll
vga11k.dll
wdinfo.dll

Svhost.dll is detected as Troj/Flood-I and bnsnbrgndglhrgnsvdm.dll is detected as Troj/Kirsun-A. The other files are detected as Troj/Kelebek-G.

Troj/Kelebek-G also creates the following non-malicious files in the Windows system folder:

?.exe (where ? is ASCII character 255)
bos.txt
channels.txt
general.dll
mtime.dll
my.dll
nrshu.dll
puprn.vbs
timer.txt
colors/e.dll
colors/i.dll
colors/n.dll

These files may be safely deleted.

To ensure that the Trojan is run each time a user logs on it adds the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WinMsgServices
?.exe (where ? is ASCII character 255)