From: Sophos Alert System

Name: Troj/Feutel-B
Aliases: Backdoor.Win32.Hupigon.j, BackDoor-AWQ.b trojan
Type: Trojan
Date: 21 March 2005

A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the May 2005 (3.93) release of Sophos Anti-Virus. Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received a small number of reports of this Trojan from the wild.

Information about Troj/Feutel-B can be found at:
http://www.sophos.com/virusinfo/analyses/trojfeutelb.html

Troj/Feutel-B is a backdoor Trojan for the Windows platform.

Troj/Feutel-B connects to the internet and attempts to download configuration files from preconfigured sites. The Trojan installs a keylogging component and opens a backdoor allowing unauthorised remote access to the infected computer.

Troj/Feutel-B moves itself to the Windows folder as "svchost.exe" and creates two DLL files named "svchost.dll" and "svchost_hook.dll". The Trojan may create a randomly named file in the Temp folder which is also detected as Troj/Feutel-B.

Troj/Feutel-B may create the following registry entry in order to run automatically on computer login:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
svchost.exe
svchost.exe

On NT-based versions of Windows (NT, 2000, XP) svchost.exe is registered as a service process called Webservice with a display name of "Webservice" and a start type of automatic, so that the Trojan is started automatically when the system boots.
Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\Webservice
HKLM\SYSTEM\CurrentControlSet\Services\mchInjDrv

Troj/Feutel-B also sets the following registry entry:

HKCU\Software\Microsoft\Internet Explorer\Main\
Check_Associations
"no"

This IDE file also includes detection for:

Troj/Small-DQ
http://www.sophos.com/virusinfo/analyses/trojsmalldq.html

W32/Rbot-YU
http://www.sophos.com/virusinfo/analyses/w32rbotyu.html

W32/Hwbot-A
http://www.sophos.com/virusinfo/analyses/w32hwbota.html

Troj/PWSVB-EG
http://www.sophos.com/virusinfo/analyses/trojpwsvbeg.html

Troj/PcClient-C
http://www.sophos.com/virusinfo/analyses/trojpcclientc.html

W32/Rbot-YP
http://www.sophos.com/virusinfo/analyses/w32rbotyp.html

Troj/Vipgsm-AB
http://www.sophos.com/virusinfo/analyses/trojvipgsmab.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/feutel-b.ide

Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats:

Zip file: http://www.sophos.com/downloads/ide/ides.zip
Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews
see a sample on my web page http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
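A host-check script, added here as an example and not part of the Sophos alert or of Mike's message, that looks for the file and registry indicators the alert lists (the dropped svchost.exe / svchost.dll / svchost_hook.dll in the Windows folder, the HKCU Run entry, the Webservice and mchInjDrv service keys, and the IE Check_Associations value). One point the alert does not spell out: the genuine svchost.exe lives in %SystemRoot%\System32 (and SysWOW64 on 64-bit Windows), so a file of that name sitting directly in %SystemRoot% is itself abnormal. The script assumes PowerShell 4 or later (for Get-FileHash) and only inspects the HKCU hive of the user running it.

```powershell
# Added example, not from the Sophos alert: look for Troj/Feutel-B indicators
# on the local host. Run from an elevated PowerShell prompt (PowerShell 4+).
# The legitimate svchost.exe is in %SystemRoot%\System32; a copy directly in
# %SystemRoot% is not normal and is the alert's primary file indicator.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files in the Windows folder (per the alert), with hashes for triage
$winDir = $env:SystemRoot
foreach ($name in 'svchost.exe', 'svchost.dll', 'svchost_hook.dll') {
    $path = Join-Path $winDir $name
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings.Add("File present: $path (SHA256 $hash)")
    }
}

# 2. HKCU Run value named svchost.exe (current user's hive only)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['svchost.exe']) {
    $findings.Add("Run value: $runKey\svchost.exe = $($run.'svchost.exe')")
}

# 3. Service keys Webservice and mchInjDrv; report ImagePath and Start type
#    (Start = 2 is Automatic, matching the alert's description)
foreach ($svc in 'Webservice', 'mchInjDrv') {
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path -LiteralPath $svcKey) {
        $props = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
        $findings.Add("Service key: $svcKey (ImagePath: $($props.ImagePath); Start: $($props.Start))")
    }
}

# 4. IE Check_Associations = "no" (weak on its own; users set this too)
$ieKey = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$ie = Get-ItemProperty -Path $ieKey -ErrorAction SilentlyContinue
if ($ie -and $ie.Check_Associations -eq 'no') {
    $findings.Add("IE Check_Associations = no (weak indicator on its own)")
}

if ($findings.Count -eq 0) {
    Write-Output 'No Troj/Feutel-B indicators found.'
} else {
    Write-Output 'Possible Troj/Feutel-B indicators:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Treat the file and service-key hits as the strong signals; the Check_Associations value is reported only because the alert lists it, and by itself it means nothing. To cover other accounts on a shared machine, load each user's NTUSER.DAT under HKU (reg load) and repeat the HKCU checks against that hive.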