From; Sophos Alert System: Name: Troj/Iyus-A Type: Trojan Date: 19 May 2004 A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the July 2004 (3.83) release of Sophos Anti-Virus. Customers using Enterprise Manager, PureMessage and any of the Sophos small business solutions will be automatically protected at their next scheduled update. At the time of writing, Sophos has received just one report of this Trojan from the wild. Information about Troj/Iyus-A can be found at: http://www.sophos.com/virusinfo/analyses/trojiyusa.html Description Troj/Iyus-A is a password-stealing Trojan. Troj/Iyus-A copies itself either to a subfolder of the Windows system folder called IYUS or to a subfolder of the folder given in the registry entry HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ Shell Folders\AppData called Microsoft\IYUS, copying itself with a filename consisting of eight random lowercase characters and an EXE extension. Troj/Iyus-A then sets the following registry entry so as to run itself on system startup: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\iyus Troj/Iyus-A drops a file in the same folder as itself called IYUS.DLL, also detected as Troj/Iyus-A, which monitors whether the user accesses certain specific websites. In particular the DLL monitors access to a large number of banking-related websites, logging keystrokes and data transfer to files with a PST or HTM extension, as well as one called HTM.TXT, to this same IYUS subfolder. Troj/Iyus-A runs in the background as a service process and periodically collates the gathered information to a file called RESF.INI and then sends it to a remote location by FTP. RESF.INI contains the following sections, relating to information gathered from the corresponding banking websites: cbonline barclays halifax natwest hsbc lloydstsb westpac netpay cahoot hsbcau evocash egold bullion bankcardservices anz abbey Troj/Iyus-A sets the following time-related registry entry: HKCU\Software\Microsoft\Windows\CurrentVersion\iyus Troj/Iyus-A also sets the following registry entry when it attempts an FTP upload: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\iyus Troj/Iyus-A may create an empty file in the Windows system folder called XTEMPXXX.XXX. Troj/Iyus-A may download and run a file from a remote location, currently detected as Troj/Iyus-E. Troj/Iyus-A attempts to terminate a large number of processes relating to security and anti-virus products. Troj/Iyus-A also provides stealthing by way of the dropped DLL in order to make its presence difficult to detect. This IDE file also includes detection for: Troj/Iyus-B http://www.sophos.com/virusinfo/analyses/trojiyusb.html Troj/Iyus-C http://www.sophos.com/virusinfo/analyses/trojiyusc.html Troj/Iyus-D http://www.sophos.com/virusinfo/analyses/trojiyusd.html Troj/Iyus-E http://www.sophos.com/virusinfo/analyses/trojiyuse.html W32/Spybot-CB http://www.sophos.com/virusinfo/analyses/w32spybotcb.html W32/Sdbot-MS http://www.sophos.com/virusinfo/analyses/w32sdbotms.html W32/Sdbot-MA http://www.sophos.com/virusinfo/analyses/w32sdbotma.html W95/Primat-A http://www.sophos.com/virusinfo/analyses/w95primata.html W32/Agobot-IV http://www.sophos.com/virusinfo/analyses/w32agobotiv.html Download the IDE file from: http://www.sophos.com/downloads/ide/iyus-a.ide Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats: Zip file: http://www.sophos.com/downloads/ide/ides.zip Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html *********** MIKE"S REPLY SEPARATOR *********** Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> http://www3.telus.net/mikebike/worm_removal.htm See my Anti-Virus pages http://virusinfo.hackfix.org/index <virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe> A Technical Support Alliance and OWTA Charter Member