[virusinfo] Troj/Iyus-A

• From: "Mike" <mikebike@xxxxxxxxx>
• To: virusinfo@xxxxxxxxxxxxx
• Date: Wed, 19 May 2004 08:17:00 -0700

From; Sophos Alert System:

Name: Troj/Iyus-A
Type: Trojan
Date: 19 May 2004

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the July 2004 (3.83) release of Sophos Anti-Virus.

Customers using Enterprise Manager, PureMessage and any of the
Sophos small business solutions will be automatically protected
at their next scheduled update.


At the time of writing, Sophos has received just one report of
this Trojan from the wild.


Information about Troj/Iyus-A can be found at:
http://www.sophos.com/virusinfo/analyses/trojiyusa.html
Description 
Troj/Iyus-A is a password-stealing Trojan. 
Troj/Iyus-A copies itself either to a subfolder of the Windows system folder
called IYUS or to a subfolder of the folder given in the registry entry 

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Shell Folders\AppData 

called Microsoft\IYUS, copying itself with a filename consisting of eight
random
lowercase characters and an EXE extension. Troj/Iyus-A then sets the
following
registry entry so as to run itself on system startup: 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\iyus 

Troj/Iyus-A drops a file in the same folder as itself called IYUS.DLL, also
detected as Troj/Iyus-A, which monitors whether the user accesses certain
specific websites. In particular the DLL monitors access to a large number
of banking-related websites, logging keystrokes and data transfer to files
with a PST or HTM extension, as well as one called HTM.TXT, to this same
IYUS subfolder. 

Troj/Iyus-A runs in the background as a service process and periodically
collates the gathered information to a file called RESF.INI and then sends
it to a remote location by FTP. RESF.INI contains the following sections,
relating to information gathered from the corresponding banking websites: 

cbonline
barclays
halifax
natwest
hsbc
lloydstsb
westpac
netpay
cahoot
hsbcau
evocash
egold
bullion
bankcardservices
anz
abbey 

Troj/Iyus-A sets the following time-related registry entry: 

HKCU\Software\Microsoft\Windows\CurrentVersion\iyus 

Troj/Iyus-A also sets the following registry entry when it attempts an FTP
upload: 

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\iyus 

Troj/Iyus-A may create an empty file in the Windows system folder called
XTEMPXXX.XXX. 

Troj/Iyus-A may download and run a file from a remote location, currently
detected as Troj/Iyus-E. 

Troj/Iyus-A attempts to terminate a large number of processes relating to
security and anti-virus products. 

Troj/Iyus-A also provides stealthing by way of the dropped DLL in order to
make
its presence difficult to detect. 
 
 

This IDE file also includes detection for:

Troj/Iyus-B
http://www.sophos.com/virusinfo/analyses/trojiyusb.html
Troj/Iyus-C
http://www.sophos.com/virusinfo/analyses/trojiyusc.html
Troj/Iyus-D
http://www.sophos.com/virusinfo/analyses/trojiyusd.html
Troj/Iyus-E
http://www.sophos.com/virusinfo/analyses/trojiyuse.html
W32/Spybot-CB
http://www.sophos.com/virusinfo/analyses/w32spybotcb.html
W32/Sdbot-MS
http://www.sophos.com/virusinfo/analyses/w32sdbotms.html
W32/Sdbot-MA
http://www.sophos.com/virusinfo/analyses/w32sdbotma.html
W95/Primat-A
http://www.sophos.com/virusinfo/analyses/w95primata.html
W32/Agobot-IV
http://www.sophos.com/virusinfo/analyses/w32agobotiv.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/iyus-a.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE"S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 

Other related posts:

• » [virusinfo] Troj/Iyus-A

1. Home
2. virusinfo
3. Archive
4. 05-2004

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---