Troj/Iyus-H is an information-stealing Trojan for the Windows platform.
When run, the Trojan attempts to copy itself to the file %SYSTEM%\msgina\wuauclt2.exe and then creates the following registry entry so that it runs at computer logon:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
msgina
%SYSTEM%\msgina\wuauclt2.exe
Troj/Iyus-H also tries to delete files obtained from the following registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
The Trojan attempts to steal data and stores the information in the file:
%SYSTEM%\msgina\id.txt
Troj/Iyus-H also tries to download data from a remote website and store it as %SYSTEM%\msgina\flagdata.txt.
The files flagdata.txt and id.txt are non-viral and can be safely deleted.
Once installed, the Trojan attempts to download and execute files from the internet, terminate a large number of processes relating to security and anti-virus products, and set up an HTTP proxy that allows a remote user to route web traffic through the infected computer.
Troj/Iyus-H also creates the following registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
msginaidnt
<random character string>
The Trojan also drops the DLL file msgina32.dll in the Windows system folder. This dropped DLL provides Troj/Iyus-H with stealth capabilities that make its presence difficult to detect.
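The files and registry values listed above can be checked on a host with a read-only PowerShell function. This is an added example, not part of the original description; the function name is hypothetical, and it assumes %SYSTEM% means the Windows system folder (SysWOW64 is checked as well, on the assumption that a 32-bit process on 64-bit Windows would be redirected there).

```powershell
# Added example: read-only check for the Troj/Iyus-H artifacts named on this page.
# Assumption: %SYSTEM% is the Windows system folder; SysWOW64 is also checked
# because 32-bit processes on 64-bit Windows are redirected there.
function Get-IyusHIndicators {
    $findings = @()
    $sysDirs = @([Environment]::SystemDirectory, (Join-Path $env:windir 'SysWOW64')) |
        Select-Object -Unique

    # File artifacts, relative to the system folder.
    $relPaths = 'msgina\wuauclt2.exe', 'msgina\id.txt', 'msgina\flagdata.txt', 'msgina32.dll'
    foreach ($dir in $sysDirs) {
        foreach ($rel in $relPaths) {
            $path = Join-Path $dir $rel
            if (Test-Path -LiteralPath $path) {
                $findings += [pscustomobject]@{ Type = 'File'; Location = $path; Data = '' }
            }
        }
    }

    # Registry values (HKCU is per-user: run as the account under examination).
    $regValues = @(
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'msgina' },
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'msginaidnt' }
    )
    foreach ($v in $regValues) {
        $item = Get-ItemProperty -LiteralPath $v.Key -Name $v.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $findings += [pscustomobject]@{
                Type = 'Registry'; Location = "$($v.Key)\$($v.Name)"; Data = [string]$item.($v.Name)
            }
        }
    }
    return $findings
}

Get-IyusHIndicators | Format-Table -AutoSize
```

Because the dropped msgina32.dll is described as hiding the Trojan's presence, an empty result on a running system is not conclusive; the same paths and values can be checked against an offline disk image or registry hive.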