Sophos

Troj/Iyus-Fam


Summary

Affected operating systems Windows
Detected by All Sophos products

Action

Please follow the instructions for removing Trojans.

The name Troj/Iyus-Fam is used where a file belongs to a particular family of Trojans, but the variant is not separately identified. Sophos's proactive protection technology will identify such files as a -Fam variant.

  1. Ensure that you are using the most recent IDE files, as more precise detection could now be available.
  2. If necessary, please send us a sample to assist in improving our technology.
  3. Use the instructions for removing generically detected files to delete the file from your computer.
  4. If you require further assistance with disinfection, contact support.

More Information

Troj/Iyus-Fam is a family of keylogging Trojans.

Members of Troj/Iyus-Fam usually copy themselves either to a subfolder of the Windows system folder or to a subfolder of the folder given in the registry entry HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData, usually using a filename consisting of 8 random lowercase characters and an EXE extension. They then set the following registry entry so as to run themselves on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
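As an added defender-side illustration (not part of the Sophos description), the heuristic below scans Run values for the persistence pattern described above: a target executable named with 8 random lowercase letters inside a subfolder of the system folder or of the AppData folder. The folder paths and the sample Run values are constructed assumptions, not data from a real infection.

```python
import re
from pathlib import PureWindowsPath

# Constructed paths assumed for the example; on a live host these would come
# from %SystemRoot%\System32 and the Shell Folders\AppData registry value.
SYSTEM_FOLDER = PureWindowsPath(r"C:\Windows\System32")
APPDATA_FOLDER = PureWindowsPath(r"C:\Documents and Settings\user\Application Data")

# Filename pattern described for this family: 8 random lowercase letters + .exe
RANDOM_EXE = re.compile(r"^[a-z]{8}\.exe$")

def executable_path(run_value: str) -> PureWindowsPath:
    """Extract the program path from a Run value, handling quotes and arguments."""
    value = run_value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return PureWindowsPath(value[1:end] if end > 0 else value[1:])
    # Unquoted: take text up to the first ".exe" token (arguments may follow)
    m = re.match(r"(.+?\.exe)(\s|$)", value, re.IGNORECASE)
    return PureWindowsPath(m.group(1) if m else value)

def is_under(path: PureWindowsPath, base: PureWindowsPath) -> bool:
    """True if path lies inside base (case-insensitive, Windows-style)."""
    p = [s.lower() for s in path.parts]
    b = [s.lower() for s in base.parts]
    return p[:len(b)] == b and len(p) > len(b)

def suspicious_run_entries(run_values: dict) -> list:
    """Return Run value names whose target matches the family's persistence pattern."""
    hits = []
    for name, data in run_values.items():
        exe = executable_path(data)
        in_system = is_under(exe, SYSTEM_FOLDER)
        in_appdata = is_under(exe, APPDATA_FOLDER)
        # The family writes into a subfolder, so a file directly in the base folder is ignored
        deeper = exe.parent not in (SYSTEM_FOLDER, APPDATA_FOLDER)
        if (in_system or in_appdata) and deeper and RANDOM_EXE.match(exe.name):
            hits.append(name)
    return hits

# Constructed sample of HKLM\...\Run values (not taken from a real infection)
SAMPLE_RUN = {
    "ctfmon": r"C:\Windows\System32\ctfmon.exe",
    "svcupd": r'"C:\Windows\System32\drivers\qwertyui.exe"',
    "Updater": r"C:\Documents and Settings\user\Application Data\tmp\abcdefgh.exe -silent",
    "Vendor": r"C:\Program Files\Vendor\vendorapp.exe",
}
if __name__ == "__main__":
    print(suspicious_run_entries(SAMPLE_RUN))  # -> ['svcupd', 'Updater']
```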

Members of Troj/Iyus-Fam usually set further registry entries with different values at the following registry locations to store data about themselves:

HKCU\Software\Microsoft\Windows\CurrentVersion
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Members of Troj/Iyus-Fam sometimes try to set certain other registry entries including the following:

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page = "about:blank"
HKLM\Software\Microsoft\Internet Explorer\Main\Start Page = "about:blank"

Members of Troj/Iyus-Fam sometimes try to delete certain registry entries including the following:

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\NetCheck

Members of Troj/Iyus-Fam sometimes try to delete certain files, sometimes from the folder found at the registry entry

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData.

The files that may be deleted include the following:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\IEUpdate.exe
C:\Windows\Start Menu\Programs\Startup\IEUpdate.exe
<AppData Folder>\SVLAUNCH.DLL

Members of Troj/Iyus-Fam usually drop one or two DLL files in the same folder as themselves, also detected as Troj/Iyus-Fam. These are used to monitor whether the user accesses certain specific, usually banking-related, websites. They are also often used to log keystrokes and data transfer. This data is logged to files with PST, HTM, TXT, INI, LOG, F$ and CAB extensions in the same subfolder. These log files are usually sent to a remote location by FTP, often after combining the data into a single file.

Members of Troj/Iyus-Fam may create an empty file in the Windows system folder, often with an XXX or LOG extension.

Members of Troj/Iyus-Fam usually attempt to download and execute files from a remote location, often in order to update themselves.

Members of Troj/Iyus-Fam sometimes try to download self-configuration data from a remote server.

Members of Troj/Iyus-Fam often attempt to terminate a large number of processes relating to security and anti-virus products.

Members of Troj/Iyus-Fam usually provide stealthing by way of one of the dropped DLLs in order to make their presence difficult to detect.

Members of Troj/Iyus-Fam often run an HTTP proxy and a SOCKS proxy, allowing a remote user to route web or general-purpose traffic through the infected computer.
