Sophos

Troj/Iyus-I

Aliases
  • PWSteal.Tarno.L.

Summary

Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 21 January 2005 07:59:47 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing Trojans.

Change any data that may have become compromised.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
rvf
<Windows folder>\x~v\url_mon32.exe

and delete it if it exists.

Close the registry editor.
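
The manual steps above can be checked and, if wanted, carried out from an elevated PowerShell session. The following script is an added example, not Sophos tooling: it reads the 'rvf' value under the Run key named in this advisory, reports whether the data points at x~v\url_mon32.exe and whether that file is still on disk, and only with -Remove exports the Run key as a backup (to a hypothetical path under %TEMP%) before deleting the value. It assumes PowerShell 5.1 or later running as Administrator on the affected Windows NT/2000/XP/2003 host; the value name and file path are taken from the advisory, everything else is an assumption.

```powershell
# Added example (not Sophos's own tooling): audit and optionally remove the
# Run value described in the Troj/Iyus-I advisory.
# Assumptions: PowerShell 5.1+ run as Administrator; value name 'rvf' and
# the path 'x~v\url_mon32.exe' come from the advisory; the backup path is hypothetical.
param(
    [switch]$Remove,
    [string]$BackupPath = "$env:TEMP\Run-backup.reg"   # hypothetical backup location
)

$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'rvf'
# The advisory gives the path relative to the Windows folder; resolve it on this host.
$expected  = Join-Path $env:SystemRoot 'x~v\url_mon32.exe'

function Get-IyusRunValue {
    # Returns the data of the 'rvf' value, or $null when the value is absent.
    $item = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$valueName
}

$data = Get-IyusRunValue
if ($null -eq $data) {
    Write-Output "No '$valueName' value under $runKey - nothing to do."
    return
}

Write-Output "Found Run value '$valueName' = $data"
# Match on the trailing path so a quoted or differently cased entry still matches.
if ($data.Trim('"') -notlike '*x~v\url_mon32.exe') {
    Write-Warning 'Data does not match the url_mon32.exe path from the advisory; review manually before removing.'
}

# Report whether the referenced executable is still on disk.
if (Test-Path -LiteralPath $expected) {
    Write-Output "Dropped file present: $expected"
}

if ($Remove) {
    # Mirror the manual steps: back up first, then delete the value.
    # reg.exe export writes a .reg file that Regedit can re-import; /y overwrites silently.
    & reg.exe export 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run' $BackupPath /y | Out-Null
    Write-Output "Run key exported to $BackupPath"
    Remove-ItemProperty -Path $runKey -Name $valueName
    Write-Output "Removed '$valueName' from $runKey"
}
```

Run it without arguments first to see what is present; the value is only deleted when -Remove is given, and the exported .reg file is the backup the manual instructions ask for.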

More Information

Troj/Iyus-I is a password-stealing Trojan.

Troj/Iyus-I copies itself to a subfolder of the Windows system folder called x~v as url_mon32.exe.

Troj/Iyus-I drops a file named um.dll in the same folder as itself and a file named iehelper.dll in the Windows system folder. The DLLs monitor user activity, logging keystrokes and data transfer in files named *.log.

Troj/Iyus-I runs in the background as a service process and periodically collates the gathered information then sends it to a remote location by FTP.

Troj/Iyus-I then sets the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
rvf
<Windows folder>\x~v\url_mon32.exe

Troj/Iyus-I attempts to terminate the following security and anti-virus related processes:

'_AVP32.EXE'
'_AVPCC.EXE'
'_AVPM.EXE'
'ACKWIN32.EXE'
'ALG.EXE'
'ANTI-TROJAN.EXE'
'APVXDWIN.EXE'
'ARMOR2NET.EXE'
'AUTODOWN.EXE'
'AVCONSOL.EXE'
'AVE32.EXE'
'AVGCTRL.EXE'
'AVKSERV.EXE'
'AVNT.EXE'
'AVP.EXE'
'AVP32.EXE'
'AVPCC.EXE'
'AVPDOS32.EXE'
'AVPM.EXE'
'AVPTC32.EXE'
'AVPUPD.EXE'
'AVSCHED32.EXE'
'AVWIN95.EXE'
'AVWUPD32.EXE'
'BLACKD.EXE'
'BLACKICE.EXE'
'CFIADMIN.EXE'
'CFIAUDIT.EXE'
'CFINET.EXE'
'CFINET32.EXE'
'CLAW95.EXE'
'CLAW95CF.EXE'
'CLEANER.EXE'
'CLEANER3.EXE'
'DVP95.EXE'
'ECENGINE.EXE'
'ESAFE.EXE'
'ESPWATCH.EXE'
'F-AGNT95.EXE'
'F-PROT.EXE'
'F-PROT95.EXE'
'F-STOPW.EXE'
'FINDVIRU.EXE'
'FP-WIN.EXE'
'FPROT.EXE'
'FRW.EXE'
'IAMAPP.EXE'
'IAMSERV.EXE'
'IBMASN.EXE'
'IBMAVSP.EXE'
'ICLOAD95.EXE'
'ICLOADNT.EXE'
'ICMON.EXE'
'ICSUPP95.EXE'
'ICSUPPNT.EXE'
'IFACE.EXE'
'IOMON98.EXE'
'JEDI.EXE'
'LOCKDOWN2000.EXE'
'LOOKOUT.EXE'
'LUALL.EXE'
'MOOLIVE.EXE'
'MPFTRAY.EXE'
'N32SCANW.EXE'
'NAVAPW32.EXE'
'NAVLU32.EXE'
'NAVNT.EXE'
'NAVW32.EXE'
'NAVWNT.EXE'
'NISUM.EXE'
'NMAIN.EXE'
'NORMIST.EXE'
'NPROTECT.EXE'
'NUPGRADE.EXE'
'NVC95.EXE'
'NVSVC32.EXE'
'OUTPOST.EXE'
'PADMIN.EXE'
'PAVCL.EXE'
'PAVSCHED.EXE'
'PAVW.EXE'
'PCCWIN98.EXE'
'PCFWALLICON.EXE'
'PERSFW.EXE'
'RAV7.EXE'
'RAV7WIN.EXE'
'RESCUE.EXE'
'SAFEWEB.EXE'
'SAVSCAN.EXE'
'SCAN32.EXE'
'SCAN95.EXE'
'SCANPM.EXE'
'SCRSCAN.EXE'
'SERV95.EXE'
'SMC.EXE'
'SPHINX.EXE'
'SWEEP95.EXE'
'TBSCAN.EXE'
'TCA.EXE'
'TDS2-NT.EXE'
'VET95.EXE'
'VETTRAY.EXE'
'WEBSCANX.EXE'
'WFINDV32.EXE'
'ZONEALARM.EXE'

The iehelper.dll file is registered as a Browser Helper Object (BHO) and monitors Internet sessions for connections to the following domains:

help.lloydstsb.com
ibank.barclays.co.uk
ibank.cahoot.com
myonlineaccounts2.abbeynational.co.uk
olb2.nationet.com
online.lloydstsb.co.uk
webbank.openplan.co.uk
www.abbey.com
www.cahoot.com
www.ebank.hsbc.co.uk
www.halifax-online.co.uk
www.lloydstsb.co.uk
www.lloydstsb.com
www.nationwide.co.uk
www.natwest.com
www.nwolb.com
www.personal.barclays.co.uk
www.rbs.co.uk
www.rbsdigital.com
www.ukpersonal.hsbc.com
www.woolwich.co.uk

When Troj/Iyus-I determines that a request to any of these sites has been made, the Trojan displays a fake website asking the user to enter account information.
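
Because the BHO is what puts the fake banking pages in front of the user, a defender will want to confirm whether iehelper.dll is registered as a Browser Helper Object on a suspect machine. The script below is an added example and not part of the Sophos advisory: it enumerates the CLSIDs under the Browser Helper Objects key, resolves each to its InProcServer32 DLL, flags any whose file name is iehelper.dll, and then checks for the three dropped files named in the advisory. It assumes PowerShell 5.1 or later; the HKCR: drive is mounted by the script because it is not present by default, the Wow6432Node paths are included for 64-bit hosts, and mapping "Windows system folder" to System32 is an assumption.

```powershell
# Added example (not from the Sophos advisory): list registered Browser Helper
# Objects and flag any backed by iehelper.dll, then check for the dropped files.
# Assumptions: PowerShell 5.1+; HKCR: is mounted here; Wow6432Node covered for
# 64-bit hosts; 'Windows system folder' is taken to mean System32.
New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT -ErrorAction SilentlyContinue | Out-Null

$bhoKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoDll {
    # Resolve a BHO CLSID to the DLL path stored in its InProcServer32 (default) value.
    param([string]$Clsid)
    foreach ($root in 'HKCR:\CLSID', 'HKCR:\Wow6432Node\CLSID') {
        $srv = Join-Path $root "$Clsid\InProcServer32"
        if (Test-Path -LiteralPath $srv) {
            $path = (Get-ItemProperty -LiteralPath $srv).'(default)'
            if ($path) { return [Environment]::ExpandEnvironmentVariables($path) }
        }
    }
    return $null
}

$suspect = @()
foreach ($key in $bhoKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($sub in Get-ChildItem -LiteralPath $key) {
        $clsid = $sub.PSChildName
        $dll   = Get-BhoDll -Clsid $clsid
        $shown = if ($dll) { $dll } else { '<no InProcServer32>' }
        Write-Output ("{0}  ->  {1}" -f $clsid, $shown)
        if ($dll -and ([IO.Path]::GetFileName($dll) -ieq 'iehelper.dll')) {
            $suspect += [pscustomobject]@{
                Clsid  = $clsid
                Dll    = $dll
                Exists = (Test-Path -LiteralPath $dll)
            }
        }
    }
}

# Dropped files named in the advisory: url_mon32.exe and um.dll in x~v, iehelper.dll in the system folder.
$dropped = @(
    (Join-Path $env:SystemRoot 'x~v\url_mon32.exe'),
    (Join-Path $env:SystemRoot 'x~v\um.dll'),
    (Join-Path $env:SystemRoot 'System32\iehelper.dll')
) | Where-Object { Test-Path -LiteralPath $_ }

if ($suspect.Count -eq 0 -and $dropped.Count -eq 0) {
    Write-Output 'No iehelper.dll BHO and none of the advisory file names found.'
} else {
    $suspect | Format-Table -AutoSize
    $dropped | ForEach-Object { Write-Output "File present: $_" }
}
```

The full BHO listing is printed on purpose: a legitimate-looking name under a different CLSID is easy to miss if only the flagged entries are shown, and the DLL path is what ties a CLSID back to the file the advisory describes.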
