Sophos

Troj/Iyus-N

Aliases
  • BackDoor-CEO
  • Trojan-Dropper.Win32.Joiner.aj

Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 21 July 2005 06:04:15 (GMT)
Last updated 11 October 2005 09:25:52 (GMT)
Detected by All Sophos products

More Information

Troj/Iyus-N is a downloader Trojan.

Troj/Iyus-N attempts to disable anti-virus and other security software and to hide warning messages from the user.

Troj/Iyus-N may arrive as a CAB archive containing two files, setting.inf (detected as Troj/Iyus-G) and install.exe.

When install.exe is run, it creates files named loader.exe and refresh.html in the user's temp folder. refresh.html is a harmless web page and may be safely deleted; loader.exe is a component of Troj/Iyus-N.

Loader.exe drops a file named javavm1.dll in the Windows system folder and registers it with the operating system, creating registry entries under the following locations:

HKCR\CLSID\{DE23A040-D6AA-43ca-9B86-D9BE3DAA6FE7}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

Javavm1.dll attempts to download and run a file from a preconfigured website.

Both the loader.exe and javavm1.dll components of the Trojan attempt to disable a number of anti-virus and security-related programs by the following means:

Deleting the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ccApp

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Advanced Tools Check

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
gcasServ

Deleting all files from the following folders:

C:\Program Files\Common Files\Network Associates\
C:\Program Files\Common Files\Symantec Shared\
C:\Program Files\Kaspersky Lab\
C:\Program Files\McAfee\
C:\Program Files\Microsoft AntiSpyware\
C:\Program Files\Norton Antivirus\

Terminating the following processes:

ALOGSERV.EXE
AVCONSOL.EXE
AVSYNMGR.EXE
CCAPP.EXE
CCEVTMGR.EXE
CCSETMGR.EXE
FRAMEWORKSERVICE.EXE
GCASCLEANER
GCASDTSERV
GCASINSTALLHELPER
GCASNOTICE
GCASSERV
GCASSERVALERT
GCASSWUPDATER
GCIPTOHOSTQUEUE
GIANTANTISPYWAREMAIN
GIANTANTISPYWAREUPDATER
KAV.EXE
KAVSEND.EXE
KAVSVC.EXE
MCSHIELD.EXE
NAPRDMGR.EXE
NAVAPSVC.EXE
NMAIN.EXE
OUTPOST.EXE
QCLEAN.EXE
RULAUNCH.EXE
SAVSCAN.EXE
SHSTAT.EXE
SYMLCSVC.EXE
TBMON.EXE
VSHWIN32.EXE
VSMAIN.EXE
VSSTAT.EXE
VSTSKMGR.EXE

The javavm1.dll component also monitors warning messages and hides messages with the following titles from the user:

Allow all activities for this application
Hidden Process Requests Network Access
Warning: Components Have Changed
Warning: some components changed
Windows Security Alert
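As an added defender's example (not code from the Sophos advisory): Python detection logic that scans a constructed, Sysmon-style event export for the indicators listed above (the BHO CLSID, the dropped file names, the deleted Run values and the terminated processes) and flags a host only when the BHO registration is seen together with security-software tampering. The pipe-delimited event format and the sample lines are assumptions; only the indicator values come from the advisory.

```python
import re
from collections import Counter

# Indicator values quoted from the advisory text.
BHO_CLSID = "{DE23A040-D6AA-43ca-9B86-D9BE3DAA6FE7}"
DROPPED_FILES = {"loader.exe", "refresh.html", "javavm1.dll"}
DELETED_RUN_VALUES = {"ccapp", "advanced tools check", "gcasserv"}
# Subset of the processes the advisory lists as terminated.
KILLED_PROCESSES = {"ccapp.exe", "mcshield.exe", "kavsvc.exe",
                    "navapsvc.exe", "outpost.exe", "vsmain.exe"}

# Constructed line format "<event kind>|<target>" (an assumption, not Sysmon's real schema).
EVENT_RE = re.compile(r"^(?P<kind>[A-Za-z ]+)\|(?P<target>.+)$")


def classify(line):
    """Return the indicator category one event line matches, or None."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    kind, target = m.group("kind").lower(), m.group("target")
    low = target.lower()
    basename = low.rsplit("\\", 1)[-1]
    if kind == "registry key created" and BHO_CLSID.lower() in low:
        return "bho_registration"
    if kind == "file created" and basename in DROPPED_FILES:
        return "dropped_file"
    if kind == "registry value deleted":
        key, _, value = target.rpartition("\\")
        if key.lower().endswith(r"\currentversion\run") and value.lower() in DELETED_RUN_VALUES:
            return "run_key_tamper"
    if kind == "process terminated" and basename in KILLED_PROCESSES:
        return "av_process_kill"
    return None


def assess(lines):
    """Count matched categories; flag when persistence plus tampering both appear."""
    hits = Counter(c for c in map(classify, lines) if c)
    tampering = "run_key_tamper" in hits or "av_process_kill" in hits
    return hits, "bho_registration" in hits and tampering


# Constructed sample export: five indicator hits and two benign events.
SAMPLE = [
    r"File created|C:\Users\jo\AppData\Local\Temp\loader.exe",
    r"File created|C:\Windows\System32\javavm1.dll",
    r"Registry key created|HKCR\CLSID\{DE23A040-D6AA-43ca-9B86-D9BE3DAA6FE7}",
    r"Registry value deleted|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccApp",
    r"Process terminated|MCSHIELD.EXE",
    r"File created|C:\Windows\System32\notepad.exe",
    r"Process terminated|explorer.exe",
]
```

Run `assess(SAMPLE)` to get the per-category counts and the overall flag; a single process termination on its own does not raise the flag, which keeps ordinary security-software restarts from triggering it.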
