Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Protection available since | 3 September 2004 10:18:31 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/Psyme-AN is a JavaScript downloader Trojan (usually HTML-based) that exploits the ADODB Stream and CODEBASE vulnerabilities associated with certain versions of Microsoft Internet Explorer to silently download a file from a remote website to the affected computer and run it.
When Troj/Psyme-AN is run on Windows 95 or Windows 98, it tries to download and run an executable via the CODEBASE attribute of an object element.
When run on Windows NT, 2000 or XP, Troj/Psyme-AN first uses the ADODB Stream exploit to download the remote executable to C:\Program Files\Internet Explorer\<random>.exe, where <random> is a string of 1-8 random characters (typically 8 characters) in the range A-Z. It then tries to execute the downloaded file via the CODEBASE exploit.
Troj/Psyme-AN can arrive on the computer via HTML pages containing a link to an infected page. For example, an HTML page may contain an OBJECT element with a DATA= attribute with a value such as:
<unknown URL>//index.chm::/index.html
where index.chm is a compiled HTML help file containing index.html and index.html is an HTML file containing the Troj/Psyme-AN script.
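The two artifacts described above (an OBJECT element whose DATA= value points into a .chm file, and a 1-8 letter .exe dropped into the Internet Explorer directory) can be checked for with the following Python, which is an added example and not Sophos code. The function names, the allowlist and the sample inputs are assumptions constructed for illustration; placeholder.invalid stands in for the unknown URL.

```python
import re
from html.parser import HTMLParser

# Drop location from the description: 1-8 letters A-Z plus .exe, directly in
# the Internet Explorer directory. Windows paths are case-insensitive.
DROP_PATH = re.compile(
    r"^C:\\Program Files\\Internet Explorer\\([A-Z]{1,8})\.exe$", re.IGNORECASE)
# Assumption: allowlist of legitimate names that fit the same pattern
# (iexplore is 8 letters); extend it from a clean baseline of the host.
KNOWN_GOOD = {"iexplore"}
# "<archive>.chm::/<member>" reference, as in the DATA= value shown above.
CHM_MEMBER = re.compile(r"\.chm::/", re.IGNORECASE)

class ObjectDataScanner(HTMLParser):
    """Collects DATA values of OBJECT elements that point into a .chm file."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names before this call.
        if tag == "object":
            self.hits += [v for k, v in attrs
                          if k == "data" and v and CHM_MEMBER.search(v)]

def chm_object_refs(html):
    scanner = ObjectDataScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hits

def suspicious_drop_paths(paths):
    matches = ((p, DROP_PATH.match(p)) for p in paths)
    return [p for p, m in matches if m and m.group(1).lower() not in KNOWN_GOOD]

# Constructed sample input; placeholder.invalid is not a real host.
SAMPLE_HTML = """<html><body>
<OBJECT DATA="http://placeholder.invalid//index.chm::/index.html"></OBJECT>
<object data="movie.swf"></object>
</body></html>"""
SAMPLE_PATHS = [
    r"C:\Program Files\Internet Explorer\QWERTYUI.exe",   # fits the pattern
    r"C:\Program Files\Internet Explorer\iexplore.exe",   # allowlisted
    r"C:\Program Files\Internet Explorer\ABCDEFGHI.exe",  # 9 letters
]

if __name__ == "__main__":
    print(chm_object_refs(SAMPLE_HTML))
    print(suspicious_drop_paths(SAMPLE_PATHS))
```

Because the browser's own iexplore.exe fits the 1-8 letter pattern, a path match is only a lead for review and the allowlist needs to reflect the host's clean baseline.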
Troj/Psyme-AN typically tries to download and run a member of the Troj/Padodo-Fam family of proxy and backdoor Trojans. For further information, please refer to the Troj/Padodo-Fam description.
