Virus:Trojan-Downloader.JS.Psyme.gy

Other versions: .am, .bs

Detection added May 29 2007 13:26 GMT
Update released May 29 2007 15:53 GMT
Description added Jun 21 2007
Behavior TrojanDownloader
Technical details
This Trojan downloads other programs via the Internet and launches them on the victim machine without the user's knowledge or consent. The Trojan is a JavaScript script embedded in HTML pages. It is 17,002 bytes in size.
Payload

Once launched, the Trojan injects its code into the memory of processes registered in the system registry under the following unique identifiers (CLSIDs):

The Trojan then attempts to connect to the Internet and download a file called "file.php" from the following address:

http://my***l.com/file.php

(At the time of writing, this link was not working.)

This file is saved to the root of drive C: as "sys%rnd%.exe" (%rnd% is a random four-digit number):

c:\sys%rnd%.exe

The downloaded file is then launched for execution.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  2. Delete the following file: c:\sys%rnd%.exe
  3. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
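As an added defender-side example (not part of the Kaspersky description), a Python sweep for step 2 of the removal instructions: it looks only in the drive root for names matching sys<four digits>.exe and moves any match into a quarantine folder instead of deleting it, so the sample can still be submitted for analysis. The directory layout and file names built by make_sample_root are constructed for the demonstration and stand in for the C:\ root.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Name pattern from the description: c:\sys%rnd%.exe, %rnd% a random four-digit number.
DROPPED_NAME = re.compile(r"^sys\d{4}\.exe$", re.IGNORECASE)


def find_dropped_files(root):
    """Return files directly under `root` (not recursive, as the Trojan writes to the
    drive root only) whose names match the sys####.exe indicator, sorted by name."""
    root = Path(root)
    matches = [p for p in root.iterdir() if p.is_file() and DROPPED_NAME.match(p.name)]
    return sorted(matches, key=lambda p: p.name.lower())


def quarantine(paths, quarantine_dir):
    """Move each match into `quarantine_dir`, appending .bin so the file no longer
    carries an executable extension; returns the new locations."""
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    moved = []
    for p in paths:
        dest = qdir / (p.name + ".bin")
        shutil.move(str(p), str(dest))
        moved.append(dest)
    return moved


def sweep(root, quarantine_dir):
    """Find and quarantine in one step; returns the quarantined paths."""
    return quarantine(find_dropped_files(root), quarantine_dir)


def make_sample_root():
    """Constructed sample input: a scratch directory with two names that match the
    indicator and two benign look-alikes (wrong digit count, no digits) that must not."""
    root = Path(tempfile.mkdtemp(prefix="psyme_demo_"))
    for name in ("sys4821.exe", "SYS0007.EXE", "sys12.exe", "system.exe"):
        (root / name).write_bytes(b"MZ constructed placeholder, not a real binary")
    return root


if __name__ == "__main__":
    demo_root = make_sample_root()
    for moved in sweep(demo_root, demo_root / "quarantine"):
        print("quarantined:", moved)
```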