Alias: Win32/Myss.J.Trojan
Category: Win32
Type: Trojan
Published Date: 11/19/2003
Last Modified: 11/20/2003
CHARACTERISTICS
Win32/Myss.J is an information-stealing trojan that was spammed to users inside password-protected compressed files.
Method of Installation
Computer Associates received reports of the trojan on November 19, 2003. It was spammed to users, attached to an e-mail with the following characteristics:
Subject: [No Subject]
Message body:
Hi! As I've promised I'm sending you my photo Use old password: 123
Attachment:
MyProfile.zip
MyProfile.zip is a password-protected zip file that contains an MHTML file, PROFILE.HTML. This file exploits a known security vulnerability, described in MS03-014, to extract and activate the executable, DATING.EXE, which is embedded inside the MHTML file. For more information and a patch to address this issue, please visit Microsoft at: http://www.microsoft.com/technet/security/bulletin/MS03-014.asp.
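A mail-gateway check for the delivery pattern described above, as an added example (not Computer Associates' code): in a classic password-protected ZIP the member names and the encryption flag sit in the unencrypted central directory, so an HTML member can be flagged without the password. The finding labels, `inspect_attachment` and `make_sample` are names chosen for this example, and the sample archives are harmless constructed data.

```python
import io
import re
import zipfile

# Heuristic taken from the advisory: encrypted ZIP + HTML/MHTML member + password in the body.
HTML_EXT = (".html", ".htm", ".mht", ".mhtml")
PASSWORD_HINT = re.compile(r"\bpassword\b\s*:?\s*\S+", re.IGNORECASE)

def inspect_attachment(zip_bytes, body):
    """Return a list of findings for one ZIP attachment, without its password."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            members = zf.infolist()          # parsed from the central directory only
    except zipfile.BadZipFile:
        return ["unparseable-zip"]
    findings = []
    encrypted = [m for m in members if m.flag_bits & 0x1]   # bit 0 = member is encrypted
    if encrypted:
        findings.append("encrypted-zip")
        if any(m.filename.lower().endswith(HTML_EXT) for m in encrypted):
            findings.append("encrypted-html-member")
        if PASSWORD_HINT.search(body):
            findings.append("password-in-body")
    return findings

def make_sample(name, encrypted):
    """Constructed sample: a harmless stored ZIP, optionally marked as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo(name), b"placeholder")
    data = bytearray(buf.getvalue())
    if encrypted:
        cd = data.find(b"PK\x01\x02")        # central directory file header
        data[cd + 8] |= 0x01                 # set general-purpose flag bit 0
    return bytes(data)

if __name__ == "__main__":
    body = "Hi! As I've promised I'm sending you my photo Use old password: 123"
    print(inspect_attachment(make_sample("PROFILE.HTML", True), body))
    print(inspect_attachment(make_sample("notes.txt", False), "see attached"))
```

Archives that also encrypt the central directory hide their member names, so for those only the envelope-level signals (encrypted archive, password in the body) remain available.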
DATING.EXE is a dropper (13,824 bytes) that creates the following files in the Windows directory:
SYSTEM.EXE - the trojan, 5,120 bytes in size
MSIN32.DLL - keylogger trojan, 3,072 bytes in size
The dropper also adds the following registry value to run the trojan on Windows startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Online Service = "%Windows%\system.exe"
More: http://www3.ca.com/virusinfo/virus.aspx?ID=37602