SECURITY ALERT

Name:      Serbian Trojan
Aliases:   Badman,Downloader
Variants:  
Type:      Trojan
Status:    In the wild - Austria, Greece, Canada, Russia, France and the United States
Threat:    low

NOTE: This Advisory is in reaction to reports from the Press.

This threat was directed at home users, and since the file containing the Trojan is no longer posted on the Internet, this is no longer a threat. The following has been derived from information provided by Symantec, CNN.COM, NETSEC and ABC News.

Virus Characteristics

This Trojan is transported within a legitimate executable attachment or downloadable file that contains a compressed, malicious executable (mysissy.mpeg.exe). The compression is designed to prevent virus scanning software from detecting the malicious code. When the user attempts to execute the legitimate file, the malicious executable decompresses and installs itself on the hard drive, typically in the top level of the Windows directory (c:\windows\). Upon reboot, the malicious code loads itself into memory, renames itself with a randomly generated name, modifies system.ini, win.ini and the Windows Registry, and installs a service that makes an outbound connection to one of two modified Internet Relay Chat (IRC) servers. The Trojan establishes the outbound connection from random source ports on the infected machine to well-known ports on the IRC servers (6669, 2221, 2222 and 7000). Once the connection is established, the Trojan passes the compromised computer's IP address to the server and then opens a random listening port on the compromised machine through which an adversary can connect back into it.

Upon examination of the IRC servers, they appear to maintain a list of all infected machines that are currently connected to the Internet. Since each Trojan .exe file requires specific information to be embedded into its code to connect back to its IRC server, there are as many variations of the .exe file as there are IRC servers (two discovered and validated at this time).

The malicious code contains the Sub-Seven Trojan along with other programs (e.g. a scanner and FTP and IRC clients). These files may allow an adversary to gain complete control of the compromised machine. Once running on the infected machine, the executable is not displayed in the process table / task manager and cannot be killed or deleted by normal operations.
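Because the advisory states that the running executable is hidden from the task manager, the network behaviour described above (an established connection to one of the listed IRC ports plus a new listening socket on a random high port) is often the more reliable thing to check. The following is an added example, not code from the advisory or its sources: it parses the text of a Windows `netstat -an` listing and classifies sockets against those two indicators. The sample listing, the addresses in it (documentation ranges) and the allow-list of expected high listening ports are constructed assumptions.

```python
"""
Added example (not part of the original advisory): classify lines from a
Windows `netstat -an` listing against the network behaviour described in
the advisory: an established outbound TCP connection to ports 6669, 2221,
2222 or 7000, and a listening TCP socket on a random high port.
"""
import re
from typing import Dict, List, NamedTuple

# Ports named in the advisory as the IRC servers' well-known ports.
IRC_PORTS = {6669, 2221, 2222, 7000}

# Assumption: high ports this machine is expected to listen on anyway.
# Anything else listening above 1024 is reported for manual review.
EXPECTED_HIGH_LISTENERS = {5000}


class Socket(NamedTuple):
    proto: str
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int   # 0 when the remote side is "*:*" or 0.0.0.0:0
    state: str         # "" for UDP lines, which carry no state column


# One netstat -an line: proto, local addr:port, foreign addr:port, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S*)\s*$")


def parse_netstat(text: str) -> List[Socket]:
    """Parse the socket lines of a netstat -an dump; header/blank lines are skipped."""
    socks = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, la, lp, ra, rp, state = m.groups()
        socks.append(Socket(proto, la,
                            int(lp) if lp != "*" else 0,
                            ra,
                            int(rp) if rp != "*" else 0,
                            state))
    return socks


def classify(socks: List[Socket]) -> Dict[str, List[Socket]]:
    """Group sockets by the advisory's two network indicators."""
    findings: Dict[str, List[Socket]] = {"irc_outbound": [], "unexpected_listener": []}
    for s in socks:
        if s.proto != "TCP":
            continue
        if s.state == "ESTABLISHED" and s.remote_port in IRC_PORTS:
            findings["irc_outbound"].append(s)
        elif (s.state == "LISTENING" and s.local_port > 1024
              and s.local_port not in EXPECTED_HIGH_LISTENERS):
            findings["unexpected_listener"].append(s)
    return findings


# Constructed sample output; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, and port 4612 stands in for the "random listening port".
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4612           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1034       203.0.113.7:6669       ESTABLISHED
  TCP    192.168.1.5:1041       198.51.100.20:80       ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

if __name__ == "__main__":
    for kind, hits in classify(parse_netstat(SAMPLE_NETSTAT)).items():
        for s in hits:
            print(f"{kind}: {s.proto} {s.local_addr}:{s.local_port} -> "
                  f"{s.remote_addr}:{s.remote_port} {s.state}")
```

On a real machine the text would come from `netstat -an` rather than the constructed sample; a connection to one of the IRC ports together with a new high-port listener is the combination the advisory describes, and either alone is only a lead to investigate.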

Characteristics of Executable:

- .exe file usually located in the c:\windows directory
- File has a .avi (video) icon
- File size is approximately 373 KB
- Random-character file name, usually in all capital letters


Removal of the Trojan

- Search for all .exe files on your Windows computer (particularly the c:\Windows directory) that match the characteristics noted above.
- Look for a .exe file with a random seven- to eight-character name; the file typically installs itself in the \Windows directory.
- Check the system.ini file for a line of the form shell=Explorer.exe Trojan.exe.
- Check the win.ini file for a line of the form run=Trojan.exe.
- Search the Registry for the Trojan; one confirmed location is:
  HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer
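The file characteristics and the removal steps above amount to three host checks: an executable with a random 7-8 character name of roughly 373 KB in the Windows directory, an extra program chained onto the shell= line in system.ini, and a run= entry in win.ini. The following is an added, read-only triage example, not code from the advisory or its sources. The name regex, the +/- 8 KB size tolerance, the extra check of win.ini's load= key (a sibling autostart key to run=) and all sample data are assumptions; the script reports and changes nothing.

```python
"""
Added example (not part of the original advisory): read-only triage of the
host indicators the advisory lists. Inputs are a directory listing of
(name, size) pairs and the text of system.ini / win.ini; all samples below
are constructed.
"""
import re
from typing import Dict, Iterable, List, Tuple

# "Random seven to eight character name, usually in all capital letters".
# Assumption: letters and digits; compared case-insensitively below.
NAME_PATTERN = re.compile(r"^[A-Z0-9]{7,8}\.EXE$")
APPROX_SIZE = 373 * 1024      # "approximately 373 kb"
SIZE_TOLERANCE = 8 * 1024     # assumption: +/- 8 KB counts as "approximately"


def suspicious_executables(entries: Iterable[Tuple[str, int]]) -> List[str]:
    """Names whose pattern AND size match. The name test alone also matches
    legitimate 8-letter files such as EXPLORER.EXE, so both are required."""
    return [name for name, size in entries
            if NAME_PATTERN.match(name.upper())
            and abs(size - APPROX_SIZE) <= SIZE_TOLERANCE]


def read_ini_value(text: str, section: str, key: str) -> str:
    """Minimal .ini reader: value of key= inside [section], or "" if absent."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            continue
        if current == section.lower() and "=" in line:
            k, v = line.split("=", 1)
            if k.strip().lower() == key.lower():
                return v.strip()
    return ""


def extra_shell_programs(system_ini: str) -> List[str]:
    """Programs chained after Explorer.exe on system.ini's shell= line.
    If the shell is not Explorer.exe at all, the whole value is returned."""
    parts = read_ini_value(system_ini, "boot", "shell").split()
    if parts and parts[0].lower() == "explorer.exe":
        return parts[1:]
    return parts


def run_entries(win_ini: str) -> List[str]:
    """Programs started from win.ini's run= and load= keys (assumption: load=
    is checked as well because it is a sibling autostart key)."""
    progs: List[str] = []
    for key in ("run", "load"):
        progs.extend(read_ini_value(win_ini, "windows", key).split())
    return progs


def triage(listing, system_ini: str, win_ini: str) -> Dict[str, List[str]]:
    return {
        "executables": suspicious_executables(listing),
        "system_ini_shell_extra": extra_shell_programs(system_ini),
        "win_ini_run": run_entries(win_ini),
    }


# Constructed samples. QWJXKPTR.EXE stands in for the random-named file.
SAMPLE_DIR = [
    ("EXPLORER.EXE", 180224),   # 8 letters, but wrong size: not flagged
    ("NOTEPAD.EXE", 53248),
    ("QWJXKPTR.EXE", 381952),   # 8 random capitals, exactly 373 KB: flagged
    ("SETUP.EXE", 382000),      # right size, name too short: not flagged
]
SAMPLE_SYSTEM_INI = """[boot]
shell=Explorer.exe QWJXKPTR.EXE
[386Enh]
device=*vmm
"""
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\QWJXKPTR.EXE
[Desktop]
Wallpaper=(None)
"""

if __name__ == "__main__":
    for check, hits in triage(SAMPLE_DIR, SAMPLE_SYSTEM_INI, SAMPLE_WIN_INI).items():
        print(f"{check}: {hits}")
```

A hit from the file check that also appears on the shell= or run= line is the corroboration the removal steps rely on; the Registry location the advisory names is a separate manual check.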


Additional Details

This Trojan horse was originally posted to an adult Internet newsgroup on June 7, 2000. It was described as an adult movie file. However, it actually attempts to download the file http://www.lomag.net/~ryan1918/MySissy.mpg.exe from the Internet and launch it after it has been downloaded. It performs no other actions.
