Threat behavior
TrojanDownloader:JS/Psyme.MR is a detection for a script that attempts to use a specific exploit to download and run other malware.
Installation
This trojan script may be encountered when browsing a Web site that was compromised and modified to host the script, usually within an IFrame. When the script runs, it attempts to exploit a vulnerability in Yahoo! Messenger that allows the execution of arbitrary code.
The exploit is known as the "CYFT FT60.DLL ActiveX Control GetFile vulnerability". This vulnerability is also referenced by Common Vulnerabilities and Exposures ID CVE-2007-5017.
Payload
Downloads arbitrary files
TrojanDownloader:JS/Psyme.MR attempts to request a randomly named file from the domain "bunburyymas.com" and save it locally as "c:\mosvs8.exe". The retrieved file is then executed.
Analysis by Vincent Tiu
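The payload described above leaves two traces that can be hunted for together: a request to the download domain and the execution of the dropped file on the same host. The following Python is an added example, not part of the original analysis; only the domain and file path come from the description, while the log format, host names, timestamps and five-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Indicators taken from the description above.
IOC_DOMAIN = "bunburyymas.com"
IOC_PATH = r"c:\mosvs8.exe"
WINDOW = timedelta(minutes=5)  # assumed correlation window, tune per environment

# Constructed sample telemetry in a hypothetical space-separated format.
PROXY_LOG = """\
2007-10-01T09:14:02 WS-017 www.example.org /index.html
2007-10-01T09:14:05 WS-017 BunburyYmas.com /xkqjz
2007-10-01T09:20:41 WS-022 notbunburyymas.com /a
2007-10-01T11:02:10 WS-030 cdn.bunburyymas.com /pqrs
"""
PROCESS_LOG = """\
2007-10-01T09:14:09 WS-017 C:\\MOSVS8.EXE
2007-10-01T09:21:00 WS-022 C:\\Windows\\notepad.exe
2007-10-01T15:45:00 WS-041 c:\\mosvs8.exe
"""

def domain_matches(host):
    """True for the IoC domain or a subdomain; avoids substring look-alikes."""
    host = host.lower().rstrip(".")
    return host == IOC_DOMAIN or host.endswith("." + IOC_DOMAIN)

def parse(log, fields):
    """Yield (timestamp, field, ...) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split(None, fields - 1)
        if len(parts) == fields:
            yield (datetime.fromisoformat(parts[0]), *parts[1:])

def hunt(proxy_log, process_log):
    """Return {host: evidence}, flagging request-then-execute chains."""
    hits, runs = {}, {}
    for ts, host, dom, _path in parse(proxy_log, 4):
        if domain_matches(dom):
            hits.setdefault(host, []).append(ts)
    for ts, host, image in parse(process_log, 3):
        if image.lower().replace("/", "\\") == IOC_PATH:  # Windows paths ignore case
            runs.setdefault(host, []).append(ts)
    verdicts = {}
    for host in sorted(set(hits) | set(runs)):
        chained = any(timedelta(0) <= r - h <= WINDOW
                      for h in hits.get(host, []) for r in runs.get(host, []))
        evidence = [n for n, ok in (("network", host in hits),
                                    ("file", host in runs), ("chained", chained)) if ok]
        verdicts[host] = "+".join(evidence)
    return verdicts
```

A host reported as `network+file+chained` shows the full download-and-execute sequence; `network` or `file` alone still warrants review, since either log source may be incomplete.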
Prevention