[SOLVED] [04316563] Is EJY.EXE a threat, or an actual MicroSoft Program?

Canon_Man
Registered user
Posts: 34
Joined: Sat, 19 Dec 2015, 17:26

Re: Is EJY.EXE a threat, or an actual MicroSoft Program?

Post by Canon_Man » Wed, 06 Apr 2016, 19:26

Interesting! The file processed for about 2 minutes and then it began an FTP to your server. The only way I was able to view/find it on the thumb drive was to turn on hidden operating system files. I can't change its attributes.

Moved a compressed, password-encrypted (68 MB approx.) copy to MediaFire, zipped and password-encrypted with 7-Zip on max compression:

http://www.mediafire.com/download/b6it2 ... _-_ejy_.7z

To recap, the Trojan arrived as part of a video clip (target size approximately 209 MB) received through a trusted torrent site and a trusted user's file posting. It was supposed to be a TV show video clip, but when opened after the download it was determined not to be.

The file in the compressed upload to MediaFire is actually all that remains of the original video download after the torrent ended and both Windows Defender and Panda simultaneously detected a) a Trojan (name now lost when the Windows Defender quarantine was emptied) and b) an UNKNOWN.EXE, which was found and quarantined by Panda.

The remnants of the UNKNOWN folder the Trojan created, and the folder containing an executable called EJY.EXE (approx. 168 MB), stored in two separate HIDDEN folders in C:\ProgramData, are contained in the uploaded compressed file.

The final step the Trojan took, either while the download was completing or when the video was opened, was to place EJY.EXE in Startup. The program was found in Task Manager the next morning. It was disabled and a scan performed by Windows Defender, Panda and finally MalwareBytes, ALL of which found nothing.

I do not know what is contained in the file uploaded to MediaFire, or if any part of the Trojan remains. I also do not know if anything else on my PC was altered by the Trojan, as none of the current virus software available has been able to detect any further changes to files on my hard drive. I have since increased the change security level to high to alert me of any changes programs may try to make to my PC. Although somewhat inconvenient, it is nonetheless another level of security to prevent intrusion.

Some reading I have done suggests EJY.EXE is a particularly nasty variant that can not only alter files, but also obtain user ID and password information. While I have not experienced any issues with user IDs or passwords yet, I am currently changing as many as possible.
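A quick defender-side triage for the persistence locations this post describes (hidden folders under C:\ProgramData, the Startup folders, and the Run registry keys). This is an added example, not code from the thread or from Panda; it assumes Windows PowerShell 5.1 or later and read access to those locations, and the function name is my own.

```powershell
# Added triage example: list executables in the places the poster found EJY.EXE.
# Explorer hides these by default, so enumerate with -Force and check attributes.
function Get-SuspectAutostart {
    $results = @()

    # 1. Hidden folders directly under C:\ProgramData and any .exe inside them
    $hiddenDirs = Get-ChildItem -Path $env:ProgramData -Directory -Force |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden }
    foreach ($dir in $hiddenDirs) {
        Get-ChildItem -Path $dir.FullName -Filter *.exe -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $results += [PSCustomObject]@{
                    Location = 'ProgramData hidden folder'
                    Path     = $_.FullName
                    SizeMB   = [math]::Round($_.Length / 1MB, 1)
                    SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    Signer   = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                }
            }
    }

    # 2. Per-user and all-users Startup folders
    foreach ($folder in 'Startup', 'CommonStartup') {
        $path = [Environment]::GetFolderPath($folder)
        Get-ChildItem -Path $path -Force -ErrorAction SilentlyContinue | ForEach-Object {
            $results += [PSCustomObject]@{
                Location = "Startup folder ($folder)"
                Path     = $_.FullName
                SizeMB   = [math]::Round($_.Length / 1MB, 1)
                SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Signer   = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            }
        }
    }

    # 3. Run keys (values named PS* are PowerShell metadata, not autostart entries)
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props) {
            $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
                $results += [PSCustomObject]@{ Location = $key; Path = $_.Value; SizeMB = $null; SHA256 = $null; Signer = $_.Name }
            }
        }
    }
    return $results
}

Get-SuspectAutostart | Format-Table -AutoSize
```

Unsigned, very large executables sitting in a hidden ProgramData folder and referenced from a Startup location are the pattern described in this thread; the SHA256 column gives you something to submit to the vendor, as the poster did here.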

VirusBuster
Official moderator
Posts: 7596
Joined: Mon, 02 Apr 2012, 18:53
Location: Panda HQ - Bilbao

Re: Is EJY.EXE a threat, or an actual MicroSoft Program?

Post by VirusBuster » Thu, 07 Apr 2016, 09:12

We have created the case 04316563 to study this file.
We'll keep you updated.
Regards,

Jorge Torre
TechSupport Department - Panda Security

I don't reply to private messages unless I have previously requested them

VirusBuster
Official moderator
Posts: 7596
Joined: Mon, 02 Apr 2012, 18:53
Location: Panda HQ - Bilbao

Re: [04316563] Is EJY.EXE a threat, or an actual MicroSoft Program?

Post by VirusBuster » Fri, 08 Apr 2016, 14:31

The file is indeed malware and will be detected as Trj/Agent.OOW with the next signature update/synchronization.
Regards,

Jorge Torre
TechSupport Department - Panda Security

I don't reply to private messages unless I have previously requested them

Canon_Man
Registered user
Posts: 34
Joined: Sat, 19 Dec 2015, 17:26

Re: [04316563] Is EJY.EXE a threat, or an actual MicroSoft Program?

Post by Canon_Man » Sun, 10 Apr 2016, 02:05

VirusBuster wrote:
    The file is indeed malware and will be detected as Trj/Agent.OOW with the next signature update/synchronization

Will the detection of this Trojan also extend to scanning other files that might have the signature of this Trojan, to determine if it may have modified any of them?

hyperion
Registered user
Posts: 31
Joined: Wed, 11 Nov 2015, 15:32
Location: Italy

Re: [04316563] Is EJY.EXE a threat, or an actual MicroSoft Program?

Post by hyperion » Thu, 14 Apr 2016, 18:30

Generally yes. If a file has been modified by the trojan, it contains the trojan's patterns, so it can be detected.
Sysadmin, IT Security Consultant, Malware Hunter

Canon_Man
Registered user
Posts: 34
Joined: Sat, 19 Dec 2015, 17:26

Re: [04316563] Is EJY.EXE a threat, or an actual MicroSoft Program?

Post by Canon_Man » Thu, 14 Apr 2016, 20:20

Thanks for the reply.

Took a safer route and formatted the disk partitions, then reloaded Windows 10 and restored from a backup dated just before the Trojan incident.

It's a lot of work to put every app back, but since there were traces of something in the registry and the laptop was acting peculiar after several scans with the newest definitions, it seemed the best approach.

Minimal lost data, thankfully.

Panda's response to this issue was first rate and much appreciated. Good job!

VirusBuster
Official moderator
Posts: 7596
Joined: Mon, 02 Apr 2012, 18:53
Location: Panda HQ - Bilbao

Re: [04316563] Is EJY.EXE a threat, or an actual MicroSoft Program?

Post by VirusBuster » Fri, 15 Apr 2016, 12:07

ISSUE SOLVED
Regards,

Jorge Torre
TechSupport Department - Panda Security

I don't reply to private messages unless I have previously requested them
