Re: Is EJY.EXE a threat, or an actual MicroSoft Program?

Posted: Wed, 06 Apr 2016, 19:26
by Canon_Man
Interesting! The file processed for about 2 minutes and then it began an FTP to your server. The only way I was able to view/find it on the thumb drive was to turn on hidden operating system files. I can't change its attributes.

Moved a compressed, password-encrypted (68 Mb approx) copy to MediaFire, zipped and password-encrypted with 7-Zip on Max compression:

http://www.mediafire.com/download/b6it2 ... _-_ejy_.7z

To recap, the Trojan arrived as part of a video clip (target size approximately 209 Mb) received through a trusted torrent site and trusted user file posting. It was supposed to be a TV show video clip, but when it was opened after the download it was determined not to be.

The file in the compressed upload to MediaFire is actually all that remains of the original video download after the torrent ended and both Windows Defender and Panda simultaneously detected a) a Trojan - (name now lost when Windows Defender quarantine emptied) and b) an UNKNOWN.EXE was found and Quarantined by Panda.

The remnants of the UNKNOWN folder the Trojan created, and the folder containing an executable called EJY.EXE (approx 168 Mb), stored in two separate HIDDEN folders in C:\ProgramData, are contained in the uploaded compressed file.

The final step the Trojan took either while the download was completing or when the video was opened was to place EJY.EXE in Startup. The program was found in Task Manager the next morning. It was disabled and a scan performed by Windows Defender, Panda and finally MalwareBytes, ALL of which found nothing.

I do not know what is contained in the file uploaded to MediaFire, or if any part of the Trojan remains. I also do not know if anything else on my PC was altered by the Trojan as none of the current virus software available has been able to detect any further changes to files on my hard drive. I have since increased the change security level to high to alert me of any changes programs may try to make to my PC. Although somewhat inconvenient, it is nonetheless another level of security to prevent intrusion.

Some reading I have done suggests the EJY.EXE is a particularly nasty variant that can not only alter files, but obtain userid and psswd information. While I have not experienced any issues with userids or psswds yet, I am currently changing as many as possible.
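The post above describes two things worth checking on any machine that handled this file: folders under C:\ProgramData carrying the Hidden+System attributes (invisible until "show protected operating system files" is enabled) and an executable added to Startup. The read-only triage script below is an added example, not code from the thread or from Panda; it assumes Windows PowerShell 5.1 or later and uses the reported file name ejy.exe as the pattern to look for.

```powershell
# Added triage example: enumerate the hiding and persistence spots the post
# describes. Read-only; it changes nothing and removes nothing.
# Assumes Windows PowerShell 5.1+; 'ejy.exe' is the name reported in the thread.
$suspectName = 'ejy.exe'
$programData = $env:ProgramData   # normally C:\ProgramData

# 1. Folders under ProgramData with BOTH Hidden and System attributes set.
#    Explorer omits these unless protected operating-system files are shown,
#    which matches how the poster had to find the folder on the thumb drive.
$hiddenSystem = Get-ChildItem -Path $programData -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
                   ($_.Attributes -band [IO.FileAttributes]::System) }
Write-Host "Hidden+System folders under ${programData}:"
foreach ($dir in $hiddenSystem) {
    Write-Host "  $($dir.FullName)  [$($dir.Attributes)]"
    # Executables inside such a folder are unusual for legitimate ProgramData content.
    Get-ChildItem -Path $dir.FullName -Recurse -Force -File -Filter '*.exe' -ErrorAction SilentlyContinue |
        ForEach-Object { Write-Host "    exe: $($_.FullName) size=$($_.Length)" }
}

# 2. Any file matching the reported name, hashed so it can be looked up or
#    submitted to a vendor instead of being opened or inspected by hand.
Get-ChildItem -Path $programData -Recurse -Force -File -Filter $suspectName -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        Write-Host "Match: $($_.FullName) size=$($_.Length) sha256=$hash"
    }

# 3. Startup persistence: the Run keys and the per-user / all-users Startup folders.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |   # drop provider metadata
            ForEach-Object { Write-Host "$key : $($_.Name) = $($_.Value)" }
    }
}
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object { Write-Host "Startup folder entry: $($_.FullName)" }
}
```

Run it from an elevated prompt so the HKLM key and all-users folders are readable; anything it lists still needs a vendor verdict, as the poster obtained here, before being treated as malicious.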

Re: Is EJY.EXE a threat, or an actual MicroSoft Program?

Posted: Thu, 07 Apr 2016, 09:12
by VirusBuster
We have created the case 04316563 to study this file.
We'll keep you updated.

Re: [04316563] Is EJY.EXE a threat, or an actual MicroSoft Program?

Posted: Fri, 08 Apr 2016, 14:31
by VirusBuster
The file is indeed malware and will be detected as Trj/Agent.OOW with the next signature update/synchronization.

Re: [04316563] Is EJY.EXE a threat, or an actual MicroSoft Program?

Posted: Sun, 10 Apr 2016, 02:05
by Canon_Man
> VirusBuster wrote: The file is indeed malware and will be detected as Trj/Agent.OOW with the next signature update/synchronization
Will the detection of this Trojan also extend to scanning other files that might have the signature of this Trojan, to determine if it may have modified any of them?

Re: [04316563] Is EJY.EXE a threat, or an actual MicroSoft Program?

Posted: Thu, 14 Apr 2016, 18:30
by hyperion
Generally yes. If a file has been modified by the trojan, it contains the trojan's patterns, so it can be detected.

Re: [04316563] Is EJY.EXE a threat, or an actual MicroSoft Program?

Posted: Thu, 14 Apr 2016, 20:20
by Canon_Man
Thanks for the reply.

Took a safer route and formatted the disk partitions, then reloaded Windows 10 and restored from backup dated just before the Trojan incident.

It's a lot of work to put every app back, but since there were traces of something in the registry and the laptop was acting peculiar after several scans with the newest definitions, it seemed the best approach.

Minimal lost data, thankfully.

Panda's response to this issue was first rate and much appreciated. Good job!

Re: [04316563] Is EJY.EXE a threat, or an actual MicroSoft Program?

Posted: Fri, 15 Apr 2016, 12:07
by VirusBuster
ISSUE SOLVED