Interesting! The file processed for about 2 minutes and then it began an FTP to your server. The only way I was able to view/find it on the thumb drive was to turn on hidden operating system files. I can't change its attributes.
Moved a compressed, password-encrypted (68 Mb approx) copy to MediaFire, zipped and password-encrypted with 7-Zip on max compression:
http://www.mediafire.com/download/b6it2 ... _-_ejy_.7z
To recap, the Trojan arrived as part of a video clip (target size approximately 209 Mb) received through a trusted torrent site and a trusted user's file posting. It was supposed to be a TV show video clip, but when opened after the download it was determined not to be.
The file in the compressed upload to MediaFire is actually all that remains of the original video download after the torrent ended and both Windows Defender and Panda simultaneously detected a) a Trojan - (name now lost when Windows Defender quarantine emptied) and b) an UNKNOWN.EXE was found and Quarantined by Panda.
The remnants of the UNKNOWN folder the Trojan created, and the folder containing an executable called EJY.EXE (approx. 168 Mb), stored in two separate HIDDEN folders in C:\ProgramData, are contained in the uploaded compressed file.
The final step the Trojan took either while the download was completing or when the video was opened was to place EJY.EXE in Startup. The program was found in Task Manager the next morning. It was disabled and a scan performed by Windows Defender, Panda and finally MalwareBytes, ALL of which found nothing.
I do not know what is contained in the file uploaded to MediaFire, or if any part of the Trojan remains. I also do not know if anything else on my PC was altered by the Trojan as none of the current virus software available has been able to detect any further changes to files on my hard drive. I have since increased the change security level to high to alert me of any changes programs may try to make to my PC. Although somewhat inconvenient, it is nonetheless another level of security to prevent intrusion.
Some reading I have done suggests the EJY.EXE is a particularly nasty variant that can not only alter files, but obtain user ID and password information. While I have not experienced any issues with user IDs or passwords yet, I am currently changing as many as possible.
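A read-only triage script for the two persistence spots described in this post (hidden/system folders under C:\ProgramData and the Startup locations), added here as an example and not part of the original thread; it assumes only built-in PowerShell cmdlets on a Windows 10 host and reports each executable's SHA-256 and Authenticode signer so a stray EXE can be compared against genuinely Microsoft-signed binaries.

```powershell
# Added example (not from the original thread). Read-only: nothing is deleted or disabled.

function Get-ExeReport {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path   = $Path
        SHA256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        Status = $sig.Status   # Valid / NotSigned / HashMismatch / ...
    }
}

# 1. Folders in ProgramData carrying BOTH the Hidden and System attributes,
#    which is what keeps them invisible until "show protected OS files" is on.
$hs = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
$suspectDirs = Get-ChildItem -Path $env:ProgramData -Directory -Force |
    Where-Object { ($_.Attributes -band $hs) -eq $hs }

foreach ($d in $suspectDirs) {
    Write-Host "Hidden+System folder: $($d.FullName)"
    Get-ChildItem -Path $d.FullName -Recurse -Force -Filter *.exe -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ExeReport -Path $_.FullName }
}

# 2. Startup folders (per-user and all-users) and the Run/RunOnce keys.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($s in $startupDirs) {
    if (-not $s) { continue }   # GetFolderPath returns '' if the folder is not defined
    Get-ChildItem -Path $s -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ExeReport -Path $_.FullName }
}

$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |   # drop the provider metadata properties
        ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value } }
}
```

An entry whose Status is NotSigned, or whose Signer is not a Microsoft certificate, is the one to quarantine and submit for analysis; a genuine Microsoft program will carry a valid Microsoft signature.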
[SOLVED] [04316563] Is EJY.EXE a threat, or an actual Microsoft Program?
- VirusBuster
- Official moderator
- Posts: 7595
- Joined: Mon, 02 Apr 2012, 18:53
- Location: Panda HQ - Bilbao
Re: Is EJY.EXE a threat, or an actual Microsoft Program?
We have created the case 04316563 to study this file.
We'll keep you updated.
Regards,
Jorge Torre
TechSupport Department - Panda Security
I don't reply to private messages unless I have previously requested them
- VirusBuster
- Official moderator
- Posts: 7595
- Joined: Mon, 02 Apr 2012, 18:53
- Location: Panda HQ - Bilbao
Re: [04316563] Is EJY.EXE a threat, or an actual Microsoft Program?
The file is indeed malware and will be detected as Trj/Agent.OOW with the next signature update/synchronization.
Regards,
Jorge Torre
TechSupport Department - Panda Security
I don't reply to private messages unless I have previously requested them
Re: [04316563] Is EJY.EXE a threat, or an actual Microsoft Program?
VirusBuster wrote: The file is indeed malware and will be detected as Trj/Agent.OOW with the next signature update/synchronization
Will the detection of this Trojan also extend to scanning other files that might have the signature of this Trojan, to determine if it may have modified any of them?
Re: [04316563] Is EJY.EXE a threat, or an actual Microsoft Program?
Generally yes. If a file has been modified by the trojan, it contains the trojan's patterns, so it can be detected.
Sysadmin, IT Security Consultant, Malware Hunter
Re: [04316563] Is EJY.EXE a threat, or an actual Microsoft Program?
Thanks for the reply.
Took a safer route and formatted the disk partitions, then reloaded Windows 10 and restored from a backup dated just before the Trojan incident.
It's a lot of work to put every app back, but since there were traces of something in the registry and the laptop was acting peculiar after several scans with the newest definitions, it seemed the best approach.
Minimal lost data, thankfully.
Panda's response to this issue was first rate and much appreciated. Good job!
- VirusBuster
- Official moderator
- Posts: 7595
- Joined: Mon, 02 Apr 2012, 18:53
- Location: Panda HQ - Bilbao
Re: [04316563] Is EJY.EXE a threat, or an actual Microsoft Program?
ISSUE SOLVED
Regards,
Jorge Torre
TechSupport Department - Panda Security
I don't reply to private messages unless I have previously requested them