
TrojanDropper:Win32/Gepys.A


Microsoft security software detects and removes this threat.

TrojanDropper:Win32/Gepys.A is a trojan that pretends to be a Java update.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

If you have this threat detected on your computer, you may have been tricked into downloading a fake Java update. To properly update Java, follow these steps:

  1. Clear the Java cache
  2. Update Java
  3. Remove older versions of Java

Threat behavior

You may mistakenly download and run TrojanDropper:Win32/Gepys.A, thinking it is an update for Java.

In the wild, we have observed the trojan using the file name java_update<seven random letters>.exe, for example:

  • java_update_ltsxtda.exe
  • java_update_fpwajaa.exe
  • java_update_ztwueca.exe
  • java_update_mygiuaa.exe

When run, the trojan creates a folder called mozilla in the %APPDATA% folder. The trojan then creates a copy of itself in that folder, with the file name <seven random letters>.exe.

The trojan creates a scheduled task by creating the file <seven random letters>.job in the folder %windir%\tasks. This causes the trojan to run when Windows starts.

The trojan also drops the file <seven random letters>.dll, detected as VirTool:Win32/Injector.EE, into the %APPDATA%\mozilla folder. The trojan then modifies the following registry entry so that the DLL file is loaded into every process:

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: AppInit_DLLs
With data:  %windir%\<seven random letters>.dll

When loaded into a process, the DLL file causes the scheduled task to run, which in turn runs the trojan.

At the time of analysis, we were unable to confirm any further actions taken by the DLL file.

Analysis by Swapnil Bhalode


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:

    %APPDATA%\mozilla\<seven random letters>.exe
    %APPDATA%\mozilla\<seven random letters>.dll
    %windir%\tasks\<seven random letters>.job
    java_update<seven random letters>.exe

  • The presence of the following registry modifications:

    In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
    Sets value: AppInit_DLLs
    With data:  %windir%\<seven random letters>.dll
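The following PowerShell script is an added example, not part of the Microsoft write-up, that checks a host for the indicators listed in the Threat behavior and Symptoms sections above. The registry key, value name and folders come from the page; the seven-letter file-name regex, the additional Wow6432Node key (where a 32-bit AppInit_DLLs entry lives on 64-bit Windows), the Downloads folder search and the HIGH/REVIEW labels are this script's own assumptions.

```powershell
# Added example (not from the write-up): triage a Windows host for Gepys.A indicators.
$findings = @()

# 1. AppInit_DLLs (page: set to %windir%\<seven random letters>.dll). Any non-empty
#    value deserves review; a seven-letter .dll name matches this family's pattern.
#    Assumption: also check the Wow6432Node key used by 32-bit DLLs on 64-bit Windows.
$keys = @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
          'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows')
foreach ($key in $keys) {
    $appInit = (Get-ItemProperty -Path $key -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
    if ($appInit) {
        $level = if ($appInit -match '(?i)(^|\\)[a-z]{7}\.dll$') { 'HIGH' } else { 'REVIEW' }
        $findings += "[$level] AppInit_DLLs under $key is set to: $appInit"
    }
}

# 2. %APPDATA%\mozilla holding seven-letter .exe/.dll files (page: dropped copy and DLL).
#    The legitimate Firefox profile lives under %APPDATA%\Mozilla\Firefox, not as loose binaries.
$dropDir = Join-Path $env:APPDATA 'mozilla'
if (Test-Path $dropDir) {
    Get-ChildItem -Path $dropDir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '(?i)^[a-z]{7}\.(exe|dll)$' } |
        ForEach-Object { $findings += "[HIGH] Dropped binary: $($_.FullName)" }
}

# 3. Legacy .job scheduled-task files in %windir%\Tasks with a seven-letter name
#    (page: <seven random letters>.job provides the start-up persistence).
$taskDir = Join-Path $env:windir 'Tasks'
Get-ChildItem -Path $taskDir -Filter '*.job' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName -match '(?i)^[a-z]{7}$' } |
    ForEach-Object { $findings += "[HIGH] Scheduled task file: $($_.FullName)" }

# 4. The fake updater itself (page: java_update<seven random letters>.exe).
#    Assumption: it was saved to the user's Downloads folder.
$dl = Join-Path $env:USERPROFILE 'Downloads'
Get-ChildItem -Path $dl -Filter 'java_update*.exe' -File -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "[REVIEW] Possible fake Java updater: $($_.FullName)" }

if ($findings.Count -eq 0) { 'No Gepys.A indicators found.' } else { $findings }
```

Run it from an elevated PowerShell session so the HKLM keys and %windir%\Tasks are readable; a REVIEW result for AppInit_DLLs only means the value is non-empty and should be inspected, since legitimate software occasionally sets it.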

Prevention


Alert level: Severe
First detected by definition: 1.147.1411.0
Latest detected by definition: 1.189.2192.0 and higher
First detected on: Apr 09, 2013
This entry was first published on: Apr 09, 2013
This entry was updated on: Jul 29, 2013

This threat is also detected as:
  • Win32/Kryptik.AXYQ (ESET)
  • Troj/Gyepis-A (Sophos)
  • Trojan.Redirect.140 (Dr.Web)
  • Trojan.Win32.ShipUp.fun (Kaspersky)
  • W32/Kryptik.AYUW!tr (other)
  • W32/Zbot.JC.gen!Eldorado (Command)
  • win32/Kryptik.AKVT (Norman)