TrojanDropper:Win32/Gepys.A is a trojan that pretends to be a Java update.
What to do now
To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:
You may mistakenly download and run TrojanDropper:Win32/Gepys.A, thinking it is an update for Java.
In the wild, we have observed the trojan using the file name java_update<seven random letters>.exe, for example:
When run, the trojan creates a folder called mozilla in the %APPDATA% folder. The trojan then creates a copy of itself in that folder, with the file name <seven random letters>.exe.
The trojan creates a scheduled task by creating the file <seven random letters>.job in the folder %windir%\tasks. This causes the trojan to run when Windows starts.
The trojan also drops the file <seven random letters>.dll, detected as VirTool:Win32/Injector.EE, into the %APPDATA%\mozilla folder. The trojan then modifies the following registry entry so that the DLL file is loaded into every process:
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: AppInit_DLLs
With data: %windir%\<seven random letters>.dll
When loaded into a process, the DLL file causes the scheduled task to run, which in turn runs the trojan.
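As an added triage example, not part of the original write-up: a Python script that checks a host, or data collected from one, for the three persistence artifacts described above (the AppInit_DLLs value, the seven-letter .job file in %windir%\Tasks, and the seven-letter .exe/.dll in %APPDATA%\mozilla), plus the java_update<seven random letters>.exe download name. The matching functions are pure and run anywhere; collect_from_host() reads the live registry and directories and is Windows-only. The sample data at the bottom is constructed, and "seven random letters" is assumed to mean seven ASCII letters of either case.

```python
"""Triage checks for the Gepys.A persistence artifacts (added example)."""
import ntpath
import os
import re
import sys

# Seven random letters plus the extension, as the analysis describes.
# Case of the letters is not stated, so match case-insensitively (assumption).
SEVEN_LETTER_NAME = re.compile(r"^[a-z]{7}\.(exe|dll|job)$", re.IGNORECASE)
DROPPER_NAME = re.compile(r"^java_update[a-z]{7}\.exe$", re.IGNORECASE)

# Registry key holding AppInit_DLLs. On 64-bit Windows the Wow6432Node copy of
# this key applies to 32-bit processes; check that one as well when triaging.
APPINIT_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Windows"


def is_seven_letter_artifact(filename: str) -> bool:
    """True for names like abcdefg.exe, abcdefg.dll or abcdefg.job."""
    return SEVEN_LETTER_NAME.match(filename) is not None


def is_dropper_name(filename: str) -> bool:
    """True for the observed download name java_update<seven letters>.exe."""
    return DROPPER_NAME.match(filename) is not None


def suspicious_appinit_entries(appinit_data: str) -> list:
    """Return entries of the AppInit_DLLs value (space/comma separated paths)
    whose basename is a seven-letter .dll. An empty value is normal."""
    hits = []
    for entry in re.split(r"[,\s]+", appinit_data.strip()):
        base = ntpath.basename(entry)  # handles backslash paths on any OS
        if entry and base.lower().endswith(".dll") and is_seven_letter_artifact(base):
            hits.append(entry)
    return hits


def suspicious_files(listing, wanted_exts) -> list:
    """Seven-letter names in a directory listing with one of wanted_exts."""
    return sorted(n for n in listing
                  if is_seven_letter_artifact(n)
                  and n.lower().rsplit(".", 1)[-1] in wanted_exts)


def assess(appinit_data: str, tasks_listing, mozilla_listing) -> dict:
    """Combine the three checks. Any one hit alone is weak evidence (seven-letter
    names are not unique to this family); all three together is the pattern the
    write-up describes."""
    findings = {
        "appinit_dlls": suspicious_appinit_entries(appinit_data),
        "tasks_jobs": suspicious_files(tasks_listing, {"job"}),
        "appdata_mozilla": suspicious_files(mozilla_listing, {"exe", "dll"}),
    }
    findings["matches_gepys_pattern"] = all(
        findings[k] for k in ("appinit_dlls", "tasks_jobs", "appdata_mozilla"))
    return findings


def collect_from_host():
    """Read the live indicators from this machine. Windows only (uses winreg);
    returns None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, APPINIT_KEY) as key:
        try:
            appinit, _ = winreg.QueryValueEx(key, "AppInit_DLLs")
        except FileNotFoundError:
            appinit = ""
    tasks_dir = os.path.join(os.environ.get("WINDIR", r"C:\Windows"), "Tasks")
    mozilla_dir = os.path.join(os.environ.get("APPDATA", ""), "mozilla")

    def listing(d):
        return os.listdir(d) if os.path.isdir(d) else []

    return assess(appinit or "", listing(tasks_dir), listing(mozilla_dir))


if __name__ == "__main__":
    # Constructed sample data in the shape the analysis describes; not real samples.
    print(assess(appinit_data=r"%windir%\qwertyu.dll",
                 tasks_listing=["qwertyu.job", "GoogleUpdateTaskMachineUA.job"],
                 mozilla_listing=["qwertyu.exe", "qwertyu.dll"]))
    live = collect_from_host()
    if live is not None:
        print(live)
```

On Windows Vista and later the AppInit_DLLs value only takes effect when the LoadAppInit_DLLs DWORD in the same key is 1, so a non-empty AppInit_DLLs value with LoadAppInit_DLLs set to 0 indicates a failed or partial infection rather than active injection; the script above does not read that flag, so check it by hand when a hit is found.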
At the time of analysis, we were unable to confirm any further actions taken by the DLL file.