
TrojanDropper:Win32/Gepys.A


First posted on 11 June 2013.
Source: Microsoft

Aliases:

TrojanDropper:Win32/Gepys.A is also known as Win32/Kryptik.AXYQ (ESET), Troj/Gyepis-A (Sophos), Trojan.Redirect.140 (Dr.Web), Trojan.Win32.ShipUp.fun (Kaspersky), W32/Kryptik.AYUW!tr (other), W32/Zbot.JC.gen!Eldorado (Command), win32/Kryptik.AKVT (Norman).

Explanation:

You may mistakenly download and run TrojanDropper:Win32/Gepys.A, thinking it is an update for Java.

In the wild, we have observed the trojan using the file name java_update_<seven random letters>.exe, for example:

  • java_update_ltsxtda.exe
  • java_update_fpwajaa.exe
  • java_update_ztwueca.exe
  • java_update_mygiuaa.exe


When run, the trojan creates a folder called mozilla in the %APPDATA% folder. The trojan then creates a copy of itself in that folder, with the file name <seven random letters>.exe.

The trojan creates a scheduled task by creating the file <seven random letters>.job in the folder %windir%\tasks. This causes the trojan to run when Windows starts.

The trojan also drops the file <seven random letters>.dll, detected as VirTool:Win32/Injector.EE, into the %APPDATA%\mozilla folder. The trojan then modifies the following registry entry so that the DLL file is loaded into every process:

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: AppInit_DLLs
With data: %windir%\<seven random letters>.dll

When loaded into a process, the DLL file causes the scheduled task to run, which in turn runs the trojan.

At the time of analysis, we were unable to confirm any further actions taken by the DLL file.
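The three persistence artefacts described above (the copy under %APPDATA%\mozilla, the .job file in %windir%\tasks, and the AppInit_DLLs value) can be checked for on a suspect host with a short read-only triage script. The script below is an added example, not part of the Microsoft write-up; it assumes the "seven random letters" are lowercase a-z (the regex is my rendering of that pattern), PowerShell 4 or later (for Get-FileHash), and an elevated prompt so that HKLM and %windir%\tasks are readable.

```powershell
# Added triage example (not from the Microsoft write-up). Read-only: it lists
# Gepys.A-style persistence artefacts and hashes candidate files, nothing more.
# Assumptions: seven-letter names are lowercase a-z; run elevated; PS 4+.

$sevenLetters = '^[a-z]{7}$'
$findings = @()

# 1. Dropper copy (.exe) or injector DLL under %APPDATA%\mozilla with a seven-letter name
$mozillaDir = Join-Path $env:APPDATA 'mozilla'
if (Test-Path -LiteralPath $mozillaDir) {
    $candidates = Get-ChildItem -Path $mozillaDir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match $sevenLetters -and $_.Extension -in @('.exe', '.dll') }
    foreach ($f in $candidates) {
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Indicator = 'APPDATA\mozilla file'
            Path      = $f.FullName
            Detail    = "SHA256 $hash"
        }
    }
}

# 2. Legacy scheduled-task file <seven letters>.job in %windir%\tasks
$tasksDir = Join-Path $env:windir 'tasks'
$jobs = Get-ChildItem -Path $tasksDir -Filter '*.job' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName -match $sevenLetters }
foreach ($j in $jobs) {
    $findings += [pscustomobject]@{
        Indicator = '%windir%\tasks .job file'
        Path      = $j.FullName
        Detail    = "Created $($j.CreationTime)"
    }
}

# 3. AppInit_DLLs under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows.
#    Any non-empty value deserves review; entries matching the pattern are called out.
$appInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = Get-ItemProperty -Path $appInitKey -ErrorAction SilentlyContinue
if ($appInit -and -not [string]::IsNullOrWhiteSpace($appInit.AppInit_DLLs)) {
    $entries = $appInit.AppInit_DLLs -split '[,; ]+' | Where-Object { $_ }
    foreach ($entry in $entries) {
        $expanded = [Environment]::ExpandEnvironmentVariables($entry)
        $base = [System.IO.Path]::GetFileNameWithoutExtension($expanded)
        if ($base -match $sevenLetters) { $label = 'AppInit_DLLs (matches pattern)' }
        else { $label = 'AppInit_DLLs (non-empty, review)' }
        $findings += [pscustomobject]@{
            Indicator = $label
            Path      = $expanded
            Detail    = "LoadAppInit_DLLs=$($appInit.LoadAppInit_DLLs); exists=$(Test-Path -LiteralPath $expanded)"
        }
    }
}

if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize }
else { Write-Output 'No Gepys.A persistence artefacts found.' }
```

Two caveats when reading the output. The AppInit_DLLs mechanism is only honoured when LoadAppInit_DLLs is 1, and Windows 8 and later ignore it entirely when Secure Boot is enabled, so on such hosts the DLL trigger is inert while the dropped files and the .job file still indicate an infection. The .job format is the legacy Task Scheduler 1.0 store; on Vista and later also review Get-ScheduledTask (or the XML under %windir%\System32\Tasks) for the same seven-letter names. Removal of any hits should go through the antimalware product rather than by deleting files by hand, since the copy, the task and the registry value reinstate each other.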



Analysis by Swapnil Bhalode

Last update 11 June 2013
