Virus

MSIL/Injector.FPV!tr

Analysis

MSIL/Injector.FPV!tr is a generic detection for a trojan written in .NET managed code (MSIL) that uses a polymorphic custom packer. Because the detection is generic, samples flagged as MSIL/Injector.FPV!tr may differ in behavior.
The following are examples of behaviors observed in such samples.

  • Copies itself to the System folder as compmasf.exe.

  • Adds the following registry value so that it runs automatically at user logon:
    • key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • value: cliccdll
    • data: %System%\compmasf.exe

  • Attempts to connect to the following HTTP server to retrieve commands:
    • gol{Removed}uz.com

  • The malware retrieves commands from the above server, executes them, and reports the results to PHP pages with randomized names hosted on the same server. Examples of these page names:
    • tbdvtu.php
    • dkija.php
    • taymrniya.php
    • dskjyykhe.php

  • The malware deletes its original copy after execution.
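The indicators above (the Run value, the dropped file name, and the pattern of reports to randomly named PHP pages) can be checked with a short triage script. The following is an added example, not Fortinet's code and not part of the original page: it parses constructed `reg query` output for the HKCU Run key and constructed proxy log lines, and flags the persistence entry and any host that received POSTs to several distinct lowercase-letter `.php` names. The C2 host is a placeholder (`c2.example.invalid`) because the page redacts the real domain; the sample data and the 5-to-12-letter name heuristic are assumptions made for this example.

```python
"""Triage helpers for the MSIL/Injector.FPV!tr indicators (added example)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators taken from the analysis above.
IOC_VALUE_NAME = "cliccdll"
IOC_FILE_NAME = "compmasf.exe"

# Constructed sample of `reg query HKCU\...\Run` output (not from a real host).
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background
    cliccdll    REG_SZ    C:\Windows\System32\compmasf.exe
"""

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
# The C2 host is a placeholder; the page redacts the real domain.
SAMPLE_PROXY_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 GET http://www.example.com/index.php 200
2024-05-01T10:00:07Z 10.0.0.5 POST http://c2.example.invalid/tbdvtu.php 200
2024-05-01T10:05:09Z 10.0.0.5 POST http://c2.example.invalid/dkija.php 200
2024-05-01T10:06:00Z 10.0.0.7 POST http://www.example.com/login.php 302
"""

# Heuristic (assumption): report pages are 5-12 lowercase letters plus ".php".
PHP_NAME = re.compile(r"^/([a-z]{5,12})\.php$")


def parse_reg_query(text):
    """Return (value_name, type, data) tuples from `reg query` style output."""
    entries = []
    for line in text.splitlines():
        if not line.startswith("    "):
            continue  # key path lines and blank lines carry no value
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) == 3:
            entries.append(tuple(parts))
    return entries


def find_persistence_iocs(entries):
    """Flag Run values whose name or executable basename matches the IOCs."""
    hits = []
    for name, _type, data in entries:
        # Basename of the first .exe in the data; the data may carry arguments.
        m = re.search(r'([^\\/"]+\.exe)\b', data, re.IGNORECASE)
        target = m.group(1).lower() if m else ""
        if name.lower() == IOC_VALUE_NAME or target == IOC_FILE_NAME:
            hits.append((name, data))
    return hits


def hunt_random_php(log_text, min_distinct=2):
    """Return {host: [php names]} for hosts that received POSTs to at least
    `min_distinct` different /<letters>.php pages, the randomized-report
    pattern described above. One such name alone is not reported."""
    names_by_host = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[2] != "POST":
            continue
        url = urlsplit(fields[3])
        m = PHP_NAME.match(url.path)
        if m:
            names_by_host[url.hostname].add(m.group(0)[1:])  # e.g. "tbdvtu.php"
    return {host: sorted(names) for host, names in names_by_host.items()
            if len(names) >= min_distinct}


if __name__ == "__main__":
    print(find_persistence_iocs(parse_reg_query(SAMPLE_REG_OUTPUT)))
    print(hunt_random_php(SAMPLE_PROXY_LOG))
```

The PHP-name check is a hunting heuristic, not a signature: a single `login.php` POST to an ordinary site is ignored, and only a host that collects several distinct random-looking names is surfaced for review. Feed it real `reg query` output and proxy logs in the same field order, or adapt the two parsers to your log format.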

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.
  • Check the HKCU Run key listed above for the cliccdll value and remove it once the file it points to has been quarantined, so the infection does not restart at the next logon.