MSIL/Injector.FPV!tr
Analysis
MSIL/Injector.FPV!tr is a generic detection for a family of trojans that use a polymorphic custom packer. Because the detection is generic, samples detected as MSIL/Injector.FPV!tr may exhibit varying behavior.
Below are examples of some of these behaviors.
- Copies itself to the System folder as compmasf.exe.
- Adds the following registry entry to enable its automatic execution:
  - key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - value: cliccdll
  - data: %System%\compmasf.exe
- Attempts to connect to the following HTTP server to acquire malicious commands:
- gol{Removed}uz.com
- The malware acquires commands from the above server, executes them, and sends a report back through PHP pages with randomized names hosted on the malware server. Below are examples of the names of these PHP pages:
- tbdvtu.php
- dkija.php
- taymrniya.php
- dskjyykhe.php
- The original copy of the malware is deleted after execution.
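The following is an added hunting check, not part of the Fortinet write-up: it looks for the two persistence indicators listed above (the cliccdll Run value and a dropped compmasf.exe) in an exported Run key and a file listing. The registry entries and file paths are constructed sample data, and %System% is assumed to expand to C:\Windows\System32.

```python
import ntpath

RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
IOC_VALUE_NAME = "cliccdll"          # Run value name from the write-up
IOC_FILE_NAME = "compmasf.exe"       # dropped file name from the write-up
SYSTEM_DIR = r"C:\Windows\System32"  # assumed expansion of %System%


def _target_basename(data):
    """Return the lowercase file name a Run value launches, ignoring arguments."""
    data = data.strip()
    if data.startswith('"'):
        target = data[1:].split('"', 1)[0]   # quoted path: take what is inside the quotes
    else:
        target = data.split(" ", 1)[0]       # unquoted path: first token (no spaces assumed)
    return ntpath.basename(target).lower()


def check_run_entries(entries):
    """entries: {value name: data} exported from the HKCU Run key.
    A finding is raised when the value name or the launched file matches the IOCs."""
    findings = []
    for name, data in entries.items():
        reasons = []
        if name.lower() == IOC_VALUE_NAME:
            reasons.append("value name " + IOC_VALUE_NAME)
        if _target_basename(data) == IOC_FILE_NAME:
            reasons.append("target file " + IOC_FILE_NAME)
        if reasons:
            findings.append({"key": RUN_KEY, "value": name, "data": data, "reasons": reasons})
    return findings


def check_files(paths):
    """Flag every copy of compmasf.exe and note whether it sits in the System folder."""
    return [{"path": p, "in_system_dir": ntpath.dirname(p).lower() == SYSTEM_DIR.lower()}
            for p in paths if ntpath.basename(p).lower() == IOC_FILE_NAME]


# Constructed sample data: one benign Run entry and one matching the write-up.
SAMPLE_RUN = {
    "OneDrive": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "cliccdll": r"C:\Windows\System32\compmasf.exe",
}
SAMPLE_FILES = [r"C:\Windows\System32\compmasf.exe", r"C:\Windows\System32\cmd.exe"]

if __name__ == "__main__":
    for finding in check_run_entries(SAMPLE_RUN) + check_files(SAMPLE_FILES):
        print(finding)
```

On a live host the same two functions can be fed the output of `reg export` for the Run key and a directory listing of the System folder.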
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
- FortiGate (Extended database)
- FortiClient
- FortiMail
- FortiSandbox
- FortiWeb
- Web Application Firewall
- FortiIsolator
- FortiDeceptor
- FortiEDR