W32/Injector.FGK!tr
Analysis
W32/Injector.FGK!tr is a generic detection for a trojan.
Since this is a generic detection, samples detected as W32/Injector.FGK!tr may vary in behaviour.
Below are some of its observed characteristics and behaviours:
- Injects code into explorer.exe
- Creates a mutex named fsmgr in the explorer.exe process
- Looks for a removable drive
- Sets the hidden attribute on C:\RECYCLER
- Sets the hidden attribute on C:\RECYCLER\{SID}
- Creates Desktop.ini under C:\RECYCLER\{SID} with the hidden attribute
- Writes a shell command to Desktop.ini
- Tries to delete winfixer.exe under the folder C:\RECYCLER\{SID}
- Copies itself to the folder C:\RECYCLER\{SID} as winfixer.exe
- Modifies the following registry entry to run automatically at startup:
  - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    - Taskman = C:\RECYCLER\{SID}\winfixer.exe
- Attempts to delete the following registry entry:
  - HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    - hifaggot
  - HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
- Tries to delete autorun.ini under C:\
- Creates autorun.inf with the hidden attribute under C:\; this autorun.inf tries to run winfixer.exe through a shell command line
- If the malware finds a removable drive, it performs the following:
  - Creates the folder x:\RECYCLER\{SID} (where x: is the removable drive)
  - Creates desktop.ini under x:\
  - Copies C:\RECYCLER\{SID}\winfixer.exe to x:\RECYCLER\{SID}\winfixer.exe
  - Creates x:\autorun.inf
  - Sends the message "PRIVMSG #’ 11E: Infected usb drive: x:" to one of the servers listed below
- Sends the message "rssr daqcpdr aps:daqopdr"
- Sends the message "rssr ivkhwnu dvv: ivkhwmu"
- The malware attempts to contact the following servers:
  - dc.{removed}.com
  - dc.{removed}.net
  - dc.{removed}.info
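As an added example (not Fortinet's code), a small Python triage helper that checks two of the host artifacts listed above: a Winlogon Taskman value pointing at the RECYCLER copy, and autorun.inf / Desktop.ini entries whose command launches winfixer.exe from a RECYCLER\{SID} folder. The SID folder name, the file contents and the registry value set are constructed assumptions; on a live host the values would be read with winreg and the files collected from drive roots.

```python
"""Host-triage helper for the W32/Injector.FGK!tr artifacts described above."""
import configparser
import re
from typing import Dict, List

# Persistence location the analysis names: a Taskman value under Winlogon.
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Dropped copy: <drive>:\RECYCLER\{SID}\winfixer.exe. The folder between
# RECYCLER and winfixer.exe is the SID; it is matched loosely here.
RECYCLER_COPY = re.compile(r"RECYCLER\\[^\\\s]+\\winfixer\.exe", re.IGNORECASE)


def check_winlogon(values: Dict[str, str]) -> List[str]:
    """Flag a Winlogon Taskman value that launches the RECYCLER copy.

    `values` maps the key's value names to their data (a constructed dict here)."""
    taskman = values.get("Taskman", "")
    if RECYCLER_COPY.search(taskman):
        return [f"{WINLOGON_KEY}\\Taskman = {taskman}"]
    return []


def check_shell_ini(text: str, path: str) -> List[str]:
    """Flag autorun.inf / Desktop.ini entries whose value runs winfixer.exe from RECYCLER."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    parser.read_string(text)  # option names are lower-cased, matching Windows' case-insensitivity
    return [
        f"{path} [{section}] {key}={value}"
        for section in parser.sections()
        for key, value in parser.items(section)
        if value and RECYCLER_COPY.search(value)
    ]


# Constructed samples (not from the page): an autorun.inf shaped like the one the
# analysis describes, a benign autorun.inf, and a Winlogon value set.
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1000"
INFECTED_AUTORUN = f"""[autorun]
open=RECYCLER\\{SAMPLE_SID}\\winfixer.exe
shellexecute=RECYCLER\\{SAMPLE_SID}\\winfixer.exe
shell\\open\\command=RECYCLER\\{SAMPLE_SID}\\winfixer.exe
"""
BENIGN_AUTORUN = "[autorun]\nicon=setup.exe,0\nlabel=Driver CD\n"
SAMPLE_WINLOGON = {"Shell": "explorer.exe", "Taskman": f"C:\\RECYCLER\\{SAMPLE_SID}\\winfixer.exe"}


def triage() -> List[str]:
    """Run every check over the constructed samples and return the findings."""
    findings = check_winlogon(SAMPLE_WINLOGON)
    findings += check_shell_ini(INFECTED_AUTORUN, "E:\\autorun.inf")
    findings += check_shell_ini(BENIGN_AUTORUN, "D:\\autorun.inf")
    return findings


if __name__ == "__main__":
    for line in triage():
        print("FINDING:", line)
```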
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Detection Availability: FortiGate, FortiClient, FortiAPS, FortiAPU, FortiMail, FortiSandbox, FortiWeb, Web Application Firewall, FortiIsolator, FortiDeceptor, FortiEDR