W32/Injector.FGK!tr

Analysis

W32/Injector.FGK!tr is a generic detection for a trojan. Because the detection is generic, samples detected as W32/Injector.FGK!tr may vary in behaviour.
Below are some of the observed characteristics and behaviours:

  • Injects code into explorer.exe
  • Creates mutex named fsmgr in explorer.exe process
  • Looks for removable drive
  • Changes attribute of C:\RECYCLER to hidden
  • Changes attribute of C:\RECYCLER\{SID} to hidden
  • Creates Desktop.ini under C:\RECYCLER\{SID} with hidden attribute
  • Writes shell command to Desktop.ini
  • Tries to delete winfixer.exe under folder C:\RECYCLER\{SID}
  • Copies itself to the folder C:\RECYCLER\{SID} as winfixer.exe
  • Modifies the following registry entry to automatically run during startup:
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
      • Taskman = C:\RECYCLER\{SID}\winfixer.exe
  • Attempts to delete the following registry entry:
    • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
      • hifaggot
  • Tries to delete autorun.ini under C:\
  • Creates autorun.inf with hidden attribute under C:\, and the autorun.inf will try to run the winfixer.exe through shell command line
  • If the malware finds the removable drive, it will perform the following behaviours:
    • Creates the folder x:\RECYCLER\{SID} (x: is the removable drive)
    • Creates desktop.ini under x:\
    • Copies the file from C:\RECYCLER\{SID}\winfixer.exe to x:\RECYCLER\{SID} as winfixer.exe
    • Creates x:\autorun.inf
    • Sends a message "PRIVMSG #’ 11E: Infected usb drive: x:" to one of the servers listed below
    • Sends a message "rssr daqcpdr aps:daqopdr"
    • Sends a message "rssr ivkhwnu dvv: ivkhwmu"
  • The malware attempts to talk to the following server:
    • dc.{removed}.com
    • dc.{removed}.net
    • dc.{removed}.info
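The persistence and spreading artifacts listed above (the Winlogon Taskman value, the RECYCLER\{SID}\winfixer.exe copy, and the autorun.inf that launches it) are all checkable offline from collected evidence. The script below is an added triage example, not Fortinet's code: it reads a .reg export of the Winlogon key and the text of an autorun.inf, and reports anything that matches this family's indicators. The SID shape, the sample .reg and autorun.inf contents, and the function names are all assumptions made for the example; the page only says {SID}.

```python
"""Offline triage for the W32/Injector.FGK!tr artifacts described above.
Example code written for this page, not Fortinet's or the malware's code.
Inputs are text already collected from a host or a mounted drive image
(a .reg export of the Winlogon key, an autorun.inf), so it runs on any OS."""
from __future__ import annotations

import configparser
import re

# Folder name shaped like a Windows SID, e.g. S-1-5-21-1-2-3-1000.
# Assumption: the page only says {SID}; this is the usual SID text form.
SID_RE = r"S-1-\d+(?:-\d+)+"
# <drive>:\RECYCLER\{SID}\winfixer.exe, the dropped copy the page describes.
WINFIXER_RE = re.compile(
    r"[A-Za-z]:\\RECYCLER\\" + SID_RE + r"\\winfixer\.exe", re.IGNORECASE
)
# Long form of HKLM\SOFTWARE\...\Winlogon as it appears in a .reg export.
WINLOGON_KEY = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
)
# autorun.inf keys that launch a program on insertion or double-click.
AUTORUN_LAUNCH_KEYS = ("open", "shellexecute")


def is_winfixer_path(path: str) -> bool:
    """True if the path points at a RECYCLER\\{SID}\\winfixer.exe copy."""
    return WINFIXER_RE.search(path) is not None


def taskman_from_reg_export(reg_text: str) -> str | None:
    """Return the Taskman value under the Winlogon key from a .reg export,
    or None if it is absent (the normal state on a clean host)."""
    in_winlogon = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_winlogon = line[1:-1].lower() == WINLOGON_KEY.lower()
            continue
        m = re.match(r'"Taskman"="(.*)"$', line, re.IGNORECASE)
        if in_winlogon and m:
            # .reg exports escape backslashes and quotes with a backslash
            return re.sub(r"\\(.)", r"\1", m.group(1))
    return None


def autorun_launch_targets(inf_text: str) -> list[str]:
    """Return every program an autorun.inf would launch: the open= and
    shellexecute= values plus any shell\\<verb>\\command= entries."""
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",)
    )
    try:
        cp.read_string(inf_text)
    except configparser.Error:
        return []  # not a parseable INI: Windows would launch nothing
    # section names are case-sensitive in configparser, not on Windows
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return []
    targets = []
    for key, value in cp.items(section):  # keys are already lower-cased
        if key in AUTORUN_LAUNCH_KEYS or (
            key.startswith("shell\\") and key.endswith("\\command")
        ):
            targets.append(value.strip())
    return targets


def triage(reg_text: str, inf_text: str) -> list[str]:
    """Combine the checks into a list of human-readable findings."""
    findings = []
    taskman = taskman_from_reg_export(reg_text)
    if taskman is not None:
        # Taskman is normally unset, so any value deserves a look; a
        # RECYCLER winfixer.exe path matches this family's persistence.
        sev = "MATCH" if is_winfixer_path(taskman) else "REVIEW"
        findings.append(f"{sev}: Winlogon Taskman = {taskman}")
    for target in autorun_launch_targets(inf_text):
        if is_winfixer_path(target):
            findings.append(f"MATCH: autorun.inf launches {target}")
    return findings


# Constructed sample inputs (not from a real infection), shaped like the
# artifacts the page describes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Taskman"="C:\\RECYCLER\\S-1-5-21-1111111111-2222222222-3333333333-1000\\winfixer.exe"
'''

SAMPLE_AUTORUN = r'''[autorun]
open=E:\RECYCLER\S-1-5-21-1111111111-2222222222-3333333333-1000\winfixer.exe
shell\open\command=E:\RECYCLER\S-1-5-21-1111111111-2222222222-3333333333-1000\winfixer.exe
icon=%SystemRoot%\system32\shell32.dll,4
'''

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_AUTORUN):
        print(finding)
```

A clean host normally has no Taskman value at all, which is why the script flags any value for review and only calls it a match when the path fits the RECYCLER\{SID}\winfixer.exe pattern; the same pattern is applied to every launch target an autorun.inf defines, so a copy on a removable drive is caught by the same rule as the copy on C:.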

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2019-07-22 70.17300 Sig Updated
2019-05-03 68.25000 Sig Updated
2019-05-03 68.24700 Sig Updated