W32/Injector.HLL!tr
Analysis
W32/Injector.HLL!tr is a generic detection for a family of trojans that use a polymorphic custom packer. Because the detection is generic, samples detected as W32/Injector.HLL!tr may differ in behavior.
Below are examples of some of these behaviors:
- It deletes itself from current folder.
- One of the following files exists:
- %System%\igfxhs32.exe
- %UserProfile%\igfxhs32.exe
- If any of the following conditions are satisfied, the malware process terminates:
- The pathname of the current process contains any of the following strings:
- sample
- virus
- sand-box
- sandbox
- test
- The computer or user name contains any of the following strings:
- VMG-CLIENT
- MORTE
- Malekal
- HOME-OFF-D5F0AC
- DELL-D3E62F7E26
- KAKAPROU-6405DA
- The data in the registry entry HKLM\SYSTEM\ControlSet001\Services\Disk\Enum\0 contains any of the following strings:
- VMware
- VBox
- Virtual
- QEMU
- Any of the following processes is active:
- port
- vbox
- vmsrvc
- vmware
- sandbox
- tcpview
- wireshark.exe
- regshot.exe
- procmon.exe
- filemon.exe
- regmon.exe
- procdump.exe
- cports.exe
- procexp.exe
- squid.exe
- dumpcap.exe
- An open window has any of the following ClassName, WindowName pairs:
- gdkWindowToplevel, The Wireshark Network Analyzer
- CNetmonMainFrame, Microsoft Network Monitor 3.3
- SmartSniff, SmartSniff
- CurrPorts,CurrPorts
- TCPViewClass, 0
- PROCMON_WINDOW_CLASS, Process Monitor - Sysinternals: www.sysinternals.com
- #32770, Regshot 1.8.2
- PROCEXPL, 0
- Any of the following files exist in the %ProgramFiles% folder:
- \WinPcap\rpcapd.exe
- \WireShark\rawshark.exe
- \Ethereal\ethereal.html
- \Microsoft Network Monitor 3\netmon.exe
- It uses the following mutexes:
- V8x
- muipcdraotse
- It terminates the following processes:
- MBAMGUI.EXE
- COMBOFIX.EXE
- CATCHME.EXE
- TEATIMER.EXE
- MRT.EXE
- MRTSTUB.EXE
- MSMPENG.EXE
- MSASCUI.EXE
- MPCMDRUN.EXE
- USBGUARD.EXE
- BILLY.EXE
- It terminates the process whose pathname contains any of the following strings:
- temp
- recycler
- drive32.exe
- msvmiode.exe
- rvhost.exe
- wudfhost.exe
- svchos.exe
- servicers.exe
- uninstall_.exe
- undmgr.exe
- chgservice.exe
- usbmngr.exe
- serivces.exe
- cmmon32.exe
- It stops the following services:
- CSIScanner
- K7RTScan
- K7TSMngr
- DrWebEngine
- SPIDERNT
- DrWebCom
- avast! Antivirus
- avast! Firewall
- AntiVirService
- VSSERV
- avgfws
- avgwd
- avg8wd
- avg9wd
- NOD32krn
- ekrn
- mcmscsvc
- McShield
- MSK80Service
- McNASvc
- MpfService
- McODS
- McSysmon
- SmcService
- Symantec AntiVirus
- Norton Antivirus Server
- MBAMProtector
- MBAMService
- WebrootSpySweeperService
- WRConsumerService
- Amsp
- SAVService
- SAVAdminService
- Sophos AutoUpdate Service
- Sophos Client Firewall
- Sophos Client Firewall Manager
- OutpostFirewall
- TMBMServer
- TmPfw
- KPF4
- cmdAgent
- SbPF.Launcher
- SPF4
- acssrv
- It injects malicious code into all running processes except the following:
- verclsid.exe
- rundll32.exe
- csrss.exe
- It creates the following registry entry:
- key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
- value: %System%\igfxhs32.exe
- data: DisableNXShowUI
- It downloads a file from the following URL:
- http://143.{Removed}.28/a{Removed}s/datalog2.txt
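The anti-analysis conditions listed above are useful in reverse: an analyst can check whether a sandbox or analysis VM would trip any of them before detonating a sample. The following Python script is an added example, not code from the Fortinet analysis or from the malware; it takes a constructed snapshot of a host (the script does not collect anything itself) and reports which conditions would cause the process to terminate. It assumes case-insensitive substring matching for the path, name, registry and process checks, and that a listed window name of "0" means the window title is not checked; both are assumptions, not facts from the analysis.

```python
"""Evaluate the W32/Injector.HLL!tr anti-analysis conditions against a host snapshot.

Added example; strings are copied from the analysis above, matching rules are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterable

# Markers reproduced from the analysis.
PATH_MARKERS = ("sample", "virus", "sand-box", "sandbox", "test")
NAME_MARKERS = ("VMG-CLIENT", "MORTE", "Malekal", "HOME-OFF-D5F0AC",
                "DELL-D3E62F7E26", "KAKAPROU-6405DA")
DISK_ENUM_MARKERS = ("VMware", "VBox", "Virtual", "QEMU")
PROCESS_MARKERS = ("port", "vbox", "vmsrvc", "vmware", "sandbox", "tcpview",
                   "wireshark.exe", "regshot.exe", "procmon.exe", "filemon.exe",
                   "regmon.exe", "procdump.exe", "cports.exe", "procexp.exe",
                   "squid.exe", "dumpcap.exe")
WINDOW_PAIRS = (
    ("gdkWindowToplevel", "The Wireshark Network Analyzer"),
    ("CNetmonMainFrame", "Microsoft Network Monitor 3.3"),
    ("SmartSniff", "SmartSniff"),
    ("CurrPorts", "CurrPorts"),
    ("TCPViewClass", "0"),
    ("PROCMON_WINDOW_CLASS", "Process Monitor - Sysinternals: www.sysinternals.com"),
    ("#32770", "Regshot 1.8.2"),
    ("PROCEXPL", "0"),
)
PROGRAM_FILES_TOOLS = (r"\WinPcap\rpcapd.exe", r"\WireShark\rawshark.exe",
                       r"\Ethereal\ethereal.html",
                       r"\Microsoft Network Monitor 3\netmon.exe")


@dataclass
class HostSnapshot:
    """Constructed view of an analysis host; nothing here is collected live."""
    process_path: str                  # full path of the detonated sample
    computer_name: str
    user_name: str
    disk_enum_0: str                   # data of HKLM\SYSTEM\ControlSet001\Services\Disk\Enum\0
    processes: list[str] = field(default_factory=list)           # image names
    windows: list[tuple[str, str]] = field(default_factory=list)  # (ClassName, WindowName)
    program_files: list[str] = field(default_factory=list)       # paths relative to %ProgramFiles%


def _hits(haystack: str, needles: Iterable[str]) -> list[str]:
    # Assumption: case-insensitive substring match, as is typical for this kind of check.
    low = haystack.lower()
    return [n for n in needles if n.lower() in low]


def evaluate(host: HostSnapshot) -> list[str]:
    """Return one description per evasion condition the snapshot would trigger."""
    tripped: list[str] = []
    for m in _hits(host.process_path, PATH_MARKERS):
        tripped.append(f"process path contains {m!r}")
    for m in _hits(host.computer_name, NAME_MARKERS) + _hits(host.user_name, NAME_MARKERS):
        tripped.append(f"computer/user name contains {m!r}")
    for m in _hits(host.disk_enum_0, DISK_ENUM_MARKERS):
        tripped.append(f"Disk\\Enum\\0 contains {m!r}")
    for proc in host.processes:
        # Note that the bare marker "port" matches any image name containing it.
        for m in _hits(proc, PROCESS_MARKERS):
            tripped.append(f"process {proc!r} matches {m!r}")
    for cls, title in host.windows:
        for want_cls, want_title in WINDOW_PAIRS:
            # Assumption: a listed WindowName of "0" means the title is not compared.
            if cls == want_cls and (want_title == "0" or title == want_title):
                tripped.append(f"window {cls!r} / {title!r} is open")
    lowered_tools = {t.lower() for t in PROGRAM_FILES_TOOLS}
    for rel in host.program_files:
        if rel.lower() in lowered_tools:
            tripped.append(f"%ProgramFiles%{rel} exists")
    return tripped


if __name__ == "__main__":
    # Constructed snapshot of a poorly prepared analysis VM.
    vm = HostSnapshot(
        process_path=r"C:\sandbox\sample.exe",
        computer_name="VMG-CLIENT",
        user_name="analyst",
        disk_enum_0=r"IDE\DiskVMware_Virtual_IDE_Hard_Drive___________00000001\5&1f0b9d0&0&0.0.0",
        processes=["explorer.exe", "procexp.exe", "ReportServer.exe"],
        windows=[("PROCEXPL", "Process Explorer - Sysinternals")],
        program_files=[r"\WinPcap\rpcapd.exe"],
    )
    for line in evaluate(vm):
        print("would terminate:", line)
```

Run against the constructed snapshot, the script reports nine conditions, including the unrelated `ReportServer.exe` process, which trips the bare `port` marker; that overbreadth is worth knowing when a sample refuses to run on a host that has no analysis tooling at all.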
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Detection Availability
Product | Database
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |