Virus

MSIL/Injector.FOF!tr

Analysis

It drops a copy of itself as msimw.exe in the All Users' Profile folder.

The following registry modifications are applied:
- HKCU\Software\Microsoft\CurrentVersion\Policies\Explorer\Run
  - [RandomNumber] = undefinedAllUsersProfileundefined\msimw.exe
  This automatically executes the dropped file every time the infected user logs on.

The malware arrives as an attachment to a spammed mail using the following possible details:
- Subject: my new photo ;)
- Body: my new photo ;)
- Attachment Filename: photo.zip

The malware attempts to connect to the following site:
- ddnserv{Removed}.ru

The original copy of the malware is deleted after execution.

Recommended Action

Make sure that your FortiGate/FortiClient system is using the latest AV database.
Quarantine/delete files that are detected and replace infected files with clean backup copies.

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date	Version	Detail
2021-11-30	89.07343
2019-10-08	72.18000	Sig Updated

ID	6425202
Released	Sep 30, 2014
Description Updated	Nov 20, 2014
Aliases	Backdoor.Win32.Androm.fbrs (KAV), Win32/TrojanDownloader.Wauchos.AF trojan (NOD32), Troj/MSIL-ALM (Sophos)
Platform Profile	Microsoft Intermediate Language (used for MSIL compiled binaries)