MSIL/Injector.FPV!tr is a generic detection for a type of trojan that uses a polymorphic custom packer. Since this is a generic detection, malware that are detected as MSIL/Injector.FPV!tr may have varying behavior.
Below are examples of some of these behaviors.
- Copies itself to the System folder as compmasf.exe.
- Adds the following registry to enable its automatic execution:
- key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- value: cliccdll
- data: undefinedSystemundefined\compmasf.exe
- Attempts to connect to the following HTTP server to acquire malicious commands:
- The malware acquires commands from the above server, executes them, and sends a report through PHP pages with randomized names that are on the malware server. Below are examples of the names of these PHP pages:
- The original copy of the malware is deleted after execution.
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.