MSIL/Injector.KDI removal

MSIL/Injector.KDI is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.


Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It allows you to run a complete scan and clean your PC during the TRIAL period.
A 6-day free trial is available.

What can the MSIL/Injector.KDI virus do?

  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • CAPE extracted potentially suspicious content
  • Drops a binary and executes it
  • .NET file is packed/obfuscated with Confuser
  • The binary likely contains encrypted or compressed data.
  • Authenticode signature is invalid
  • Behavioural detection: Injection (Process Hollowing)
  • Behavioural detection: Injection (inter-process)
  • CAPE detected the DarkComet malware family
  • Creates a copy of itself
  • Interacts with known DarkComet registry keys
  • Creates known Fynloski/DarkComet mutexes
  • Anomalous binary characteristics

How to identify MSIL/Injector.KDI?


File Info:

name: F91C73D46F534C635E08.mlw
path: /opt/CAPEv2/storage/binaries/c98ec8add426ae470df8df9d9c9fe06ffdf3c6a137d3d4e04ec633365d11c884
crc32: 51EBF379
md5: f91c73d46f534c635e084ef78f82d452
sha1: 0b92b7b215966f5fe8e105a67d363d72bdbae59f
sha256: c98ec8add426ae470df8df9d9c9fe06ffdf3c6a137d3d4e04ec633365d11c884
sha512: 2b92e0d35d4822b67861d6cf72a25d5f6cb7c0275e07a051e08ef36c02c4e2bafad851507a400d090d6d664bac5c02c26f8b5a5ddc063f403527ed018935ae1b
ssdeep: 12288:1mki+yVwGvOpxf7fAC8Xys+11lAPocZU2l5ChG96:IgGvO7TfuXys+11SPK2S
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T127B4DF2129EF505DF3A39FB15FD8B9EF899AF273251E30B620420B468722E94CD52735
sha3_384: 4a675632ba0cb634251e29e6316c8c4af110038a407a31e00426fc62dd0d0a8459e6ffad83e32fdc5cb1b54326fe408c
ep_bytes: ff250020400000000000000000000000
timestamp: 2014-11-14 07:01:22

Version Info:

FileDescription: Block Level Backup Engine
InternalName: RNSETUP
OriginalFilename: RNSetup.DLL
ProductName: Shell executable of Setup program (32-bit)
FileVersion: 17.0.15.10
ProductVersion: 17.0.15.10
CompanyName: RealNetworks, Inc.
LegalCopyright: Copyright © RealNetworks, Inc. 1995-2012
LegalTrademarks: RealAudio(tm) is a trademark of RealNetworks, Inc.
Translation: 0x0409 0x04e4

MSIL/Injector.KDI also known as:

Bkav: W32.AIDetectNet.01
Lionic: Trojan.Win32.Generic.4!c
tehtris: Generic.Malware
MicroWorld-eScan: Gen:Heur.MSIL.Krypt.11
FireEye: Generic.mg.f91c73d46f534c63
CAT-QuickHeal: Backdoor.Fynloski.A3
McAfee: Artemis!F91C73D46F53
Zillya: Backdoor.Androm.Win32.14804
Sangfor: Suspicious.Win32.Save.a
K7AntiVirus: Riskware ( 0040eff71 )
K7GW: Riskware ( 0040eff71 )
Cybereason: malicious.46f534
BitDefenderTheta: Gen:NN.ZemsilF.34682.Gm0@a4@sqmbi
Symantec: ML.Attribute.HighConfidence
Elastic: malicious (high confidence)
ESET-NOD32: a variant of MSIL/Injector.KDI
Kaspersky: Backdoor.Win32.Androm.fykt
BitDefender: Gen:Heur.MSIL.Krypt.11
NANO-Antivirus: Trojan.Win32.Androm.dmgfwp
Cynet: Malicious (score: 100)
Avast: Win32:Agent-AWNK [Trj]
Ad-Aware: Gen:Heur.MSIL.Krypt.11
Emsisoft: Gen:Heur.MSIL.Krypt.11 (B)
VIPRE: Gen:Heur.MSIL.Krypt.11
McAfee-GW-Edition: BehavesLike.Win32.Generic.hc
SentinelOne: Static AI – Malicious PE
Trapmine: malicious.high.ml.score
Sophos: ML/PE-A + Mal/MSIL-KL
APEX: Malicious
GData: Gen:Heur.MSIL.Krypt.11
Avira: TR/Dropper.MSIL.Gen
Microsoft: Trojan:Win32/Wacatac.B!ml
Google: Detected
AhnLab-V3: Win-Trojan/MDA.630F094C.X1408
Acronis: suspicious
VBA32: Dropper.MSIL.gen
ALYac: Gen:Heur.MSIL.Krypt.11
MAX: malware (ai score=81)
Rising: Trojan.Generic/MSIL@AI.97 (RDM.MSIL:RIVQYa5EcAKrAgp/G/CzdA)
Yandex: Backdoor.Androm!cW/X1zbv648
Ikarus: Trojan-PSW.Win32.Tepfer
MaxSecure: Trojan.Malware.300983.susgen
Fortinet: MSIL/GHQ.KL!tr
AVG: Win32:Agent-AWNK [Trj]
Panda: Trj/CI.A
CrowdStrike: win/malicious_confidence_100% (W)

How to remove MSIL/Injector.KDI?

MSIL/Injector.KDI removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • “Move to quarantine” all items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the proper browser and options, then click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.