Virus:Win32/Expiro.V


Virus:Win32/Expiro.V is a detection of a virus that infects executable files on all drives and collects various credentials on an infected computer.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Virus:Win32/Expiro.V is a detection of a virus that infects executable files on all drives and collects various credentials on an infected computer.

Spreads via...

File infection

Virus:Win32/Expiro.V targets files with the .EXE file extension. The virus disables Windows File Protection to allow the infection of protected system files.

When an infected program is run, the virus infects all EXE files, including files referenced by shortcut link files (.LNK). The virus first infects executable files that run as a system service, then files referenced by desktop shortcuts and by shortcuts in the Start Menu under Programs. Next, Virus:Win32/Expiro.V disables System File Checker (SFC) for SFC-protected files.

Payload

Allows backdoor access and control

Virus:Win32/Expiro.V connects to a remote server to receive commands from a remote attacker. The following is a list of servers it attempts to connect to:

  • avcheck.biz
  • avcheck.ru
  • avcheckx2011.ru
  • barclays.com
  • cashing.cc
  • directconnection.ws
  • gronx-planets.ru
  • hsbc.ca
  • kgbrelaxclub.ru
  • kidos-bank.ru
  • laurentianbank.ca
  • ppshafromhugewar.ru
  • smellsliketervana.com
  • virtest.com

Note: Some of the servers mentioned above may not be malicious.

Downloads arbitrary files

Virus:Win32/Expiro.V drops the following file to store credential information collected from the infected computer:

  • %AppData%\<random file name>.dll (for example, %AppData%\wsr17zt32.dll)

Steals sensitive information

Virus:Win32/Expiro.V tries to collect the following information:

  • Credentials stored by FileZilla in file %AppData%\FileZilla\sitemanager.xml
  • Credentials stored by Firefox under %AppData%\Mozilla\Firefox\Profiles
  • Credentials stored by Windows Protected Storage
  • Installed certificates
  • Passwords stored by IE under HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • User inputs into a specific window
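The dropped-file location and the file-based credential stores above can be checked offline from a copied or mounted profile. The following is an added host-triage example (not Microsoft's code and not part of this entry) that reports loose DLLs in the %AppData% root, which of the listed stores exist on the profile, and the extension entries in each Firefox profile; the sample tree it builds is constructed, and the extension id in it is a placeholder.

```python
"""Host triage for the Expiro.V artifacts listed above.

Added example, not Microsoft's code. It inspects an %AppData% directory tree
supplied by the caller (a live profile, a copied profile or a mounted image),
so nothing here depends on running on the infected host itself.
"""
import tempfile
from pathlib import Path
from typing import Dict, List


def find_root_dlls(appdata: Path) -> List[str]:
    """Names of .dll files sitting directly in the %AppData% root.

    The page says the credential-collection file is dropped as
    %AppData%\\<random file name>.dll; normal applications keep their DLLs in
    per-product subfolders, so a loose DLL here is worth hashing and reviewing.
    """
    return sorted(p.name for p in appdata.iterdir()
                  if p.is_file() and p.suffix.lower() == ".dll")


def exposed_credential_stores(appdata: Path) -> Dict[str, bool]:
    """Which of the file-based stores the page lists exist on this profile.

    A store that exists is credential material the virus can reach. Protected
    Storage, installed certificates and the IE IntelliForms\\Storage2 key live
    in the registry and are not covered by a file-system walk.
    """
    filezilla = appdata / "FileZilla" / "sitemanager.xml"
    profiles = appdata / "Mozilla" / "Firefox" / "Profiles"
    return {
        "filezilla_sitemanager": filezilla.is_file(),
        "firefox_profiles": profiles.is_dir() and any(profiles.iterdir()),
    }


def firefox_extensions(appdata: Path) -> List[str]:
    """'<profile>/<extension>' entries from each profile's extensions folder.

    The page says the virus tries to install a Firefox extension that redirects
    web access, so an entry the user does not recognise should be examined.
    """
    profiles = appdata / "Mozilla" / "Firefox" / "Profiles"
    found: List[str] = []
    if profiles.is_dir():
        for profile in sorted(profiles.iterdir()):
            ext_dir = profile / "extensions"
            if ext_dir.is_dir():
                found.extend(f"{profile.name}/{e.name}" for e in sorted(ext_dir.iterdir()))
    return found


def triage(appdata: Path) -> Dict[str, object]:
    """Combine the three checks into one report for the responder."""
    return {
        "root_dlls": find_root_dlls(appdata),
        "credential_stores": exposed_credential_stores(appdata),
        "firefox_extensions": firefox_extensions(appdata),
    }


def build_demo_tree(root: Path) -> None:
    """Constructed sample profile (not real data): the example DLL name from the
    page, a FileZilla site manager file and one Firefox profile carrying a
    placeholder extension id."""
    (root / "wsr17zt32.dll").write_bytes(b"MZ")          # loose DLL in the root
    (root / "FileZilla").mkdir()
    (root / "FileZilla" / "sitemanager.xml").write_text("<FileZilla3/>")
    ext = root / "Mozilla" / "Firefox" / "Profiles" / "abcd1234.default" / "extensions"
    ext.mkdir(parents=True)
    (ext / "example-extension@placeholder").mkdir()


def demo() -> Dict[str, object]:
    """Run the triage against a freshly built sample tree in a temp directory."""
    root = Path(tempfile.mkdtemp())
    build_demo_tree(root)
    return triage(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real case, call `triage(Path(r"C:\Users\<user>\AppData\Roaming"))` against the profile under review; a loose DLL in the root should be hashed and submitted for analysis rather than deleted, since it may also hold the credentials the responder needs to rotate.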

Redirects web access

Virus:Win32/Expiro.V tries to install a Firefox extension that may redirect web access to the following domains:

  • smellsliketervana.com
  • office-rents24.ru
  • moscow-nightware.com
  • kaspersky-antinod.biz
  • tutmos-history.ru
  • corporal-johnlan.com
  • lasersquad1996.com
  • zae-biznes.com
  • nae-biznes.ru
  • gosdep-mskcity.ru
  • advokat-spb18.ru
  • grilled-mushrooms.cc
  • million-megadoz.com
  • cannabis-anabioz.org
  • nsdap-party.org
  • podstava-bank.ru
  • da-zdra-per-ma.com
  • headshot-freelance.com

Additional information

The malware may generate pseudo-random '.com' and '.ru' domains such as the following:

  • rcusa-bifik.com
  • rdecub-ydyg.ru
  • rfuvub-ohap.ru
  • rgefa-bugin.com
  • rjixab-ekew.ru
  • rkegy-bikav.com
  • rmyjo-boneb.com
  • rpykyb-aquh.ru
  • rsymi-betop.com
  • rvypeb-yxav.ru
  • rzuqib-ubyc.ru
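The server list under "Allows backdoor access and control", the redirect domains and the pseudo-random names above can all be matched against DNS or proxy logs. The following is an added detection example (not Microsoft's code and not part of this entry): the indicator sets are copied from this page, the log lines are constructed, and the regular expression for the generated names is a heuristic inferred from the eleven samples listed above, which is an assumption rather than a documented generation algorithm.

```python
"""Triage of DNS or proxy log lines against the Expiro.V network indicators
listed above.

Added example, not Microsoft's code. The indicator sets are copied from this
page; the pseudo-random-domain regex is a heuristic inferred from the eleven
sample names above and is an assumption, not a documented generation algorithm.
"""
import re
from collections import Counter
from typing import List, Optional, Tuple

# Command-and-control servers from the page. The page notes that some of them
# may not be malicious, so a hit is a lead for review, not a verdict on its own.
C2_SERVERS = {
    "avcheck.biz", "avcheck.ru", "avcheckx2011.ru", "barclays.com", "cashing.cc",
    "directconnection.ws", "gronx-planets.ru", "hsbc.ca", "kgbrelaxclub.ru",
    "kidos-bank.ru", "laurentianbank.ca", "ppshafromhugewar.ru",
    "smellsliketervana.com", "virtest.com",
}

# Domains the installed Firefox extension may redirect to (from the page).
REDIRECT_DOMAINS = {
    "smellsliketervana.com", "office-rents24.ru", "moscow-nightware.com",
    "kaspersky-antinod.biz", "tutmos-history.ru", "corporal-johnlan.com",
    "lasersquad1996.com", "zae-biznes.com", "nae-biznes.ru", "gosdep-mskcity.ru",
    "advokat-spb18.ru", "grilled-mushrooms.cc", "million-megadoz.com",
    "cannabis-anabioz.org", "nsdap-party.org", "podstava-bank.ru",
    "da-zdra-per-ma.com", "headshot-freelance.com",
}

# Every generated name on the page is 'r' plus letters, a hyphen, more letters,
# ten letters in total, under .com or .ru. Assumption drawn from those samples.
DGA_PATTERN = re.compile(r"^r[a-z]{4,5}-[a-z]{4,5}\.(?:com|ru)$")

# Constructed sample log in "timestamp client queried-name" layout (not real data).
SAMPLE_LOG = """\
2011-11-10T09:00:01 10.0.0.12 www.example.com
2011-11-10T09:00:02 10.0.0.12 avcheck.ru
2011-11-10T09:00:03 10.0.0.12 update.mozilla.org
2011-11-10T09:00:04 10.0.0.12 rcusa-bifik.com
2011-11-10T09:00:05 10.0.0.12 rzuqib-ubyc.ru
2011-11-10T09:00:06 10.0.0.12 smellsliketervana.com
2011-11-10T09:00:07 10.0.0.12 really-long-name.com
2011-11-10T09:00:08 10.0.0.20 mail.cashing.cc
"""


def _normalise(qname: str) -> str:
    """Lower-case and drop a trailing dot so 'AVCHECK.RU.' matches the list."""
    return qname.strip().lower().rstrip(".")


def _matches(qname: str, domains) -> bool:
    """True if qname is one of the domains or a subdomain of one."""
    return any(qname == d or qname.endswith("." + d) for d in domains)


def classify(qname: str) -> Optional[str]:
    """Indicator class for a queried name, or None if it matches nothing."""
    name = _normalise(qname)
    if _matches(name, C2_SERVERS):
        return "c2-server"
    if _matches(name, REDIRECT_DOMAINS):
        return "redirect-domain"
    if DGA_PATTERN.match(name):
        return "pseudo-random-domain"
    return None


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """(client, qname, reason) for every line whose queried name matches."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the run
        _ts, client, qname = parts
        reason = classify(qname)
        if reason:
            hits.append((client, _normalise(qname), reason))
    return hits


def suspect_clients(hits, min_dga: int = 2) -> List[str]:
    """Clients with at least min_dga pseudo-random lookups.

    A single odd name can be a typo; repeated hits on the generated pattern
    from one host are the stronger signal that it is running the virus.
    """
    counts = Counter(c for c, _q, r in hits if r == "pseudo-random-domain")
    return sorted(c for c, n in counts.items() if n >= min_dga)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for client, qname, reason in found:
        print(f"{client:12} {qname:28} {reason}")
    print("suspect clients:", suspect_clients(found))
```

Matches on the bank domains in the server list should be read with the page's own note in mind: they may be the victim's legitimate online banking rather than command-and-control traffic, so they are context for the investigation, not grounds for blocking on their own.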

Analysis by Rodel Finones & Shawn Wang


Symptoms

Alert notifications or detections of this malware from installed antivirus or security software may be the only other symptoms.


Prevention


Alert level: Severe
First detected by definition: 1.103.209.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Apr 21, 2011
This entry was first published on: Apr 21, 2011
This entry was updated on: Nov 10, 2011

This threat is also detected as:
  • W32/Expiro.O (Command)
  • Virus.Win32.Expiro.w (Kaspersky)
  • W32/Expiro.W (Norman)
  • Win32.Expiro.Gen.3 (VirusBuster)
  • Win32/Expiro.O (AVG)
  • Win32.Expiro.T (BitDefender)
  • Win32/Xpiro.A (CA)
  • Virus.Win32.Expiro (Ikarus)
  • W32/Expiro.gen.g (McAfee)
  • W32/Expiro-H (Sophos)
  • Virus.Win32.Expiro.i (Sunbelt Software)
  • W32.Xpiro.D (Symantec)