Virus:Win32/Expiro.R is the detection for a virus that infects EXE files on all drives and collects user credentials from the infected computer. It also allows backdoor access to and control of the infected computer, and lowers Internet Explorer security settings.
Installation
Virus:Win32/Expiro.R ensures that only a single version of itself is running at any given time by creating the following mutexes:
- kkq-vx_mtx<incremental number>
- gazavat-svc
- gazavat-svc_<number>
For example, kkq-vx_mtx18 to kkq-vx_mtx99, and gazavat-svc_18.
Spreads via...
File infection
Virus:Win32/Expiro.R infects EXE files and files referenced by shortcut (LNK) files. It looks for EXE files that are registered as services, and those located in the Programs folder of the Start Menu, on the user's desktop, and in the local Application Data folder. It also infects all EXE files found on drives C to Z.
Virus:Win32/Expiro.R infects files by appending its virus code to these files. It may then create a copy of the infected file using the same file name but with the extension IVR. For example, if this virus infects the file "calc.exe", this virus may create an infected copy as "calc.ivr".
It also disables Windows File Protection to infect protected files.
Payload
Steals sensitive information
Virus:Win32/Expiro.R collects the following sensitive information:
- Installed certificates
- Credentials stored by FileZilla
- Credentials stored by Windows Protected Storage
- Passwords stored by Internet Explorer, within the following registry entry:
  HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
- Credentials entered by users in different windows, for example, in Internet Explorer
It logs the stolen credentials in the following files, which hold only the collected data and are not themselves malicious:
- %localappdata%\kf<number>z32.dll, for example, kf18z32.dll
- %localappdata%\dfl<number>z32.dll, for example, dfl18z32.dll
- %localappdata%\wsr<number>zt32.dll, for example, wsr18zt32.dll
- %localappdata%\<volume serial of system folder><number>.nls, for example, dcbfifcc18.nls
- %appdata%\p<number>_<number>.dll, for example, p18_18.dll
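The mutex names, the .ivr copies of infected EXEs and the credential log names above are all host artifacts an incident responder can search for. The script below is an added example, not part of this write-up or of any Microsoft tool: it turns those naming patterns into regular expressions and runs them over a constructed handle list and file listing. The `<number>` placeholders are read as decimal digits and the volume serial in the .nls name as lower-case letters (as in the sample dcbfifcc18.nls); both readings are assumptions.

```python
import ntpath
import re
from typing import Dict, List

# Indicator patterns transcribed from the write-up. Each <number> placeholder is
# modelled as one or more decimal digits; that reading is an assumption.
MUTEX_PATTERNS = [
    re.compile(r"^kkq-vx_mtx\d+$"),
    re.compile(r"^gazavat-svc$"),
    re.compile(r"^gazavat-svc_\d+$"),
]

# Credential log names dropped under %localappdata% and %appdata%. The .nls name
# is "<volume serial of system folder><number>.nls"; the sample dcbfifcc18.nls
# shows the serial rendered as lower-case letters, so letters are matched here
# (assumption: the encoding is always alphabetic). The patterns are deliberately
# applied only inside AppData, where .nls files are not normally expected.
LOG_FILE_PATTERNS = [
    re.compile(r"^kf\d+z32\.dll$"),
    re.compile(r"^dfl\d+z32\.dll$"),
    re.compile(r"^wsr\d+zt32\.dll$"),
    re.compile(r"^[a-z]+\d+\.nls$"),
    re.compile(r"^p\d+_\d+\.dll$"),
]


def suspicious_mutexes(names: List[str]) -> List[str]:
    """Return the mutex names that match the Expiro.R naming scheme."""
    return [n for n in names if any(p.match(n) for p in MUTEX_PATTERNS)]


def triage_paths(paths: List[str]) -> Dict[str, List[str]]:
    """Classify a file listing into credential logs and .ivr copies of EXEs.

    An .ivr file is reported only when an .exe with the same stem sits in the
    same directory, which is the pairing the write-up describes (calc.exe ->
    calc.ivr). Path comparison is case-insensitive, as on NTFS.
    """
    findings: Dict[str, List[str]] = {"credential_log": [], "ivr_copy": []}
    present = {p.lower() for p in paths}
    for path in paths:
        directory, name = ntpath.split(path)
        lname = name.lower()
        in_appdata = "\\appdata\\" in (directory.lower() + "\\")
        if in_appdata and any(p.match(lname) for p in LOG_FILE_PATTERNS):
            findings["credential_log"].append(path)
        stem, ext = ntpath.splitext(lname)
        if ext == ".ivr" and ntpath.join(directory.lower(), stem + ".exe") in present:
            findings["ivr_copy"].append(path)
    return findings


# Constructed sample input (not taken from a real host): mutex names as they
# might be read from a process's handle table, and a small file listing.
SAMPLE_MUTEXES = [
    "kkq-vx_mtx18",
    "gazavat-svc",
    "gazavat-svc_18",
    "kkq-vx",
    "Global\\SomeLegitimateMutex",
]
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\kf18z32.dll",
    r"C:\Users\alice\AppData\Local\dcbfifcc18.nls",
    r"C:\Users\alice\AppData\Roaming\p18_18.dll",
    r"C:\Users\alice\AppData\Local\Microsoft\report.dll",
    r"C:\Windows\System32\C_1252.NLS",
    r"C:\Windows\System32\calc.exe",
    r"C:\Windows\System32\calc.ivr",
    r"C:\Program Files\Tool\tool.ivr",
]

if __name__ == "__main__":
    print("mutexes:", suspicious_mutexes(SAMPLE_MUTEXES))
    for kind, hits in triage_paths(SAMPLE_PATHS).items():
        print(kind, hits)
```

On a live system the inputs would come from a handle enumeration and a recursive directory listing of the user profiles and system folders; the matching logic is unchanged. A lone .ivr file without its .exe sibling is not reported by design, to keep the result list tied to the behaviour this write-up describes.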
Allows backdoor access and control
Virus:Win32/Expiro.R is able to connect to a server and receive commands from a remote attacker. Some of the servers it has been observed to connect to are:
- antiviral-tstlist.biz
- avcheck.biz
- avcheck.ru
- cashing.cc
- directconnection.ws
- ganzagroup.com
- ganzagroup.in
- gektar-promarenda.ru
- gronx-planets.ru
- kgbrelaxclub.ru
- kidos-bank.ru
- license-policy2012.ru
- lowlol-casting.ru
- samohodka-ww3.ru
- virtest.com
- www.avcheck.biz
- www.avcheck.ru
- www.cashing.cc
- www.directconnection.ws
- www.virtest.com
- www1.hsbc.ca
- xverified.ru
Note that some of the above servers may not be malicious. There is a 15% chance the malware will generate pseudo-random '.com' and '.ru' domains, such as the following:
- hdecub-ydyg.ru
- hgefa-bugin.com
- hkegy-bikav.com
- hmyjo-boneb.com
- hpykyb-aquh.ru
- hsymi-betop.com
- hvypeb-yxav.ru
- hzuqib-ubyc.ru
- hcusa-bifik.com
- hfuvub-ohap.ru
- hjixab-ekew.ru
- hlizyb-ypud.ru
- hpibob-urok.ru
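The two lists above give a defender two complementary network signals: an exact-match list of observed servers and a recognisable shape for the generated domains. The script below is an added example, not code from this write-up: it classifies queried names in a constructed resolver log. The generated-domain pattern (a leading "h", two lower-case labels of four or five letters joined by a hyphen, under .com or .ru) is inferred from the thirteen samples listed and is an assumption about the generator, so hits on it are leads to investigate rather than confirmed Expiro traffic; likewise the write-up itself notes that not every listed server is necessarily malicious.

```python
import re
from typing import List, Tuple

# Servers listed in the write-up. The write-up cautions that not every listed
# host is necessarily malicious, so a match here is a lead for an analyst, not
# a verdict on its own.
KNOWN_SERVERS = {
    "antiviral-tstlist.biz", "avcheck.biz", "avcheck.ru", "cashing.cc",
    "directconnection.ws", "ganzagroup.com", "ganzagroup.in",
    "gektar-promarenda.ru", "gronx-planets.ru", "kgbrelaxclub.ru",
    "kidos-bank.ru", "license-policy2012.ru", "lowlol-casting.ru",
    "samohodka-ww3.ru", "virtest.com", "www.avcheck.biz", "www.avcheck.ru",
    "www.cashing.cc", "www.directconnection.ws", "www.virtest.com",
    "www1.hsbc.ca", "xverified.ru",
}

# Shape shared by all thirteen generated domains listed in the write-up: a
# leading "h", two lower-case alphabetic labels of four or five letters joined
# by a hyphen, under .com or .ru. Inferred from the samples; it is an assumption
# that the generator never departs from it.
DGA_SHAPE = re.compile(r"^h[a-z]{4,5}-[a-z]{4,5}\.(?:com|ru)$")


def classify_domain(domain: str) -> str:
    """Return "known_server", "dga_shape" or "clean" for one queried name."""
    name = domain.strip().rstrip(".").lower()
    if name in KNOWN_SERVERS:
        return "known_server"
    if DGA_SHAPE.match(name):
        return "dga_shape"
    return "clean"


def triage_dns_log(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, domain, verdict) for every non-clean query in the log.

    The log format is the constructed one used below: "<timestamp> <client>
    <qtype> <qname>", one query per line; adapt the field positions to the
    resolver you actually collect from.
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, qname = fields[1], fields[3]
        verdict = classify_domain(qname)
        if verdict != "clean":
            hits.append((client, qname.lower(), verdict))
    return hits


# Constructed sample resolver log (not real traffic). hqzabu-ikop.com is a
# made-up name that fits the generated-domain shape; hotel-booking.com starts
# with "h" and has a hyphen but fails the label-length constraint.
SAMPLE_DNS_LOG = """\
2012-03-01T10:00:00Z 10.0.0.5 A www.example.com
2012-03-01T10:00:02Z 10.0.0.5 A avcheck.biz
2012-03-01T10:00:03Z 10.0.0.5 A hdecub-ydyg.ru
2012-03-01T10:00:04Z 10.0.0.7 A hqzabu-ikop.com
2012-03-01T10:00:05Z 10.0.0.7 A hotel-booking.com
2012-03-01T10:00:06Z 10.0.0.5 A www1.hsbc.ca
"""

if __name__ == "__main__":
    for client, domain, verdict in triage_dns_log(SAMPLE_DNS_LOG):
        print(f"{client:<10} {domain:<24} {verdict}")
```

Because the generator is only said to fire 15% of the time, the exact-match list will carry most detections; the shape rule mainly helps when a host is seen querying several such names in a short window, which is worth alerting on even if no single name is on the list.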
It can perform any of the following actions, based on the commands of the remote attacker:
- Disable antivirus protection
- Collect and upload user credentials
- Terminate the malware process
- Download malware components
It also sends the following information to the remote server every time a connection is made:
Redirects website access
Virus:Win32/Expiro.R installs a Firefox extension that redirects web access from certain sites to others. Some of the sites it is known to redirect to are:
- fairy-tailpigz.biz
- fukushima-atom.ru
- ganzagroup.net
- ijmash-gunschk.ru
- karavjan-pakistan.net
- kevlar-xguard.ru
- lybia-bizovernet.biz
- pasha-mers600.ru
- vahhao-byte.ru
- xray-lagometer.org
Lowers Internet Explorer web browser security
Virus:Win32/Expiro.R modifies the following registry settings, which control the Internet Explorer security zones:
In subkeys:
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Sets value: "1609"
With data: "0"
Sets value: "2103"
With data: "0"
Sets value: "1406"
With data: "0"
These settings allow unsecured content to be displayed in all zones, allow status bar updates via scripts, and allow access to data sources across domains.
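The registry changes above are easy to audit from an exported copy of the Zones key. The script below is an added example, not part of this write-up: it parses a .reg export (the format `regedit` and `reg export` produce) and reports every zone in which one of the three URL actions named above is set to 0. The sample export is constructed, and the per-action descriptions are taken from the sentence above.

```python
import re
from typing import List, Tuple

# Zone subkeys as they appear in a .reg export (HKEY_CURRENT_USER) or in the
# write-up's shorthand (HKCU). The zone number is captured.
ZONE_KEY = re.compile(
    r"^\[(?:HKCU|HKEY_CURRENT_USER)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
    r"\\Internet Settings\\Zones\\(\d)\]$",
    re.IGNORECASE,
)
# "<action>"=dword:<8 hex digits>, the form regedit uses for DWORD values.
DWORD_LINE = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')

# URL actions the write-up says Expiro.R sets to 0; 0 means the action is allowed.
WEAKENED_ACTIONS = {
    "1609": "display unsecured (mixed) content",
    "2103": "allow status bar updates via script",
    "1406": "access data sources across domains",
}


def find_weakened_zones(reg_text: str) -> List[Tuple[str, str, str]]:
    """Scan a .reg export and return (zone, action, meaning) for each weakened action."""
    findings = []
    zone = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            match = ZONE_KEY.match(line)
            zone = match.group(1) if match else None  # values under other keys are ignored
            continue
        if zone is None:
            continue
        match = DWORD_LINE.match(line)
        if not match:
            continue
        action, data = match.group(1).upper(), int(match.group(2), 16)
        if action in WEAKENED_ACTIONS and data == 0:
            findings.append((zone, action, WEAKENED_ACTIONS[action]))
    return findings


# Constructed sample export (not from a real machine). Zone 0 has all three
# actions forced to 0, zone 3 only one of them, zone 4 one, and the trailing
# "1609" under a non-zone key must not be reported.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1609"=dword:00000000
"2103"=dword:00000000
"1406"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1609"=dword:00000001
"2103"=dword:00000003
"1406"=dword:00000000
"1A00"=dword:00020000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1609"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"1609"=dword:00000000
"""

if __name__ == "__main__":
    for zone, action, meaning in find_weakened_zones(SAMPLE_REG):
        print(f"zone {zone}: action {action} = 0 ({meaning})")
```

To produce the input on a Windows host, export the key with `reg export "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones" zones.reg` and feed the file's contents to `find_weakened_zones`. Default values differ between zones, so compare the output against a known-good baseline from the same Windows and Internet Explorer version rather than treating every reported zone as evidence of infection on its own.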
Analysis by Rodel Finones