Virus:Win32/Expiro.V is a detection of a virus that infects executable files on all drives and collects various credentials on an infected computer.
Spreads via...
File infection
Virus:Win32/Expiro.V targets files with .EXE file extension. The virus disables Windows File Protection to allow the infection of protected system files.
When an infected program is run, the virus infects all EXE files, including files referenced by shortcut link files (.LNK). The virus first infects executable files that run as a system service, then files referenced by desktop shortcuts and by shortcuts in the Start Menu under Programs. Next, Virus:Win32/Expiro.V disables System File Checker (SFC) for SFC-protected files.
Payload
Allows backdoor access and control
Virus:Win32/Expiro.V connects to a remote server to receive commands from a remote attacker. The following is a list of servers it attempts to connect to:
- avcheck.biz
- avcheck.ru
- avcheckx2011.ru
- barclays.com
- cashing.cc
- directconnection.ws
- gronx-planets.ru
- hsbc.ca
- kgbrelaxclub.ru
- kidos-bank.ru
- laurentianbank.ca
- ppshafromhugewar.ru
- smellsliketervana.com
- virtest.com
Note: Some of the servers mentioned above may not be malicious.
Downloads arbitrary files
Virus:Win32/Expiro.V drops the following file to store credential information collected from the infected computer:
- %AppData%\<random file name>.dll (for example, %AppData%\wsr17zt32.dll)
Steals sensitive information
Virus:Win32/Expiro.V tries to collect the following information:
- Credentials stored by FileZilla in file %AppData%\FileZilla\sitemanager.xml
- Credentials stored by Firefox under %AppData%\Mozilla\Firefox\Profiles
- Credentials stored by Windows Protected Storage
- Installed certificates
- Passwords stored by IE under HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
- User inputs into a specific window
Redirects web access
Virus:Win32/Expiro.V tries to install a Firefox extension that may redirect web access to the following domains:
- smellsliketervana.com
- office-rents24.ru
- moscow-nightware.com
- kaspersky-antinod.biz
- tutmos-history.ru
- corporal-johnlan.com
- lasersquad1996.com
- zae-biznes.com
- nae-biznes.ru
- gosdep-mskcity.ru
- advokat-spb18.ru
- grilled-mushrooms.cc
- million-megadoz.com
- cannabis-anabioz.org
- nsdap-party.org
- podstava-bank.ru
- da-zdra-per-ma.com
- headshot-freelance.com
Additional information
The malware may generate pseudo-random '.com' and '.ru' domains such as the following:
- rcusa-bifik.com
- rdecub-ydyg.ru
- rfuvub-ohap.ru
- rgefa-bugin.com
- rjixab-ekew.ru
- rkegy-bikav.com
- rmyjo-boneb.com
- rpykyb-aquh.ru
- rsymi-betop.com
- rvypeb-yxav.ru
- rzuqib-ubyc.ru
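The contact servers, redirect domains and pseudo-random domains listed above are the indicators a defender can most readily hunt for in DNS query logs. The script below is an added example, not part of this write-up and not Microsoft's own tooling: it matches queried names against the domain lists copied from this page, and applies a heuristic for the pseudo-random domains that was derived from the eleven samples given above (a leading "r", two lowercase labels of 4 to 5 letters joined by a hyphen, nine letters in total, under .com or .ru). The log format (timestamp, client address, queried name) and the sample log lines are constructed for the example, and treating the three bank domains from the contact list as low confidence is an assumption prompted by the note that some listed servers may not be malicious.

```python
import re
from typing import Dict, List, Optional

# Command-and-control contacts listed in the write-up.
C2_DOMAINS = {
    "avcheck.biz", "avcheck.ru", "avcheckx2011.ru", "cashing.cc",
    "directconnection.ws", "gronx-planets.ru", "kgbrelaxclub.ru",
    "kidos-bank.ru", "ppshafromhugewar.ru", "smellsliketervana.com",
    "virtest.com",
}

# Also in the write-up's contact list, but plainly bank domains. The write-up
# notes some listed servers may not be malicious, so a query to these is
# reported as low confidence (an assumption made for this example).
LOW_CONFIDENCE_DOMAINS = {"barclays.com", "hsbc.ca", "laurentianbank.ca"}

# Redirect targets of the Firefox extension, from the write-up.
REDIRECT_DOMAINS = {
    "smellsliketervana.com", "office-rents24.ru", "moscow-nightware.com",
    "kaspersky-antinod.biz", "tutmos-history.ru", "corporal-johnlan.com",
    "lasersquad1996.com", "zae-biznes.com", "nae-biznes.ru",
    "gosdep-mskcity.ru", "advokat-spb18.ru", "grilled-mushrooms.cc",
    "million-megadoz.com", "cannabis-anabioz.org", "nsdap-party.org",
    "podstava-bank.ru", "da-zdra-per-ma.com", "headshot-freelance.com",
}

# The pseudo-random sample domains from the write-up, used to validate the
# heuristic below.
DGA_SAMPLES = (
    "rcusa-bifik.com", "rdecub-ydyg.ru", "rfuvub-ohap.ru", "rgefa-bugin.com",
    "rjixab-ekew.ru", "rkegy-bikav.com", "rmyjo-boneb.com", "rpykyb-aquh.ru",
    "rsymi-betop.com", "rvypeb-yxav.ru", "rzuqib-ubyc.ru",
)

# Heuristic derived from DGA_SAMPLES: leading "r", two lowercase labels of
# 4-5 letters joined by a hyphen, nine letters in total, under .com or .ru.
# This is a hunting heuristic, not a signature; expect some false positives
# on legitimate hyphenated names and review hits before acting on them.
DGA_RE = re.compile(r"^r([a-z]{4,5})-([a-z]{4,5})\.(com|ru)$")

# Constructed log format for this example: "<timestamp> <client> <qname>".
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def classify_domain(qname: str) -> Optional[str]:
    """Return a match category for a queried name, or None if it is clean."""
    name = qname.lower().rstrip(".")
    parts = name.split(".")
    # Check the full name and every parent domain so subdomains also match.
    candidates = [".".join(parts[i:]) for i in range(len(parts) - 1)]
    for cand in candidates:
        if cand in C2_DOMAINS:
            return "c2"
        if cand in REDIRECT_DOMAINS:
            return "redirect"
        if cand in LOW_CONFIDENCE_DOMAINS:
            return "low-confidence"
    for cand in candidates:
        m = DGA_RE.match(cand)
        if m and len(m.group(1)) + len(m.group(2)) == 9:
            return "dga-heuristic"
    return None


def scan_dns_log(lines) -> List[Dict[str, str]]:
    """Parse constructed-format DNS log lines and return the matching queries."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts, client, qname = m.groups()
        category = classify_domain(qname)
        if category:
            hits.append({"time": ts, "client": client,
                         "qname": qname, "category": category})
    return hits


def summarize_by_client(hits: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each client address to the sorted set of categories it triggered."""
    by_client: Dict[str, set] = {}
    for h in hits:
        by_client.setdefault(h["client"], set()).add(h["category"])
    return {c: sorted(cats) for c, cats in by_client.items()}


# Constructed sample log; the addresses and timestamps are invented.
SAMPLE_LOG = """\
2011-06-01T09:12:03Z 10.0.0.21 www.example.com
2011-06-01T09:12:04Z 10.0.0.21 avcheck.ru
2011-06-01T09:12:05Z 10.0.0.21 rcusa-bifik.com
2011-06-01T09:12:06Z 10.0.0.21 rzuqib-ubyc.ru
2011-06-01T09:12:07Z 10.0.0.22 my-site.com
2011-06-01T09:12:08Z 10.0.0.22 hsbc.ca
2011-06-01T09:12:09Z 10.0.0.23 update.office-rents24.ru
"""

if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_LOG.splitlines())
    for hit in found:
        print(f"{hit['time']} {hit['client']} {hit['qname']} -> {hit['category']}")
    for client, cats in summarize_by_client(found).items():
        print(f"{client}: {', '.join(cats)}")
```

A client that triggers both the "c2" and the "dga-heuristic" categories, as 10.0.0.21 does in the sample, is a much stronger lead than either alone; a lone "dga-heuristic" hit on a hyphenated name should be checked against the actual resolution and process activity on that host before it is treated as an infection.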
Analysis by Rodel Finones & Shawn Wang