Virus:Win32/Expiro.W is the detection for a virus that infects EXE files in all drives and collects user credentials from an infected computer. It also allows backdoor access and control to the infected computer, and lowers Internet Explorer settings.
Installation
Virus:Win32/Expiro.W ensures that only a single version of itself is running at any given time by creating the following mutexes:
- kkq-vx_mtx<incremental number>
- gazavat-svc
- gazavat-svc_<number>
For example, kkq-vx_mtx17 to kkq-vx_mtx99, and gazavat-svc_17
Spreads via...
File infection
Virus:Win32/Expiro.W infects EXE files and files referenced by shortcut (LNK) files. It looks for EXE files that are registered as services, those that are located in the Programs folder in the Start Menu, the user's desktop, and the local Applications Data folder. It also infects all EXE files found in drives C to Z.
Virus:Win32/Expiro.W infects files by appending its virus code to these files. It may then create a copy of the infected file using the same file name but with the extension IVR. For example, if this virus infects the file "calc.exe", this virus may create an infected copy as "calc.ivr".
The virus also disables Windows File Protection to infect protected files.
Payload
Steals sensitive information
Virus:Win32/Expiro.W collects the following sensitive information:
- Installed certificates
- Credentials stored by FileZilla
- Credentials stored by Windows Protected Storage
- Credentials entered by users in different windows, for example, in Internet Explorer
It logs the stolen credentials in the following non-malicious files:
- %localappdata%\kf<number>z32.dll, for example, kf17z32.dll
- %localappdata%\dfl<number>z32.dll, for example, dfl17z32.dll
- %localappdata%\wsr<number>zt32.dll, for example, wsr17zt32.dll
- %localappdata%\<volume serial of system folder><number>.nls, for example, dcbfifcc17.nls
- %appdata%\p<number>_<number>.dll, for example, p17_17.dll
Allows backdoor access and control
Virus:Win32/Expiro.W is able to connect to a server and receive commands from a remote attacker. Some of the servers it has been observed to connect to are:
- avcheck.biz
- avcheck.ru
- cashing.cc
- directconnection.ws
- gronx-planets.ru
- kgbrelaxclub.ru
- kidos-bank.ru
- law-service2011.ru
- license-crewru.ru
- samohodka-ww2.ru
- verified.ru
- virtest.com
- www.avcheck.biz
- www.avcheck.ru
- www.cashing.cc
- www.directconnection.ws
- www.virtest.com
- www1.hsbc.ca
Note that some of the above servers may not be malicious. There is a 15% chance the virus will generate pseudo-random '.com' and '.ru' domains such as the following:
- tdecub-ydyg.ru
- tgefa-bugin.com
- tkegy-bikav.com
- tmyjo-boneb.com
- tpykyb-aquh.ru
- tsymi-betop.com
- tvypeb-yxav.ru
- tzuqib-ubyc.ru
- tcusa-bifik.com
- tfuvub-ohap.ru
- tjixab-ekew.ru
- tlizyb-ypud.ru
It can perform any of the following actions, based on the commands of the remote attacker:
- Disable antivirus protection
- Collect and upload user credentials
- Terminate the malware process
- Download malware components
It also sends information about the infected computer every time it connects to the remote server:
- OS version information
- Windows Product ID
- Locale
- Volume serial number of drive C
Redirects website access
Virus:Win32/Expiro.W installs a Firefox extension that redirects web access from certain sites to others. Some of the sites it is known to redirect to are:
- global-shariat2030.ru
- oil-sibtrans-gaz.ru
- japan-flowersx343.net
- ivan-tarakanov1975.org
- zionist-govt3000.com
- gattling-firepower666.biz
- hlop-v-lob.ru
- sanitar-lesa.ru
- jopa-s-ushami.biz
Lowers Internet Explorer web browser security
Virus:Win32/Expiro.W modifies certain settings via the system registry that affect the Internet Explorer security settings:
In subkeys:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Sets value: "1609"
With data: "0"
Sets value: "2103"
With data: "0"
These settings allow unsecured content to be displayed in all zones and allow status bar updates via scripts.
Analysis by Rodel Finones
