Spreads via...
File infection
Virus:Win32/Expiro.BA spreads by infecting every EXE file it finds on drives C: through Z:. It infects a file by appending its code to the target. It first writes the infected copy under the same name but with the extension VIR; for example, when it infects notepad.exe it might write the infected copy as notepad.vir, which it eventually renames back to notepad.exe.
It disables Windows File Protection so that it can infect protected system files. It also enumerates the services running on the PC and infects the executables behind those services.
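Two host artifacts follow from the infection routine above: an executable that has grown by the appended code, and a leftover .vir copy when the rename did not complete. The script below is an added example, not code from the description or from Microsoft; it assumes that appended code shows up as bytes past the last section the PE headers declare (an overlay) and that a stray .vir next to an .exe of the same base name is the temporary copy. Both are triage leads rather than verdicts: signed binaries and installers legitimately carry overlays, so compare any hit against a clean copy of the same file. The sample PE and directory listing are constructed inline so the check runs offline.

```python
import struct
import ntpath


def pe_section_extent(data: bytes) -> dict:
    """Minimal PE32 reader: list the declared sections, the file offset where
    the last one ends, and how many bytes lie beyond it (the overlay).
    Offsets follow the PE/COFF layout; nothing here executes the file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt                         # first IMAGE_SECTION_HEADER
    declared_end = table + 40 * num_sections             # at least the headers
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)
        sections.append((name, ptr_raw, size_raw))
        declared_end = max(declared_end, ptr_raw + size_raw)
    return {
        "sections": sections,
        "declared_end": declared_end,
        "overlay_size": max(0, len(data) - declared_end),
    }


def has_appended_data(data: bytes) -> bool:
    """True when bytes follow the last declared section."""
    return pe_section_extent(data)["overlay_size"] > 0


def vir_leftovers(paths) -> list:
    """From a file listing, return .vir files that sit beside an .exe of the
    same base name: the temporary copy described above, left behind when the
    rename never happened."""
    normalized = {p.lower() for p in paths}
    hits = []
    for p in paths:
        root, ext = ntpath.splitext(p)
        if ext.lower() == ".vir" and (root + ".exe").lower() in normalized:
            hits.append(p)
    return hits


def build_minimal_pe(text: bytes, overlay: bytes = b"") -> bytes:
    """Constructed sample: a structurally valid PE32 with one .text section.
    It is not a runnable program; it exists only to exercise the checks."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # IMAGE_FILE_HEADER: i386, 1 section, no symbols, 224-byte optional header
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(224, b"\0")     # PE32 magic, rest zero
    raw_ptr = 0x200
    sect = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(text), 0x1000, len(text), raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + sect).ljust(raw_ptr, b"\0")
    return headers + text + overlay


if __name__ == "__main__":
    clean = build_minimal_pe(b"\xC3" * 64)
    grown = build_minimal_pe(b"\xC3" * 64, overlay=b"\x90" * 300)
    print("clean overlay bytes:", pe_section_extent(clean)["overlay_size"])
    print("grown overlay bytes:", pe_section_extent(grown)["overlay_size"])
    # Constructed directory listing with one leftover temporary copy.
    listing = [r"C:\Windows\notepad.exe", r"C:\Windows\notepad.vir",
               r"C:\Tools\TCPView.exe", r"C:\Tools\readme.vir"]
    print("leftover .vir copies:", vir_leftovers(listing))
```

To use it on a real host, read each candidate .exe in binary mode and pass the bytes to `pe_section_extent`; a non-zero overlay on a file whose clean counterpart has none is worth a closer look, and a listing from `dir /s /b C:\*.vir` fed to `vir_leftovers` shows where the infection routine was interrupted.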
Payload
Disables security software
Virus:Win32/Expiro.BA might try to close the following services and programs:
- Wscsvc - Windows Security Center service
- WinDefend - Windows Defender service
- NisSrv - Network Inspection service
- MsMpSvc - Microsoft Protection service
- MSASCui - Windows Defender program
- MsSecEs.exe - Microsoft Security Essentials program
- TCPView - Sysinternals TCP/UDP endpoint viewer
It might also uninstall the antivirus software located in the %ProgramFiles%\Microsoft Security Client folder.
Steals sensitive information
Virus:Win32/Expiro.BA collects the following sensitive information:
- Installed certificates
- Passwords stored by FileZilla
- Credentials stored by Windows Protected Storage
- Credentials entered by users in different windows, for example, in Internet Explorer
- All autocomplete entries stored by Internet Explorer within the registry key HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
The stolen data is usually logged in %APPDATA%\p<number>_<number>.dll.
Allows hacker access
Virus:Win32/Expiro.BA might connect to the following servers to allow a hacker to control your PC:
- ebvtracking.cc
- febvtracking.cc
- grewz-platker.ru
- www1.hsbc.ca
- indirs-kemono.ws
- insecto-fiestar.ru
- kgbrelaxxlub.ru
- kidos-bank.ru
- kpz-coffestores.cc
- law-service2011.ru
- license-crewru.ru
- microavrc-com32bt.com
- navitelgeodbs.ru
- samohodka-ww2.ru
- verified.ru
Virus:Win32/Expiro.BA can do the following:
- Upload the collected information
- Stop the malware process
- Download and run other malware
Redirects website access
Virus:Win32/Expiro.BA can install Firefox and Google Chrome extensions that redirect your browser to the following websites when you try to visit certain sites:
- gattling-firepower666.biz
- global-shariat2030.ru
- hlop-v-lob.ru
- ivan-tarakanov1975.org
- japan-flowersx343.net
- jopa-s-ushami.biz
- law-service2011.ru
- oil-sibtrans-gaz.ru
- sanitar-lesa.ru
- zionist-govt3000.com
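The two lists above (the control servers and the redirect targets) are most useful as network indicators. The script below is an added example, not code from the description or from Microsoft: it runs the indicators over proxy-log lines in an assumed "timestamp client method url status" format, matches a hostname when it equals an indicator or is a subdomain of one (so `update.verified.ru` hits `verified.ru` but `notverified.ru` does not), and tags hosts that appear in both lists. Note that one listed server, www1.hsbc.ca, is a host under a legitimate bank's domain, so matches are leads for an analyst rather than automatic block decisions. The log lines are constructed for the example.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Indicators exactly as listed in this description.
C2_DOMAINS = {
    "ebvtracking.cc", "febvtracking.cc", "grewz-platker.ru", "www1.hsbc.ca",
    "indirs-kemono.ws", "insecto-fiestar.ru", "kgbrelaxxlub.ru", "kidos-bank.ru",
    "kpz-coffestores.cc", "law-service2011.ru", "license-crewru.ru",
    "microavrc-com32bt.com", "navitelgeodbs.ru", "samohodka-ww2.ru", "verified.ru",
}
REDIRECT_DOMAINS = {
    "gattling-firepower666.biz", "global-shariat2030.ru", "hlop-v-lob.ru",
    "ivan-tarakanov1975.org", "japan-flowersx343.net", "jopa-s-ushami.biz",
    "law-service2011.ru", "oil-sibtrans-gaz.ru", "sanitar-lesa.ru",
    "zionist-govt3000.com",
}

# Assumed log layout: "<timestamp> <client> <METHOD> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")

# Constructed sample lines; paths and addresses are invented for the example.
SAMPLE_LOG = [
    "2013-05-02T10:01:07Z 10.0.0.15 GET http://kidos-bank.ru/ 200",
    "2013-05-02T10:01:09Z 10.0.0.15 CONNECT update.verified.ru:443 200",
    "2013-05-02T10:02:30Z 10.0.0.22 GET http://www.law-service2011.ru/ 302",
    "2013-05-02T10:03:00Z 10.0.0.22 GET http://example.com/index.html 200",
    "2013-05-02T10:03:05Z 10.0.0.31 GET http://notverified.ru/ 200",
]


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot and any :port suffix."""
    host = host.strip().lower().rstrip(".")
    return host.split(":", 1)[0]


def host_from_url(url: str) -> str:
    """Hostname of an absolute URL, or the host:port target of a CONNECT."""
    if "://" in url:
        return urlsplit(url).hostname or ""
    return url.split("/", 1)[0]


def matching_indicator(host: str, indicators) -> Optional[str]:
    """Return the indicator that host equals or is a subdomain of, else None.
    Walks from the full name to its parents, so no substring false positives."""
    labels = normalize_host(host).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def triage(lines) -> list:
    """Report every line whose destination matches a C2 or redirect indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = host_from_url(m.group("url"))
        c2 = matching_indicator(host, C2_DOMAINS)
        redir = matching_indicator(host, REDIRECT_DOMAINS)
        if c2 or redir:
            kind = "c2+redirect" if c2 and redir else ("c2" if c2 else "redirect")
            hits.append({"client": m.group("client"), "host": normalize_host(host),
                         "indicator": c2 or redir, "kind": kind})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

A client that appears under "c2" is a candidate for the host-side checks (the .vir leftovers, the %APPDATA% log file and the mutex names listed in this description); a "redirect" hit on a browser request points at the installed extension rather than the infector itself.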
Lowers Internet Explorer security
Virus:Win32/Expiro.BA changes certain security settings in Internet Explorer by making the following registry changes:
In subkeys:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Allows mixed (insecure) content to be displayed in every zone (data 0 means Enable):
Sets value: "1609"
With data: "0"
Allows status bar updates via scripts:
Sets value: "2103"
With data: "0"
Accesses data sources across domains:
Sets value: "1406"
With data: "0"
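The three URL-action values above can be checked from a `reg export` of the Zones keys. The script below is an added example, not code from the description or from Microsoft: it parses the .reg text, reports every zone where 1609, 2103 or 1406 is set to 0 (the state the virus leaves), and, because permissive defaults differ per zone, also diffs the suspect export against one taken from a known-clean machine with the same Windows and Internet Explorer version. Zone names follow Internet Explorer's numbering (0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites). The export text is constructed for the example; `reg export` writes UTF-16, so open a real file with `encoding="utf-16"`.

```python
import re

ZONE_KEY_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\"
    r"Internet Settings\\Zones\\(?P<zone>[0-4])\]$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"(?P<name>[0-9A-F]{4})"=dword:(?P<data>[0-9A-F]{8})$', re.IGNORECASE)

# The URL actions this description says the virus sets to 0 (Enable).
WATCHED_ACTIONS = {
    "1609": "Display mixed (insecure) content",
    "2103": "Allow status bar updates via script",
    "1406": "Access data sources across domains",
}
ZONE_NAMES = {"0": "My Computer", "1": "Local intranet", "2": "Trusted sites",
              "3": "Internet", "4": "Restricted sites"}

# Constructed export: zone 3 shows the virus's settings, zone 4 does not.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1406"=dword:00000000
"1609"=dword:00000000
"2103"=dword:00000000
"1A00"=dword:00020000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"DisplayName"="Restricted sites"
"1406"=dword:00000003
"1609"=dword:00000001
"2103"=dword:00000003
"""


def parse_zone_export(text: str) -> dict:
    """Parse a reg.exe export into {zone: {action_id: int}}; other keys are skipped."""
    zones, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = ZONE_KEY_RE.match(line)
        if m:
            current = m.group("zone")
            zones.setdefault(current, {})
            continue
        if line.startswith("["):      # a key we do not track: stop attributing values
            current = None
            continue
        v = VALUE_RE.match(line)
        if current is not None and v:
            zones[current][v.group("name").upper()] = int(v.group("data"), 16)
    return zones


def find_weakened_zones(zones: dict) -> list:
    """(zone, zone name, action, description) for each watched action set to 0."""
    findings = []
    for zone in sorted(zones):
        for action, desc in WATCHED_ACTIONS.items():
            if zones[zone].get(action) == 0:
                findings.append((zone, ZONE_NAMES.get(zone, "?"), action, desc))
    return findings


def diff_watched(suspect: dict, baseline: dict) -> list:
    """(zone, action, suspect value, baseline value) wherever the watched
    actions differ from a known-clean export. None means the value is absent."""
    out = []
    for zone in sorted(set(suspect) | set(baseline)):
        for action in WATCHED_ACTIONS:
            s = suspect.get(zone, {}).get(action)
            b = baseline.get(zone, {}).get(action)
            if s != b:
                out.append((zone, action, s, b))
    return out


if __name__ == "__main__":
    zones = parse_zone_export(SAMPLE_EXPORT)
    for finding in find_weakened_zones(zones):
        print("zone %s (%s): %s = 0, %s" % finding)
```

A hit in zone 3 (Internet) or zone 4 (Restricted sites) is the clearest signal, since those zones are the least permissive by design; for zones 0 to 2 rely on the baseline diff rather than on the raw value.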
Additional information
Virus:Win32/Expiro.BA uses the following mutex names to ensure that only one copy of itself is active at a time:
- kkq-vx_mtx<incremental number>
- gazavat-svc
- gazavat-svc_<number>
Analysis by Mihai Calota