Virus:Win32/Expiro.AO
First posted on 03 May 2013.
Source: Microsoft
Aliases:
Virus:Win32/Expiro.AO is also known as Win32/Expiro.Gen (AhnLab), W32/Expiro.W (Command), Virus.Win32.Expiro.w (Kaspersky), W32/Expiro.AR (Norman), Win32/Expiro.W (AVG), W32/Expiro.W (Avira), Win32.Expiro.AD (BitDefender), Win32.Expiro.23 (Dr.Web), Win32/Expiro.NAB virus (ESET), Virus.Win32.Expiro (Ikarus), W32/Expiro.gen.h (McAfee), Win32.Expiro.M (Rising AV), W32/Expiro-H (Sophos), W32.Xpiro.D (Symantec), PE_EXPIRO.RAP (Trend Micro).
Explanation:
Spreads via...
File infection
Virus:Win32/Expiro.AO infects files with the .EXE extension and files referenced by shortcut files (with the .LNK extension). It looks for .EXE files that are registered as services, and for .EXE files whose shortcuts are located in the Programs folder of the Start Menu, on your desktop, and in the local Application Data folder. It also infects all .EXE files found on drives C: to Z:.
It also disables Windows File Protection to infect protected files.
It infects files by appending its virus code as a section named ".PACK" to the target file. It also changes the entry point of the host file to execute the virus code. The virus code is always encrypted and the decryption key is different for each file.
It may create a copy of the infected file using the same file name but with the extension .VIR. For example, if this virus infects a file named "foo.exe", it may create an infected copy as "foo.vir", which is deleted after some time.
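The infection marker described above (an appended ".PACK" section that the entry point now points into) can be checked from the PE headers alone. The following is an added example, not code from the original advisory; it assumes the infected section is the last one in the section table and builds a minimal constructed PE32 header as sample input, using only the standard library.

```python
import struct


def pe_sections(data: bytes):
    """Return (entry_point_rva, [(name, virt_addr, virt_size), ...]) or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                        # IMAGE_OPTIONAL_HEADER
    entry = struct.unpack_from("<I", data, opt + 16)[0]    # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i                      # 40-byte IMAGE_SECTION_HEADER
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr = struct.unpack_from("<II", data, off + 8)
        sections.append((name, vaddr, vsize))
    return entry, sections


def looks_expiro_infected(data: bytes) -> bool:
    """Flag a PE whose last section is '.PACK' and whose entry point lies inside it."""
    parsed = pe_sections(data)
    if not parsed or not parsed[1]:
        return False
    entry, sections = parsed
    name, vaddr, vsize = sections[-1]
    return name == ".PACK" and vaddr <= entry < vaddr + vsize


def build_sample_pe(section_names, entry_rva) -> bytes:
    """Constructed minimal PE32 header used as sample input (headers only, no code)."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))      # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                           # AddressOfEntryPoint
    hdr += opt
    for i, name in enumerate(section_names):
        vaddr = 0x1000 * (i + 1)                                         # one page per section
        hdr += name.encode().ljust(8, b"\0") + struct.pack("<II", 0x1000, vaddr) + b"\0" * 24
    return bytes(hdr)


if __name__ == "__main__":
    print(looks_expiro_infected(build_sample_pe([".text", ".data", ".PACK"], 0x3010)))  # True
    print(looks_expiro_infected(build_sample_pe([".text", ".data"], 0x1000)))           # False
```

A `.PACK` section whose range does not contain the entry point is not flagged, so a file that merely carries a section by that name (or the .VIR copy with its section already removed) is left for a signature-based scanner to judge.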
Payload
Steals sensitive information
Virus:Win32/Expiro.AO may collect the following sensitive information about your computer:
- Installed certificates
- Credit card details
- Credentials stored by FileZilla in "%AppData%\FileZilla\sitemanager.xml"
- Credentials stored by Firefox in "%AppData%\Mozilla\Firefox\Profiles"
- Credentials stored by Windows Protected Storage
- All Autocomplete entries stored by Internet Explorer under HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
It logs the stolen credentials in the following clean files:
- %LOCALAPPDATA%\wsr<number>zt32.dll, for example, wsr17zt32.dll
- %LOCALAPPDATA%\dfl<number>z32.dll, for example, dfl17z32.dll
- %LOCALAPPDATA%\kf<number>z32.dll, for example, kf17z32.dll
- %APPDATA%\<volume serial of the Windows system folder><number>.nls, for example, dcbfifcc17.nls
Lowers Internet Explorer security settings
Virus:Win32/Expiro.AO lowers your Internet Explorer security by changing the following settings; these settings allow unsecured content to be displayed in all zones and allow status bar updates via scripts:
In subkeys:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Allows content of mixed security to display across all zones:
Sets value: "1609"
With data: "0"
Allows status bar updates via scripts:
Sets value: "2103"
With data: "0"
Accesses data sources across domains:
Sets value: "1406"
With data: "0"
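The three URL-action values above can be audited across the five zone subkeys in one pass. This is an added example, not code from the original advisory: the check itself works on a snapshot dictionary so it can be run offline against the constructed snapshots below, and the live read assumes the current user's HKCU on a Windows host (the `winreg` module is Windows-only and the function returns an empty snapshot elsewhere).

```python
ZONE_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"

# URL action values the virus sets to 0 ("Enable"); 1 is "Prompt", 3 is "Disable".
WEAKENED = {
    "1609": "mixed (secure/unsecured) content displayed",
    "2103": "status bar updates via script allowed",
    "1406": "data sources accessed across domains",
}


def audit_zones(snapshot):
    """snapshot: {zone_number: {value_name: dword}}. Returns (zone, value, meaning) findings."""
    findings = []
    for zone in range(5):                      # zones 0 (My Computer) .. 4 (Restricted sites)
        values = snapshot.get(zone, {})
        for name, meaning in WEAKENED.items():
            if values.get(name) == 0:
                findings.append((zone, name, meaning))
    return findings


def read_live_zones():
    """Read the same values from HKCU on Windows; returns {} where winreg is unavailable."""
    try:
        import winreg
    except ImportError:
        return {}
    snap = {}
    for zone in range(5):
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_KEY + "\\" + str(zone)) as key:
                snap[zone] = {}
                for name in WEAKENED:
                    try:
                        snap[zone][name] = winreg.QueryValueEx(key, name)[0]
                    except FileNotFoundError:
                        pass                   # value absent: zone uses its template default
        except FileNotFoundError:
            pass                               # zone subkey absent on this profile
    return snap


# Constructed snapshots (not captured from a real host): zones 0-4 as the virus leaves them,
# and an Internet zone (3) where the same values are Prompt/Disable instead.
INFECTED_SNAPSHOT = {z: {"1609": 0, "2103": 0, "1406": 0} for z in range(5)}
CLEAN_SNAPSHOT = {3: {"1609": 1, "2103": 3, "1406": 3}}

if __name__ == "__main__":
    # Audit the live profile on Windows; fall back to the constructed snapshot elsewhere.
    for zone, value, meaning in audit_zones(read_live_zones() or INFECTED_SNAPSHOT):
        print(f"Zone {zone}: value {value} = 0 -> {meaning}")
```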
Allows backdoor access and control
Virus:Win32/Expiro.AO can connect to a server and receive commands from a remote attacker. Some of the servers it has been observed to connect to for this purpose are:
Disables security software
Virus:Win32/Expiro.AO might try to close the following services and programs, which are connected to the security of your computer:
- MSASCui.exe - Windows Defender program
- MsMpSvc - Microsoft Protection service
- MsSecEs.exe - Microsoft Security Essentials program
- NisSrv - Network Inspection service
- TCPView.exe - Network Traffic Viewer program by Sysinternals
- WinDefend - Windows Defender service
- Wscsvc - Windows Security Center service
Installs a Firefox extension
Virus:Win32/Expiro.AO installs a Firefox extension that redirects web access from certain sites to others. Some of the sites it is known to redirect to are:
The extension is installed in the Firefox extension folder as the following files:
- <Firefox plugin folder>\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\components\red.js
- <Firefox plugin folder>\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\install.rdf
- <Firefox plugin folder>\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\chrome\content.jar
- <Firefox plugin folder>\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\chrome.manifest
Aside from redirecting access to certain websites, the extension can also:
- Log information that you fill in on websites
- Send the logged information to a remote server
- Monitor the websites you visit
- Receive a new server list to communicate with
- Disable security settings related to Internet browsing
Additional information
Virus:Win32/Expiro.AO creates mutexes to ensure that only one instance of itself is running. The mutex names follow one or more of the following formats:
- kkq-vx_mtx<number>
- gazavat-svc
- gazavat-svc_<number>
For example, kkq-vx_mtx17 or gazavat-svc_17.
Analysis by Daniel Chipiristeanu
Last update 03 May 2013