Virus:Win32/Expiro.BC


First posted on 07 February 2013.
Source: Microsoft

Aliases:

Virus:Win32/Expiro.BC is also known as Win32/Expiro4.Gen (AhnLab), Virus found Win32/Expiro (AVG), Win32/Expiro.NAN virus (ESET), W32/Expiro.gen.n (McAfee), Win32.Expiro.V (Rising AV), W32.Xpiro.D (Symantec).

Explanation:

Spreads via...

File infection

Virus:Win32/Expiro.BC searches for and infects EXE files from drives C: to Z:. It infects files by appending its virus code as a section named ".vmp0" to the target file.

It may create a copy of the infected file using the same file name but with the extension VIR. For example, if this virus infects a file named "foo.exe", it may create an infected copy as "foo.vir", which is deleted after some time.

If this virus targets a protected file, it disables Windows File Protection to infect the file.

Payload

Steals sensitive information

Virus:Win32/Expiro.BC may collect the following sensitive information about your computer:

  • Installed certificates
  • Credentials stored by FileZilla
  • Credentials stored by Windows Protected Storage
  • Credentials stored by users, for example, in Internet Explorer


It logs the stolen credentials in the following clean files:

  • %LOCALAPPDATA%\wsr<number>zt32.dll, for example, wsr27zt32.dll
  • %APPDATA%\<volume serial of the Windows system folder><number>.nls, for example, fcjejege27.nls


Modifies Internet Explorer settings

Virus:Win32/Expiro.BC lowers your Internet Explorer security by changing the following settings:

In subkeys:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4

Allows content of mixed security to display across all zones:
Sets value: "1609"
With data: "0"

Allows status bar updates via scripts:
Sets value: "2103"
With data: "0"

Accesses data sources across domains:
Sets value: "1406"
With data: "0"

Additional information

Virus:Win32/Expiro.BC creates mutexes to ensure that only one instance of itself is running. The mutexes may use one or more of the following name formats:

  • kkq-vx_mtx<number>
  • gazavat-svc
  • gazavat-svc_<number>


For example, kkq-vx_mtx1 or gazavat-svc_27.
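As an added defender-side check that is not part of the Microsoft write-up: a small pure-Python PE section-table parser that flags the appended ".vmp0" section described under File infection, plus a regex for the mutex name formats listed above. The header-only PE builder is a constructed test input, and reading "<number>" as decimal digits is an assumption.

```python
import re
import struct

# Section name that Virus:Win32/Expiro.BC appends to infected EXE files (per the advisory).
EXPIRO_SECTION = b".vmp0"
# Mutex name formats quoted in the advisory; "<number>" is assumed to mean decimal digits.
MUTEX_RE = re.compile(r"^(?:kkq-vx_mtx\d+|gazavat-svc(?:_\d+)?)$")


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image in file order (raises on non-PE input)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header after the signature: NumberOfSections at +2, SizeOfOptionalHeader at +16.
    num_sections, opt_size = struct.unpack_from("<H12xH", data, e_lfanew + 6)
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    names = []
    for i in range(num_sections):             # each IMAGE_SECTION_HEADER is 40 bytes, name first
        off = table + i * 40
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def find_expiro_section(data: bytes) -> dict:
    """Report whether '.vmp0' is present and whether it is the last (appended) section."""
    names = pe_section_names(data)
    present = EXPIRO_SECTION in names
    return {"present": present, "appended": present and names[-1] == EXPIRO_SECTION}


def build_sample_pe(section_names) -> bytes:
    """CONSTRUCTED test input: a header-only PE image with the given section names."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)           # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    table = b"".join(struct.pack("<8s", n) + bytes(32) for n in section_names)
    return dos + coff + table


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, find_expiro_section(fh.read()))
```

A ".vmp0" section is only an indicator, since binaries protected with the VMProtect packer also use that section name; corroborate with the mutex names, the .vir copies or the log files before treating a file as infected.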
Analysis by Rex Plantado

Last update 07 February 2013
