
Virus:Win32/Expiro.gen!F


First posted on 29 November 2011.
Source: SecurityHome

Aliases:

Virus:Win32/Expiro.gen!F is also known as Win32/Expiro.G (AhnLab), W32/Expiro.O (Command), W32/Expiro.W (Norman), Win32.Expiro.Gen.3 (VirusBuster), Win32/Expiro.W (AVG), Win32.Expiro.30 (Panda), Virus.Win32.Expiro (Ikarus), Virus.Win32.Expiro.w (Kaspersky), W32/Expiro.gen.h (McAfee), W32/Expiro-H (Sophos), W32.Xpiro.D (Symantec), PE_EXPIRO.RAP (Trend Micro).

Explanation:

Virus:Win32/Expiro.gen!F is a generic detection for variants of Win32/Expiro, a virus that infects executable files with .EXE extensions on all drives and steals user credentials from the infected computer. It also gives a remote attacker backdoor access to and control of the infected computer, and lowers Internet Explorer security settings.


Installation

Virus:Win32/Expiro.gen!F ensures that only one instance of itself is running at any given time by creating the following mutexes:

  • kkq-vx_mtx<incremental number>
  • gazavat-svc
  • gazavat-svc_<number>


For example, kkq-vx_mtx17 to kkq-vx_mtx99, gazavat-svc_17 and gazavat-svc_18.

Spreads via...

File infection

Virus:Win32/Expiro.gen!F infects executable files with .EXE extensions and the files referenced by shortcut (LNK) files. It targets EXE files that are registered as services, and those located in the Start Menu's Programs folder, on the user's desktop, and in the local Application Data folder.

It also infects all EXE files found in drives C to Z.

Virus:Win32/Expiro.gen!F infects a file by appending its virus code to it. It may then create a copy of the infected file with the same file name but the extension .IVR; for example, after infecting "calc.exe" it may write an infected copy as "calc.ivr".

The virus also disables Windows File Protection in order to infect protected files.



Payload

Steals sensitive information

Virus:Win32/Expiro.gen!F collects the following sensitive information:

  • Installed certificates
  • Credentials stored by FileZilla
  • Credentials stored by Windows Protected Storage
  • Credentials entered by users in different windows, for example, in Internet Explorer
  • Passwords stored by Internet Explorer, within the following registry entry: HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2


It writes the stolen credentials to the following log files (data files, not malicious code themselves, despite the .dll extension):

  • %localappdata%\kf<number>z32.dll, for example, kf17z32.dll
  • %localappdata%\dfl<number>z32.dll, for example, dfl17z32.dll
  • %localappdata%\wsr<number>zt32.dll, for example, wsr17zt32.dll
  • %localappdata%\<volume serial of the Windows system folder><number>.nls, for example, dcbfifcc17.nls
  • %appdata%\p<number>_<number>.dll, for example, p17_17.dll, p18_18.dll
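The mutex names from the Installation section, the .ivr copies from the File infection section and the credential log files listed above are all host indicators that an incident responder can sweep for. The script below is an added example written for this page, not code from the original analysis or from Microsoft: it matches file names against the patterns above and, on Windows, probes for the mutexes by name. The regular expressions, the assumption that <number> is decimal digits and the encoded volume serial is eight lowercase letters, the counter range 0..99, and the sample path listing are all constructed assumptions.

```python
import ctypes
import ntpath
import os
import re
import sys

# File-name patterns derived from the artifact names listed above. The <number>
# placeholder is assumed to be decimal digits and the encoded volume serial is
# assumed to be eight lowercase letters (as in "dcbfifcc"); both are assumptions.
LOG_FILE_PATTERNS = [
    re.compile(r"^kf\d+z32\.dll$", re.IGNORECASE),
    re.compile(r"^dfl\d+z32\.dll$", re.IGNORECASE),
    re.compile(r"^wsr\d+zt32\.dll$", re.IGNORECASE),
    re.compile(r"^[a-z]{8}\d+\.nls$", re.IGNORECASE),
    re.compile(r"^p\d+_\d+\.dll$", re.IGNORECASE),
]


def classify_path(path):
    """Return a reason string if the file name matches an Expiro artifact, else None."""
    name = ntpath.basename(path)  # ntpath handles both '\' and '/' on any platform
    if name.lower().endswith(".ivr"):
        return "possible infected copy (.ivr) of an executable"
    for pattern in LOG_FILE_PATTERNS:
        if pattern.match(name):
            return "credential log file name pattern"
    return None


def sweep_paths(paths):
    """Apply classify_path to an iterable of paths; returns [(path, reason), ...]."""
    hits = []
    for path in paths:
        reason = classify_path(path)
        if reason:
            hits.append((path, reason))
    return hits


def sweep_directory(root):
    """Walk a real directory tree (for example %LOCALAPPDATA% and %APPDATA%) and report hits."""
    paths = [os.path.join(dirpath, name)
             for dirpath, _dirs, files in os.walk(root)
             for name in files]
    return sweep_paths(paths)


def mutex_names(max_counter=99):
    """Mutex names to probe: the fixed name plus the numbered variants.
    The counter range 0..max_counter is an assumption based on the kkq-vx_mtx17..99 example."""
    names = ["gazavat-svc"]
    for n in range(max_counter + 1):
        names.append(f"kkq-vx_mtx{n}")
        names.append(f"gazavat-svc_{n}")
    return names


def check_mutexes():
    """Windows only: open each candidate mutex by name (OpenMutexW) and report the
    ones that exist. Returns an empty list on other platforms."""
    if sys.platform != "win32":
        return []
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.OpenMutexW.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p]
    kernel32.OpenMutexW.restype = ctypes.c_void_p
    kernel32.CloseHandle.argtypes = [ctypes.c_void_p]
    SYNCHRONIZE = 0x00100000
    found = []
    for name in mutex_names():
        handle = kernel32.OpenMutexW(SYNCHRONIZE, 0, name)
        if handle:
            found.append(name)
            kernel32.CloseHandle(handle)
    return found


# Constructed sample listing, not taken from a real host.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\kf17z32.dll",
    r"C:\Users\alice\AppData\Local\dcbfifcc17.nls",
    r"C:\Users\alice\AppData\Roaming\p17_17.dll",
    r"C:\Windows\System32\calc.ivr",
    r"C:\Users\alice\AppData\Local\Temp\report.dll",
    r"C:\Program Files\App\app.exe",
]

if __name__ == "__main__":
    for path, reason in sweep_paths(SAMPLE_PATHS):
        print(f"{reason}: {path}")
    for name in check_mutexes():
        print(f"mutex present: {name}")
```

Run `sweep_directory` against %LOCALAPPDATA% and %APPDATA% on a suspect host; a name match is a lead, not a verdict, since the .nls pattern in particular is loose and the .ivr extension is not reserved to this family. The mutex probe has to run as the same user and session as the infected process for the names to be visible.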


Allows backdoor access and control

Virus:Win32/Expiro.gen!F connects to a server to receive commands from a remote attacker.

Depending on the variant, Win32/Expiro has been observed to connect to the following servers:

  • antiviral-tstlist.biz
  • avcheck.biz
  • avcheck.ru
  • avcheckx2011.ru
  • barclays.com
  • cashing.cc
  • directconnection.ws
  • ganzagroup.com
  • ganzagroup.in
  • gektar-promarenda.ru
  • gronx-planets.ru
  • hsbc.ca
  • kgbrelaxclub.ru
  • kidos-bank.ru
  • laurentianbank.ca
  • law-service2011.ru
  • license-crewru.ru
  • license-policy2012.ru
  • lowlol-casting.ru
  • ppshafromhugewar.ru
  • samohodka-ww2.ru
  • samohodka-ww3.ru
  • skolkovo-bizrents2012.ru
  • smellsliketervana.com
  • verified.ru
  • virtest.com
  • xverified.ru


Note: Some of the above servers may not be malicious.

It can also generate, at any given time, a set of pseudo-random '.com' and '.ru' domains (a domain generation algorithm) such as the following:

  • <char>decub-ydyg.ru
  • <char>gefa-bugin.com
  • <char>kegy-bikav.com
  • <char>pykyb-aquh.ru
  • <char>symi-betop.com
  • <char>vypeb-yxav.ru
  • <char>zuqib-ubyc.ru
  • <char>cusa-bifik.com
  • <char>fuvub-ohap.ru
  • <char>jixab-ekew.ru
  • <char>lizyb-ypud.ru
  • <char>pibob-urok.ru
  • <char>ridyb-ivar.ru
  • <char>vofib-oxyx.ru
  • <char>zojeb-abif.ru
  • <char>bokib-efal.ru
  • <char>famab-yjes.ru
  • <char>hapub-uluz.ru


Where <char> is a randomly selected character such as 'h', 't', 'v' or 'r' (for example, rdecub-ydyg.ru, vcusa-bifik.com and tjixab-ekew.ru).
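The hard-coded server list above and the generated domains are the network indicators a SOC would hunt for in DNS logs. The script below is an added example for this page, not code from the original analysis: it checks queried names against the deduplicated server list and against a shape heuristic inferred from the listed samples (one prefix letter, a 4- or 5-letter chunk, a hyphen, a 5- or 4-letter chunk, .ru or .com, and, once the prefix and hyphen are dropped, nine letters strictly alternating consonant and vowel). That heuristic, the log line format, the client addresses and timestamps are all constructed assumptions; the real generation algorithm is not described on this page.

```python
import re

# Host names from the list above (duplicates removed). The original note says some
# may not be malicious; the three bank domains below are legitimate institutions'
# domains, so a query to them is context rather than a verdict.
KNOWN_C2 = {
    "antiviral-tstlist.biz", "avcheck.biz", "avcheck.ru", "avcheckx2011.ru",
    "barclays.com", "cashing.cc", "directconnection.ws", "ganzagroup.com",
    "ganzagroup.in", "gektar-promarenda.ru", "gronx-planets.ru", "hsbc.ca",
    "kgbrelaxclub.ru", "kidos-bank.ru", "laurentianbank.ca", "law-service2011.ru",
    "license-crewru.ru", "license-policy2012.ru", "lowlol-casting.ru",
    "ppshafromhugewar.ru", "samohodka-ww2.ru", "samohodka-ww3.ru",
    "skolkovo-bizrents2012.ru", "smellsliketervana.com", "verified.ru",
    "virtest.com", "xverified.ru",
}
LEGITIMATE_LOOKING = {"barclays.com", "hsbc.ca", "laurentianbank.ca"}

VOWELS = set("aeiouy")
# Shape shared by every listed sample: one prefix letter, a 4- or 5-letter chunk,
# a hyphen, a 5- or 4-letter chunk, TLD .ru or .com. This is a heuristic inferred
# from the samples (assumption), not the actual generation algorithm.
DGA_SHAPE = re.compile(r"^[a-z]([a-z]{4,5})-([a-z]{4,5})\.(?:ru|com)$")


def looks_like_expiro_dga(host):
    """True if host matches the shape of the generated domains listed above."""
    m = DGA_SHAPE.match(host.lower().rstrip("."))
    if not m:
        return False
    core = m.group(1) + m.group(2)
    if len(core) != 9:
        return False
    # Dropping the prefix letter and the hyphen leaves a strictly alternating
    # consonant/vowel string starting with a consonant in every listed sample.
    return all((ch in VOWELS) == (i % 2 == 1) for i, ch in enumerate(core))


def classify_host(host):
    """Return a verdict string for a queried host name, or None if nothing matched."""
    h = host.lower().rstrip(".")
    if h in LEGITIMATE_LOOKING:
        return "listed host, but a legitimate institution's domain: verify before acting"
    if h in KNOWN_C2:
        return "hard-coded Expiro server"
    if looks_like_expiro_dga(h):
        return "matches Expiro DGA shape"
    return None


def triage_dns_log(text):
    """Parse constructed log lines of the form '<timestamp> <client> <qname> <qtype>'
    and return [(client, qname, verdict), ...] for the lines that matched."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        client, qname = fields[1], fields[2]
        verdict = classify_host(qname)
        if verdict:
            hits.append((client, qname, verdict))
    return hits


# Constructed sample log; the client addresses and timestamps are invented.
SAMPLE_DNS_LOG = """\
2011-11-29T09:12:01Z 10.0.0.21 avcheck.ru A
2011-11-29T09:12:04Z 10.0.0.21 rdecub-ydyg.ru A
2011-11-29T09:12:05Z 10.0.0.21 vcusa-bifik.com A
2011-11-29T09:13:10Z 10.0.0.33 www.microsoft.com A
2011-11-29T09:13:11Z 10.0.0.33 hsbc.ca A
2011-11-29T09:14:02Z 10.0.0.21 tjixab-ekew.ru A
2011-11-29T09:14:03Z 10.0.0.33 news-site.ru A
"""

if __name__ == "__main__":
    for client, qname, verdict in triage_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} -> {qname}: {verdict}")
```

The alternation rule is what keeps ordinary hyphenated names such as news-site.ru or xmoto-cross.ru out of the DGA bucket, but it is tuned to the eighteen samples on this page and will miss generated names that break the pattern; a host that hits several shape matches in a short window, as 10.0.0.21 does in the sample, is the signal worth escalating.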

It can perform any of the following actions, based on the commands of the remote attacker:

  • Disable antivirus protection
  • Collect and upload user credentials
  • Terminate the malware process
  • Download malware components


It also sends information about the infected computer every time it connects to the remote server:

  • Operating System version information
  • Windows Product ID
  • Locale
  • Volume serial number of drive C


Redirects website access

Virus:Win32/Expiro.gen!F installs a Firefox extension that redirects web access from certain sites to others.

Depending on the variant of Win32/Expiro, it is known to redirect to the following servers:

  • advokat-spb18.ru
  • attorney-at-jew.ru
  • cannabis-anabioz.org
  • da-zdra-per-ma.com
  • fettucini-mushfood.biz
  • ganzagroup.net
  • gattling-firepower666.biz
  • gosdep-mskcity.ru
  • govt-comission2011.ru
  • grilled-mushrooms.cc
  • headshot-freelance.com
  • hlop-v-lob.ru
  • ivan-tarakanov1975.org
  • japan-flowersx343.net
  • jopa-s-ushami.biz
  • kaspersky-antinod.biz
  • kevlar-xguard.ru
  • lasersquad1996.com
  • maha-krishna-ashram.in
  • mellsliketervana.com
  • million-megadoz.com
  • mobbine.com
  • mossad-torg.ru
  • nae-biznes.ru
  • nsdap-party.org
  • office-rents24.ru
  • oil-sibtrans-gaz.ru
  • rmobbine.com
  • s350.in
  • sanitar-lesa.ru
  • save-galapagos-turtles.biz
  • smellsliketervana.com
  • xray-lagometer.org
  • zae-biznes.com
  • zionist-govt3000.com


Modifies browser settings

Virus:Win32/Expiro.gen!F makes the following registry modifications to lower the security settings of every Internet Explorer zone:

In subkeys:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Sets value: "1609"
With data: "0"
Sets value: "2103"
With data: "0"
Sets value: "1406"
With data: "0"

For these values, data 0 means Enable (1 is Prompt and 3 is Disable). Value 1609 controls "Display mixed content", 2103 controls "Allow status bar updates via script" and 1406 controls "Access data sources across domains", so the change allows unsecured (mixed) content to be displayed, lets scripts update the status bar, and permits cross-domain data access in all five zones (Local Machine, Local Intranet, Trusted Sites, Internet and Restricted Sites).
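The registry changes above are easy to audit because the three value names and the five zone keys are fixed. The script below is an added example for this page, not code from the original analysis: it reads the live HKCU zone values with winreg on Windows and reports any of the three watched values that is set to 0 (Enable); the constructed snapshots let it run, and be checked, on any platform. The snapshot contents and the "clean" Internet zone values are assumptions for illustration.

```python
import sys

ZONES_PATH = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}
# The three values the virus forces to 0. For these URL action values 0 = Enable,
# 1 = Prompt, 3 = Disable.
WATCHED_VALUES = {
    "1609": "Display mixed content",
    "2103": "Allow status bar updates via script",
    "1406": "Access data sources across domains",
}


def audit_zone_settings(snapshot):
    """snapshot maps zone number -> {value name: data}. Returns one finding per
    watched value that is set to 0 (Enable): (zone, zone name, value, meaning)."""
    findings = []
    for zone in sorted(snapshot):
        for value, meaning in WATCHED_VALUES.items():
            if snapshot[zone].get(value) == 0:
                findings.append((zone, ZONE_NAMES.get(zone, "unknown"), value, meaning))
    return findings


def read_zone_snapshot():
    """Windows only: read the live HKCU values for zones 0-4 with winreg."""
    import winreg
    snapshot = {}
    for zone in range(5):
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONES_PATH + "\\" + str(zone)) as key:
            values = {}
            for value in WATCHED_VALUES:
                try:
                    values[value] = winreg.QueryValueEx(key, value)[0]
                except FileNotFoundError:
                    values[value] = None  # value absent: the zone template default applies
            snapshot[zone] = values
    return snapshot


# Constructed snapshot reproducing the modified state described above
# (all three values forced to 0 in every zone).
INFECTED_SNAPSHOT = {zone: {"1609": 0, "2103": 0, "1406": 0} for zone in range(5)}
# Constructed snapshot of an Internet zone left at conservative settings (assumed values).
CLEAN_INTERNET_ZONE = {3: {"1609": 1, "2103": 3, "1406": 3}}

if __name__ == "__main__":
    snapshot = read_zone_snapshot() if sys.platform == "win32" else INFECTED_SNAPSHOT
    for zone, zone_name, value, meaning in audit_zone_settings(snapshot):
        print(f"zone {zone} ({zone_name}): {value} ({meaning}) = 0 (Enable)")
```

Two caveats when reading the output: the Local Machine and Local Intranet zones are permissive by default, so the decisive hits are 0 values in the Internet (3) and Restricted Sites (4) zones; and when the Security_HKLM_only policy value is set under HKLM\...\Internet Settings, the HKLM zone keys take precedence over HKCU, so the same check should be repeated against HKEY_LOCAL_MACHINE.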



Analysis by Rodel Finones

Last update 29 November 2011