Virus:Win32/Expiro.BA
First posted on 14 March 2013.
Source: Microsoft
Aliases:
Virus:Win32/Expiro.BA is also known as W32/Expiro_gen.PG (Norman), Virus found Win32/Expiro (AVG), Virus.Win32.Expiro (Ikarus), W32/Expiro.gen.o (McAfee), Win32.Expiro.U (Rising AV), W32/Expiro-H (Sophos), W32.Xpiro.D (Symantec).
Explanation:
Spreads via...
File infection
Virus:Win32/Expiro.BA spreads by infecting all EXE files found on drives C to Z. It infects files by appending its code to the target file. While doing so it creates a temporary infected copy of the target under the same file name but with the extension VIR; for example, if this virus infects the file "notepad.exe", it might write the infected copy as "notepad.vir" and eventually rename it back to "notepad.exe".
It disables Windows File Protection so that it can infect protected files. It also enumerates the services running on your computer and infects their executables.
Payload
Disables security software
Virus:Win32/Expiro.BA might try to close the following services and programs:
- Wscsvc - Windows Security Center service
- WinDefend - Windows Defender service
- NisSrv - Network Inspection service
- MsMpSvc - Microsoft Protection service
- MSASCui - Windows Defender program
- MsSecEs.exe - Microsoft Security Essentials program
- TCPView - Network Traffic Viewer by Sysinternals
It might also uninstall the antivirus software located in the "%ProgramFiles%\Microsoft Security Client" folder.
Steals sensitive information
Virus:Win32/Expiro.BA collects the following sensitive information:
- Installed certificates
- Passwords stored by FileZilla
- Credentials stored by Windows Protected Storage
- Credentials entered by users in different windows, for example, in Internet Explorer
- All autocomplete entries stored by Internet Explorer within HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
The stolen data may be logged in "%AppData%\p<number>_<number>.dll".
Allows backdoor access and control
Virus:Win32/Expiro.BA may connect to the following servers to allow a remote attacker access to your computer:
- ebvtracking.cc
- febvtracking.cc
- grewz-platker.ru
- www1.hsbc.ca
- indirs-kemono.ws
- insecto-fiestar.ru
- kgbrelaxxlub.ru
- kidos-bank.ru
- kpz-coffestores.cc
- law-service2011.ru
- license-crewru.ru
- microavrc-com32bt.com
- navitelgeodbs.ru
- samohodka-ww2.ru
- verified.ru
Virus:Win32/Expiro.BA can do the following:
- Upload the collected information
- Stop the malware process
- Download and run other malware
Redirects website access
Virus:Win32/Expiro.BA can install Firefox and Google Chrome extensions, which redirect access from certain sites to the following servers:
- gattling-firepower666.biz
- global-shariat2030.ru
- hlop-v-lob.ru
- ivan-tarakanov1975.org
- japan-flowersx343.net
- jopa-s-ushami.biz
- law-service2011.ru
- oil-sibtrans-gaz.ru
- sanitar-lesa.ru
- zionist-govt3000.com
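The two hostname lists above (the backdoor servers and the browser-extension redirect targets) are the network indicators a defender can sweep logs for. The following script is an added example, not Microsoft's code: it matches DNS query log lines against both lists and reports hits per client. The log layout it parses (timestamp, client IP, the word "query", queried name) is an assumption, and the sample lines are constructed.

```python
"""Match DNS query log lines against the hostnames listed in this write-up.

Added example; not Microsoft's code. The log line format (timestamp, client IP,
the literal word "query", query name) is an assumption, and the sample lines
below are constructed. Hostnames are copied from the two lists above.
"""
import re

# Servers the virus may contact for backdoor access (from the list above).
C2_HOSTS = {
    "ebvtracking.cc", "febvtracking.cc", "grewz-platker.ru", "www1.hsbc.ca",
    "indirs-kemono.ws", "insecto-fiestar.ru", "kgbrelaxxlub.ru", "kidos-bank.ru",
    "kpz-coffestores.cc", "law-service2011.ru", "license-crewru.ru",
    "microavrc-com32bt.com", "navitelgeodbs.ru", "samohodka-ww2.ru", "verified.ru",
}

# Servers the installed browser extensions redirect to (from the list above).
REDIRECT_HOSTS = {
    "gattling-firepower666.biz", "global-shariat2030.ru", "hlop-v-lob.ru",
    "ivan-tarakanov1975.org", "japan-flowersx343.net", "jopa-s-ushami.biz",
    "law-service2011.ru", "oil-sibtrans-gaz.ru", "sanitar-lesa.ru",
    "zionist-govt3000.com",
}

# Assumed log layout: "<timestamp> <client-ip> query <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)")


def classify_host(qname):
    """Return the set of categories ('c2', 'redirect') a queried name matches.

    The listed name itself or any subdomain of it counts as a hit, so
    'cdn.verified.ru' matches 'verified.ru'; a trailing dot is ignored.
    """
    host = qname.rstrip(".").lower()
    categories = set()
    for category, hosts in (("c2", C2_HOSTS), ("redirect", REDIRECT_HOSTS)):
        if any(host == h or host.endswith("." + h) for h in hosts):
            categories.add(category)
    return categories


def scan_dns_log(lines):
    """Map each client IP to the list of (qname, categories) hits in its queries."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not fit the assumed layout; skip it
        cats = classify_host(m.group("qname"))
        if cats:
            hits.setdefault(m.group("client"), []).append((m.group("qname"), cats))
    return hits


# Constructed sample log: one benign query, two C2 lookups from one host
# (one name sits on both lists), a redirect lookup with a trailing dot, a
# subdomain lookup that should still match, and one unparseable line.
SAMPLE_LOG = [
    "2013-03-14T10:00:01Z 10.0.0.5 query www.example.com",
    "2013-03-14T10:00:02Z 10.0.0.5 query kidos-bank.ru",
    "2013-03-14T10:00:03Z 10.0.0.5 query law-service2011.ru",
    "2013-03-14T10:00:04Z 10.0.0.9 query hlop-v-lob.ru.",
    "2013-03-14T10:00:05Z 10.0.0.9 query cdn.verified.ru",
    "malformed line that does not parse",
]

if __name__ == "__main__":
    for client, found in scan_dns_log(SAMPLE_LOG).items():
        for qname, cats in found:
            print(f"{client} -> {qname} [{', '.join(sorted(cats))}]")
```

Suffix matching is deliberate: a lookup for a subdomain of a listed name is as interesting as the bare name. The lists are reproduced exactly as published, so treat every hit as a lead for triage of that client rather than as proof of infection on its own.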
Lowers Internet Explorer security
Virus:Win32/Expiro.BA changes certain security settings for Internet Explorer, allowing unauthorized content to run across all security zones, by making the following registry changes:
In subkeys:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Allows content of mixed security to display across all zones:
Sets value: "1609"
With data: "0"
Allows status bar updates via scripts:
Sets value: "2103"
With data: "0"
Accesses data sources across domains:
Sets value: "1406"
With data: "0"
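The registry changes above give a defender a concrete thing to audit: three DWORD values (1609, 2103, 1406) forced to 0 in each of the five zone subkeys. The script below is an added example, not Microsoft's code. It reads those keys with winreg when run on Windows and otherwise audits a constructed sample; the subkey path and value names are taken from the write-up, and the helper names are the example's own.

```python
"""Check the Internet Explorer zone settings this virus weakens.

Added example; not Microsoft's code. The subkey path and the value names 1609,
2103 and 1406 come from the write-up. On Windows, read_live_zones() reads the
real per-user keys with winreg; elsewhere the constructed SAMPLE_ZONES stands in.
"""
ZONES_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"

# Value names the virus sets to 0 ("Enable") in zones 0 to 4.
WEAKENED_VALUES = {
    "1609": "display mixed content",
    "2103": "allow status bar updates via script",
    "1406": "access data sources across domains",
}


def audit_zone_settings(zones):
    """Return (zone, value_name, description) for every listed value that is 0.

    zones: mapping zone number -> {value_name: DWORD data}. Only 0 is flagged;
    1 (Prompt) and 3 (Disable) are left alone, as is an absent value.
    """
    findings = []
    for zone in range(5):
        values = zones.get(zone, {})
        for name, desc in WEAKENED_VALUES.items():
            if values.get(name) == 0:
                findings.append((zone, name, desc))
    return findings


def fully_weakened_zones(zones):
    """Zones where all three values are 0 at once, the footprint described above."""
    return [z for z in range(5)
            if all(zones.get(z, {}).get(n) == 0 for n in WEAKENED_VALUES)]


def read_live_zones():
    """Read the real per-user zone keys on Windows; return None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    subkey = ZONES_KEY.split("\\", 1)[1]  # drop the "HKCU\" prefix
    zones = {}
    for zone in range(5):
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, f"{subkey}\\{zone}") as h:
                values = {}
                for name in WEAKENED_VALUES:
                    try:
                        values[name], _ = winreg.QueryValueEx(h, name)
                    except FileNotFoundError:
                        pass  # value absent: the built-in default applies
                zones[zone] = values
        except FileNotFoundError:
            pass  # zone key absent
    return zones


# Constructed sample: zones 3 and 4 carry the full set of weakened values,
# zone 1 has a single 0, zone 0 is untouched and zone 2 is absent.
SAMPLE_ZONES = {
    0: {"1609": 1, "2103": 3, "1406": 1},
    1: {"1609": 1, "2103": 3, "1406": 0},
    3: {"1609": 0, "2103": 0, "1406": 0},
    4: {"1609": 0, "2103": 0, "1406": 0},
}

if __name__ == "__main__":
    live = read_live_zones()
    zones = live if live is not None else SAMPLE_ZONES
    for zone, name, desc in audit_zone_settings(zones):
        print(f"zone {zone}: value {name} = 0 ({desc})")
    print("zones with all three values forced to 0:", fully_weakened_zones(zones))
```

A single 0 in zone 1 (Local intranet) can be a legitimate setting, so fully_weakened_zones() is the more useful signal: all three values at 0 in the Internet (3) and Restricted sites (4) zones is not a shipped default and matches the change set the write-up describes. The per-user key is checked because that is where the virus writes; a machine-wide policy under HKLM can still override what IE actually enforces.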
Additional information
Virus:Win32/Expiro.BA uses the following mutex names to ensure that only one copy of itself is active at any time:
- kkq-vx_mtx<incremental number>
- gazavat-svc
- gazavat-svc_<number>
Analysis by Mihai Calota
Last update 14 March 2013