Installation
Win32/Expiro makes sure only one version of itself is running at any time by creating the following mutexes:
- kkq-vx_mtx<incremental number>, for example, kkq-vx_mtx17 to kkq-vx_mtx99
- gazavat-svc
- gazavat-svc_<number>, for example, gazavat-svc_17
Spreads through...
File infection
Win32/Expiro infects .EXE files and files referenced by shortcut (.LNK) files. It looks for .EXE files that are registered as services, found in the Programs folder in the Start Menu, your desktop, and the local Applications Data folder. It also infects all .EXE files found in drives C to Z.
Win32/Expiro infects files by appending its virus code to these files. It can then create a copy of the infected file using the same file name but with the extension .IVR. For example, if this virus infects the file calc.exe, it will then create an infected copy called calc.ivr. The virus also disables Windows File Protection to infect protected files.
Payload
Steals sensitive information
Win32/Expiro collects the following sensitive information:
-
Installed certificates
-
Credentials stored by FileZilla
-
Credentials stored by Windows Protected Storage
-
Credentials entered by users in different windows, for example, in Internet Explorer
It logs the stolen credentials in the following non-malicious files:
- %LOCALAPPDATA%\kf<number>z32.dll, for example, kf17z32.dll
- %LOCALAPPDATA%\dfl<number>z32.dll, for example, dfl17z32.dll
- %LOCALAPPDATA%%\wsr<number>zt32.dll, for example, wsr17zt32.dll
- %LOCALAPPDATA%\<volume serial of system folder><number>.nls, for example, dcbfifcc17.nls
- %APPDATA%\p<number>_<number>.dll, for example, p17_17.dll
Allows backdoor access and control
Win32/Expiro is able to connect to a server and receive commands from a remote malicious hacker. Some of the servers we have seen it connect to are:
- antiviral-tstlist.biz
- avcheck.biz
- avcheck.ru
- barclays.com
- cashing.cc
- directconnection.ws
- ganzagroup.com
- ganzagroup.in
- gektar-promarenda.ru
- gronx-planets.ru
- kgbrelaxclub.ru
- kidos-bank.ru
- law-service2011.ru
- license-crewru.ru
- license-policy2012.ru
- lowlol-casting.ru
- ppshafromhugewar.ru
- samohodka-ww2.ru
- samohodka-ww3.ru
- skolkovo-bizrents2012.ru
- smellsliketervana.com
- verified.ru
- virtest.com
- www.avcheck.biz
- www.avcheck.ru
- www.avcheckx2011.ru
- www.cashing.cc
- www.directconnection.ws
- www.laurentianbank.ca
- www.virtest.com
- www1.hsbc.ca
- xverified.ru
Note: some of the above servers may not be malicious.
There is also a chance the malware will generate pseudo-random .com and .ru domains such as the following:
-
<char>decub-ydyg.ru
-
<char>gefa-bugin.com
-
<char>kegy-bikav.com
-
<char>pykyb-aquh.ru
-
<char>symi-betop.com
-
<char>vypeb-yxav.ru
-
<char>zuqib-ubyc.ru
-
<char>cusa-bifik.com
-
<char>fuvub-ohap.ru
-
<char>jixab-ekew.ru
-
<char>lizyb-ypud.ru
-
<char>pibob-urok.ru
-
<char>ridyb-ivar.ru
-
<char>vofib-oxyx.ru
-
<char>zojeb-abif.ru
-
<char>bokib-efal.ru
-
<char>famab-yjes.ru
-
<char>hapub-uluz.ru
The random character <char> can be h, t, v, or r, for example rdecub-ydyg.ru, vcusa-bifik.com and tjixab-ekew.ru.
It can perform any of the following actions, based on the commands of the malicious hacker:
-
Disable antivirus protection
-
Collect and upload user credentials
-
Stop the malware process
-
Download malware components
It also sends information about your PC every time it connects to the remote server, including:
Redirects website access
Win32/Expiro installs a Firefox extension that redirects web access from certain sites to others. Some of the sites it is known to redirect to are:
Lowers Internet Explorer security
Win32/Expiro modifies the following settings via the system registry that affect the Internet Explorer security settings:
In subkeys:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Sets value: "1609"
With data: "0"
Sets value: "2103"
With data: "0"
Sets value: "1406"
With data: "0"
These settings allow unsecured content to be displayed in all zones and allow status bar updates via scripts.
Analysis by Rodel Finones
