Home / malware Win32/Expiro
First posted on 23 January 2014.
Source: MicrosoftAliases :
There are no other names known for Win32/Expiro.
Explanation :
Threat behavior
Installation
Win32/Expiro makes sure only one version of itself is running at any time by creating the following mutexes:
- kkq-vx_mtx
, for example,kkq-vx_mtx17 to kkq-vx_mtx99 - gazavat-svc
- gazavat-svc_
, for example, gazavat-svc_17
Spreads via...
File infection
Win32/Expiro infects .EXE files and files referenced by shortcut (.LNK) files. It looks for E.XE files that are registered as services, found in the Programs folder in the Start Menu, your desktop, and the local Applications Data folder. It also infects all .EXE files found in drives C to Z. Win32/Expiro infects files by appending its virus code to these files. It can then create a copy of the infected file using the same file name but with the extension .IVR. For example, if this virus infects the file calc.exe, it will then create an infected copy called calc.ivr. The virus also disables Windows File Protection to infect protected files.
Payload
Steals sensitive information
Win32/Expiro collects the following sensitive information:It logs the stolen credentials in the following non-malicious files:
- Installed certificates
- Credentials stored by FileZilla
- Credentials stored by Windows Protected Storage
- Credentials entered by users in different windows, for example, in Internet Explorer
- %LOCALAPPDATA% \kf
z32.dll, for example, kf17z32.dll - %LOCALAPPDATA% \dfl
z32.dll, for example, dfl17z32.dll - %LOCALAPPDATA% %\wsr
zt32.dll, for example, wsr17zt32.dll - %LOCALAPPDATA% \
.nls, for example, dcbfifcc17.nls - %APPDATA% \p
_ .dll, for example, p17_17.dll
Allows backdoor access and control
Win32/Expiro is able to connect to a server and receive commands from a remote hacker. Some of the servers we have seen it connect to are:Note: some of the above servers may not be malicious. There is also a chance the malware will generate pseudo-random '.com' and '.ru' domains such as the following:
- antiviral-tstlist.biz
- avcheck.biz
- avcheck.ru
- barclays.com
- cashing.cc
- directconnection.ws
- ganzagroup.com
- ganzagroup.in
- gektar-promarenda.ru
- gronx-planets.ru
- kgbrelaxclub.ru
- kidos-bank.ru
- law-service2011.ru
- license-crewru.ru
- license-policy2012.ru
- lowlol-casting.ru
- ppshafromhugewar.ru
- samohodka-ww2.ru
- samohodka-ww3.ru
- skolkovo-bizrents2012.ru
- smellsliketervana.com
- verified.ru
- virtest.com
- www.avcheck.biz
- www.avcheck.ru
- www.avcheckx2011.ru
- www.cashing.cc
- www.directconnection.ws
- www.laurentianbank.ca
- www.virtest.com
- www1.hsbc.ca
- xverified.ru
decub-ydyg.ru gefa-bugin.com kegy-bikav.com pykyb-aquh.ru symi-betop.com vypeb-yxav.ru zuqib-ubyc.ru cusa-bifik.com fuvub-ohap.ru jixab-ekew.ru lizyb-ypud.ru pibob-urok.ru ridyb-ivar.ru vofib-oxyx.ru zojeb-abif.ru bokib-efal.ru famab-yjes.ru hapub-uluz.ru
The random charactercan be €˜h', €˜t', €˜v', and €˜r', for example "rdecub-ydyg.ru", "vcusa-bifik.com" and "tjixab-ekew.ru". It can perform any of the following actions, based on the commands of the remote hacker: It also sends information about your PC every time it connects to the remote server:
- Disable antivirus protection
- Collect and upload user credentials
- Stop the malware process
- Download malware components
- OS version information
- Windows Product ID
- Locale
- Volume serial number of drive C
Redirects website access
Win32/Expiro installs a Firefox extension that redirects web access from certain sites to others. Some of the sites it is known to redirect to are:
- advokat-spb18.ru
- attorney-at-jew.ru
- bear-wagejhunt.ru
- cannabis-anabioz.org
- corporal-johnlan.com
- da-zdra-per-ma.com
- fairy-tailpigz.biz
- fedlaw-gosdep.ru
- fettucini-mushfood.biz
- fukushima-atom.ru
- ganzagroup.net
- gattling-firepower666.biz
- global-shariat2030.ru
- gosdep-mskcity.ru
- govt-comission2011.ru
- grilled-mushrooms.cc
- headshot-freelance.com
- hlop-v-lob.ru
- ijmash-gunschk.ru
- ivan-tarakanov1975.org
- japan-flowersx343.net
- jopa-s-ushami.biz
- kandagar-bank.in
- karavjan-pakistan.net
- kaspersky-antinod.biz
- kevlar-xguard.ru
- lasersquad1996.com
- lybia-bizovernet.biz
- maha-krishna-ashram.in
- million-megadoz.com
- mobbine.com
- moscow-nightware.com
- mossad-torg.ru
- msk-edros2011.ru
- nae-biznes.ru
- nsdap-party.org
- office-rents24.ru
- oil-sibtrans-gaz.ru
- pasha-mers600.ru
- podstava-bank.ru
- prabrahman-center.in
- rmobbine.com
- s350.in
- s500.in
- s600.in
- sanitar-lesa.ru
- save-galapagos-turtles.biz
- smellsliketervana.com
- tutmos-history.ru
- vahhao-byte.ru
- xray-lagometer.org
- zae-biznes.com
- zionist-govt3000.com
Lowers Internet Explorer security
Win32/Expiro modifies settings via the system registry that affect the Internet Explorer security settings: In subkeys:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Sets value: "1609"
With data: "0"
Sets value: "2103"
With data: "0" Sets value: "1406" With data: "0" These settings allow unsecured content to be displayed in all zones and allow status bar updates via scripts.
Analysis by Rodel Finones Symptoms
System changes
The following could indicate that you have this threat on your PC:
- You have files with both .EXE and .IVR extensions, such as "calc.exe" and "calc.ivr"
- You have these files:
%LOCALAPPDATA%\kfz32.dll, for example, kf17z32.dll
%LOCALAPPDATA%\dflz32.dll, for example, dfl17z32.dll
%LOCALAPPDATA%%\wsrzt32.dll, for example, wsr17zt32.dll
%LOCALAPPDATA%\.nls, for example, dcbfifcc17.nls
%APPDATA%\p_ .dll, for example, p17_17.dll Last update 23 January 2014
