W64.Xpiro.F


First posted on 21 February 2014.
Source: Symantec

Aliases:

There are no other names known for W64.Xpiro.F.

Explanation:

When the threat executes, it creates the following file:
%UserProfile%\Local Settings\Application Data\wsr[TWO DIGIT NUMBER]zt32.dll

It also creates the following mutexes to ensure that only one instance of the threat is running on the computer:
kkq-vx_mtx[ONE OR TWO DIGIT NUMBER]gazavat-svc
gazavat-svc_[ONE OR TWO DIGIT NUMBER]
Next, the threat creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\"1609" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\"2103" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\"1406" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\"1609" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\"2103" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\"1406" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\"1609" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\"2103" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\"1406" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"1609" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"2103" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"1406" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\"1609" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\"2103" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\"1406" = "0"
The threat infects all .exe files (32-bit and 64-bit) on the compromised computer and also on mapped or removable drives (C to Z).

The threat may install Firefox or Chrome extensions and perform the following actions:
Monitor browser activity
Redirect users to malicious URLs
The threat may steal the following information from the compromised computer:
Language
Product IDs
System volume information
Windows system information
Email addresses
Passwords
Online banking information, including account numbers

The threat may connect to the following remote locations:
angar-promarenda.ru
antiviral-testlist.biz
bobamajopa2018.org
celestron-oriental.ru
cherep-na-rukave.org
egypt-bizneonet.biz
entry-retails555.biz
erussia-govsvc.ru
fethardabiozdoviplat.com
fethardanabiozdoviplat.com
greattsouthoffshore.com
grewz-platker.ru
highlow-casting.ru
hlop-v-job.ru
ijmash-gunszavod.ru
indirs-vostok.ws
kamlashop-ultras.org
kasperskygay-formula.in
kgbrelaxxlub.ru
kidos-bank.ru
leninheadshop.ru
license-policy2011.ru
mediaportal-2016.ru
merysheep.chlice.qee.jp/redirector
microavrc-usb33bit.com
mkz-coffestores.cc
pasha-mers50.ru
samohodka-ww2.ru
shut-up-beavis.ru
silcroadseevers.net
theplan-from-iran.net
tremossur.ru
verified.ru
visualillusionist.com
visualillusionist.net
www.indirs-vostok.ws
www.kasperskygay-formula.in
www.microavrc-usb33bit.com
www1.hsbc.ca
Note: The threat uses a domain generation algorithm (DGA) to compute new command-and-control servers, so the list above is not exhaustive.
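A detection-side worked example, added here and not part of the Symantec description: Python matchers for the dropped-file, mutex and registry-zone indicators listed above, run over a constructed host snapshot. The snapshot layout (a `files` list, a `mutexes` list and a `registry` dictionary keyed by registry key path) is an assumption made for illustration, as is the idea that an endpoint tool hands back data in that shape; the patterns themselves are transcribed from the entry. Values 1609, 2103 and 1406 are Internet Explorer security-zone settings, and the entry shows them being set to "0" in zones 0 to 4, so the registry matcher flags exactly that combination and ignores the same value names with other data or in other zones.

```python
import re
from typing import Dict, List

# Indicators transcribed from the W64.Xpiro.F description above.
# The dropped DLL name carries a two-digit number; matching on the path
# tail catches both the %UserProfile% form and an expanded profile path.
DROPPED_DLL = re.compile(
    r"\\local settings\\application data\\wsr\d{2}zt32\.dll$", re.IGNORECASE
)
# Both mutex names carry a one- or two-digit number.
MUTEXES = [
    re.compile(r"^kkq-vx_mtx\d{1,2}gazavat-svc$", re.IGNORECASE),
    re.compile(r"^gazavat-svc_\d{1,2}$", re.IGNORECASE),
]
# Internet Explorer security-zone keys for zones 0-4 under HKCU.
ZONE_KEY = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion"
    r"\\Internet Settings\\Zones\\([0-4])$",
    re.IGNORECASE,
)
# Zone value names the threat sets to "0".
ZONE_VALUES = ("1609", "2103", "1406")


def match_files(paths: List[str]) -> List[str]:
    """Return the paths whose tail matches the dropped DLL pattern."""
    return [p for p in paths if DROPPED_DLL.search(p)]


def match_mutexes(names: List[str]) -> List[str]:
    """Return the mutex names that match either documented pattern."""
    return [n for n in names if any(m.match(n) for m in MUTEXES)]


def match_registry(registry: Dict[str, Dict[str, str]]) -> List[str]:
    """Return 'Zones\\N\\value=0' strings for each documented value set to 0.

    `registry` maps a key path to a {value name: data} dictionary; this
    shape is an assumption for the example, not a real exporter's format.
    """
    hits = []
    for key, values in registry.items():
        key_match = ZONE_KEY.match(key)
        if not key_match:
            continue  # not one of the Zones\0..4 keys
        zone = key_match.group(1)
        for name in ZONE_VALUES:
            if values.get(name) == "0":
                hits.append(f"Zones\\{zone}\\{name}=0")
    return hits


def scan_snapshot(snapshot: Dict) -> Dict[str, List[str]]:
    """Run all three matchers over a host snapshot and collect the findings."""
    return {
        "files": match_files(snapshot.get("files", [])),
        "mutexes": match_mutexes(snapshot.get("mutexes", [])),
        "registry": match_registry(snapshot.get("registry", {})),
    }


# Constructed host snapshot: true indicators of each kind plus benign noise.
SAMPLE_SNAPSHOT = {
    "files": [
        r"C:\Documents and Settings\alice\Local Settings\Application Data\wsr07zt32.dll",
        r"%UserProfile%\Local Settings\Application Data\wsr42zt32.dll",
        r"C:\Windows\System32\kernel32.dll",
        r"C:\Temp\wsr7zt32.dll",  # wrong location and only one digit
    ],
    "mutexes": ["kkq-vx_mtx12gazavat-svc", "gazavat-svc_12", "Global\\MyAppMutex"],
    "registry": {
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0": {
            "1609": "0", "2103": "0", "1406": "0", "1A00": "0"
        },
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3": {
            "1609": "3", "1406": "0"  # only 1406 matches here
        },
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\5": {
            "1609": "0"  # zone 5 is outside the documented range
        },
    },
}

if __name__ == "__main__":
    for kind, hits in scan_snapshot(SAMPLE_SNAPSHOT).items():
        print(f"{kind}: {hits}")
```

On the constructed snapshot the matchers report two files, two mutexes and four registry values (all three in zone 0 plus 1406 in zone 3). A single matching zone value is weak evidence on its own, since users and other software change these settings; the combination with the DLL path or either mutex is what makes the finding specific to this threat.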

Last update 21 February 2014
