
Virus:Win32/Expiro.BA


First posted on 14 March 2013.
Source: Microsoft

Aliases :

Virus:Win32/Expiro.BA is also known as W32/Expiro_gen.PG (Norman), Virus found Win32/Expiro (AVG), Virus.Win32.Expiro (Ikarus), W32/Expiro.gen.o (McAfee), Win32.Expiro.U (Rising AV), W32/Expiro-H (Sophos), W32.Xpiro.D (Symantec).

Explanation :



Spreads via...

File infection

Virus:Win32/Expiro.BA spreads by infecting every EXE file it finds on drives C to Z. It infects a file by appending its code to the target. It first writes a temporary infected copy using the same file name but with the extension VIR; for example, when it infects "notepad.exe" it creates "notepad.vir", which it eventually renames back to "notepad.exe".

It disables Windows File Protection so that it can also infect protected system files. It also enumerates the services running on your computer and infects their executables.



Payload

Disables security software

Virus:Win32/Expiro.BA might try to close the following services and programs:

  • Wscsvc - Windows Security Center service
  • WinDefend - Windows Defender service
  • NisSrv - Network Inspection service
  • MsMpSvc - Microsoft Protection service
  • MSASCui - Windows Defender program
  • MsSecEs.exe - Microsoft Security Essentials program
  • TCPView - Network Traffic Viewer by Sysinternals


It might also uninstall the antivirus software located in the "%ProgramFiles%\Microsoft Security Client" folder.

Steals sensitive information

Virus:Win32/Expiro.BA collects the following sensitive information:

  • Installed certificates
  • Passwords stored by FileZilla
  • Credentials stored by Windows Protected Storage
  • Credentials entered by users in different windows, for example, in Internet Explorer
  • All autocomplete entries stored by Internet Explorer within HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2


The stolen data may be logged in "%AppData%\p<number>_<number>.dll".

Allows backdoor access and control

Virus:Win32/Expiro.BA may connect to the following servers to allow a remote attacker access to your computer:

  • ebvtracking.cc
  • febvtracking.cc
  • grewz-platker.ru
  • www1.hsbc.ca
  • indirs-kemono.ws
  • insecto-fiestar.ru
  • kgbrelaxxlub.ru
  • kidos-bank.ru
  • kpz-coffestores.cc
  • law-service2011.ru
  • license-crewru.ru
  • microavrc-com32bt.com
  • navitelgeodbs.ru
  • samohodka-ww2.ru
  • verified.ru


Virus:Win32/Expiro.BA can do the following:

  • Upload the collected information
  • Stop the malware process
  • Download and run other malware


Redirects website access

Virus:Win32/Expiro.BA can install Firefox and Google Chrome extensions, which redirect access from certain sites to the following servers:

  • gattling-firepower666.biz
  • global-shariat2030.ru
  • hlop-v-lob.ru
  • ivan-tarakanov1975.org
  • japan-flowersx343.net
  • jopa-s-ushami.biz
  • law-service2011.ru
  • oil-sibtrans-gaz.ru
  • sanitar-lesa.ru
  • zionist-govt3000.com


Lowers Internet Explorer security

Virus:Win32/Expiro.BA weakens Internet Explorer by loosening three URL-action settings in every security zone, so that content IE would normally block or prompt for is allowed silently. It makes the following registry changes in each of the subkeys:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4

(zone 0 is My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites). For each of these URL actions the data 0 means "Enable":

  • Sets value: "1609", with data: "0" (Display mixed content: allows content of mixed security to display across all zones)
  • Sets value: "2103", with data: "0" (Allow status bar updates via script)
  • Sets value: "1406", with data: "0" (Access data sources across domains)
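The following PowerShell audit is an added example and is not part of the Microsoft write-up. It reads the five HKCU zone keys named above and reports any of the three URL actions whose data is 0 (Enable); with -Remediate it sets those actions to 3 (Disable) in the Internet and Restricted sites zones only. The zone names and the 0 = Enable / 1 = Prompt / 3 = Disable meaning of the data are standard IE URL-action semantics; the function name and the choice to remediate only zones 3 and 4 are this example's own.

```powershell
# Added example: audit (and optionally tighten) the IE zone URL actions the
# page says Expiro.BA sets to 0. Not code from the Microsoft analysis.
# Runs in Windows PowerShell 5.1 or PowerShell 7, as the user whose HKCU
# hive is being checked.

$ZoneBase  = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

# URL action codes named on the page. IE stores each as a DWORD:
# 0 = Enable, 1 = Prompt, 3 = Disable.
$Actions = @{
    '1609' = 'Display mixed content'
    '2103' = 'Allow status bar updates via script'
    '1406' = 'Access data sources across domains'
}

function Get-ExpiroZoneTampering {
    [CmdletBinding()]
    param(
        # Set the three actions to 3 (Disable) in zones 3 and 4. That is at
        # least as strict as the IE defaults for those zones. Zones 0-2 are
        # left alone: some of these actions are legitimately enabled there.
        [switch]$Remediate
    )
    foreach ($zone in 0..4) {
        $key = Join-Path -Path $ZoneBase -ChildPath $zone
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($code in $Actions.Keys) {
            $data = $props.$code                 # $null when the value does not exist
            if ($null -eq $data) { continue }
            $state = switch ($data) { 0 { 'Enable' } 1 { 'Prompt' } 3 { 'Disable' } default { 'Other' } }
            $flag  = if ($data -eq 0) { 'MATCHES Expiro.BA change' } else { '' }
            if ($Remediate -and $data -eq 0 -and $zone -ge 3) {
                Set-ItemProperty -Path $key -Name $code -Value 3 -Type DWord
                $flag = 'was 0, set to 3 (Disable)'
            }
            [pscustomobject]@{
                Zone   = "$zone ($($ZoneNames[$zone]))"
                Action = "$code ($($Actions[$code]))"
                Data   = $data
                State  = $state
                Flag   = $flag
            }
        }
    }
}

# Report only; add -Remediate to tighten zones 3 and 4.
Get-ExpiroZoneTampering | Sort-Object Zone, Action | Format-Table -AutoSize
```

A value that is absent from a zone key is skipped rather than reported, because IE then falls back to its template default; the interesting case for this virus is an explicit 0. Run the audit under each user profile on a shared machine, since the changes live in HKCU.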

Additional information

Virus:Win32/Expiro.BA uses the following mutex names to make sure that a single active copy of itself is running at any time.

  • kkq-vx_mtx<incremental number>
  • gazavat-svc
  • gazavat-svc_<number>
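As an added example (not code from the Microsoft analysis), the following PowerShell script hunts for the host indicators this write-up gives: the .vir staging copies and the infected service executables from the file-infection section, the security services the virus stops, the %AppData%\p<number>_<number>.dll credential log, and the mutex names listed above. The page only says "<number>" for the mutex suffixes, so probing 0..31 is this example's assumption; the function names and the default of sweeping only the system drive are also its own choices.

```powershell
# Added host-hunt example; not code from the Microsoft write-up. Run from an
# elevated Windows PowerShell 5.1 / PowerShell 7 prompt on the suspect host.
# Indicators are the ones the page gives: ".vir" staging copies of infected
# EXEs, infected service executables, stopped security services, the
# %AppData%\p<number>_<number>.dll log and the gazavat-svc / kkq-vx_mtx mutexes.
# Assumption: the page only says "<number>", so numeric suffixes 0..31 are probed.

function Test-NamedMutex {
    param([Parameter(Mandatory)][string]$Name)
    # OpenExisting looks in the caller's session namespace. A mutex created as
    # Global\<name>, or by a process in another logon session, is only seen
    # with that prefix or from that session.
    try {
        $m = [System.Threading.Mutex]::OpenExisting($Name)
        $m.Dispose()
        return $true
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return $false
    } catch [System.UnauthorizedAccessException] {
        return $true        # it exists but its ACL denies us: still an indicator
    }
}

function Get-ExpiroMutexes {
    $names = @('gazavat-svc') + (0..31 | ForEach-Object { "gazavat-svc_$_"; "kkq-vx_mtx$_" })
    $names | Where-Object { Test-NamedMutex -Name $_ }
}

function Get-ExpiroStagingFiles {
    param([string[]]$Roots = @("$env:SystemDrive\"))
    # The virus writes "<name>.vir" and then renames it back to .exe, so a
    # leftover .vir marks an interrupted infection. Pass every fixed drive
    # (C: to Z:) as -Roots for a full sweep; it is slow.
    Get-ChildItem -Path $Roots -Recurse -File -Filter '*.vir' -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

function Get-ExpiroLogFiles {
    # Harvested credentials are logged to %AppData%\p<number>_<number>.dll.
    Get-ChildItem -Path $env:APPDATA -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^p\d+_\d+\.dll$' } |
        Select-Object FullName, Length, LastWriteTime
}

function Get-SecurityServiceState {
    # Services the virus tries to stop. 'Missing' means that product is not installed.
    foreach ($svc in 'wscsvc', 'WinDefend', 'NisSrv', 'MsMpSvc') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $status = if ($s) { [string]$s.Status } else { 'Missing' }
        [pscustomobject]@{ Service = $svc; Status = $status }
    }
}

function Get-UnsignedServiceBinaries {
    # Appending code to a signed PE invalidates its Authenticode signature, so an
    # infected Microsoft service binary reports HashMismatch here. Third-party
    # services may be unsigned legitimately: treat this as a triage list.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if ($svc.PathName -match '^"?(.+?\.exe)') {         # strip quotes and arguments
            $exe = $Matches[1]
            if (Test-Path -LiteralPath $exe) {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                if ($sig.Status -ne 'Valid') {
                    [pscustomobject]@{ Service = $svc.Name; Path = $exe; Signature = $sig.Status }
                }
            }
        }
    }
}

'--- Mutexes present';                     Get-ExpiroMutexes
'--- .vir staging files';                  Get-ExpiroStagingFiles | Format-Table -AutoSize
'--- %AppData% p<n>_<n>.dll logs';         Get-ExpiroLogFiles | Format-Table -AutoSize
'--- Security services';                   Get-SecurityServiceState | Format-Table -AutoSize
'--- Service binaries not validly signed'; Get-UnsignedServiceBinaries | Format-Table -AutoSize
```

Run the mutex check from the same logon session as the infected user, because unqualified mutex names are per session. The signature check is the most durable of the five: the virus appends code to the service executables it infects, and that breaks the Authenticode hash of any signed binary regardless of how the sample names its mutexes or staging files.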




Analysis by Mihai Calota

Last update 14 March 2013

 
