W32/Expiro.gen.n | Virus Profile & Definition

Virus Profile information details
Risk Assessment:	Home Medium \| Corporate Medium
Date Discovered:	8/13/2012
Date Added:	8/13/2012
Origin:	N/A
Length:	varies
Type:	Virus
Subtype:	Win32
DAT Required:	6590
Removal Instructions

Description

The W32/Expiro family of malware is a virus that parasitically infects executables by appending its viral code to the host. It could also download other malwares and steal system information.

Aliases

Kaspersky - Virus.Win32.Expiro.w
NOD32 - Win32/Expiro.NAF virus
Norman - W32/Expiro_gen.A
Symantec - W32.Xpiro.D

Indication of Infection

Presence of above mentioned files and registry activities.

Presence of above mentioned Network connections.

Methods of Infection

W32/Expiro searches for executables to infect in all drives including mounted shared directories and portable drives. Infected executables may then infect others if used on other systems.

Back to Top

View Virus Characteristics

Virus Characteristics

----------------------------------------Updated on 13 Feb 2013------------------------------------------------------

Aliases

Microsoft    -    Virus:Win32/Expiro.BC
Symantec    -    W32.Xpiro.D
Kaspersky    -    Virus.Win32.Expiro.ao
Drweb        -    Win32.Expiro.47

W32/Expiro.gen.n family of malware is a virus that infects executables by appending its viral code to the host. It may also infect executables in all the system and mapped drives.

W32/Expiro.gen.n creates firewall rule in order to bypass normal authentication.

W32/Expiro.gen.n infects the exe files by injecting a malicious code, and it may create a copy of the infected file in the format filename.vir. It may steal the system information and send to the remote attacker.

It logs the stolen credentials in the following non-malicious file:

%AllUsersProfile%\Application Data\fcdjedce27.nls
%UserProfile%\Local Settings\Application Data\wsr27zt32.dll

It infects by adding a new section and appending its viral code to the host. Current variants add one section with a name "vmp0". Section size added is around 0x28000 bytes.

An infected executable’s section data looks like this:

To execute the viral code upon execution, it replaces a block of code from the entry point of the host file. Replaced code data is moved to the new section as shown below.

Symptoms of an infected file:

File size increase by more than 186 Kb
Change of file timestamp
PE file last section name is vmp0

The virus uses the following pipe in order to execute attacker commands remotely:

rundll32.exe newdev.dll,ClientSideInstall \\.\pipe\PNP_Device_Install_Pipe_0.{GUID}

While running, a mutex is created to ensure only one instance of the Virus is running at a time. The Mutex name is:

kkq-vx_mtx1
kkq-vx_mtx27
gazavat-svc_27
gazavat-svc

The following are the URL and IP Address it tries to connect through remote port 80[HTTP] to download the other malicious files as well as it may send the collected information to the remote attacker.

levene[Removed]u.net
204.13. [Removed].116
lafyw[Removed]bym.ru
116.162. [Removed].204
hyqyl[Removed]arza.ru
ndecu[Removed]dyg.ru
bij[Removed]hus-bac.cc
iqaz[Removed]u-nu.biz
pofyz[Removed]t.net
rovym[Removed]m.com
ngef[Removed]gin.com
jijac[Removed]fo.cc
nkegy[Removed]av.com
idew[Removed]u-cetdol.ws
64.70. [Removed].198
pyrynaq[Removed]v.org
lukocah[Removed]mo.biz
nmyjo-[Removed]b.com
qenako[Removed]q.com
85.25. [Removed].224
224.108. [Removed].85
250.255. [Removed].239

Upon execution, it create files in the below location

%UserProfile%\Local Settings\Application Data\wsr27zt32.dll
%AllUsersProfile%\Application Data\fcdjedce27.nls
%WINDIR%\system32\[Infected filename].vir

The above are the files created by a virus; it is a copy of the infected file in the extension .vir

The following registry keys have been added to the system

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xml\PersistentHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xsl\PersistentHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\PersistentHandler
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CISVC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CISVC\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CiSvc\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmadmin\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr\Enum

The following registry key values have been added to the system

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%ProgramFiles%\JavaSoft\JRE\1.3\bin\tnameserv.exe: "%ProgramFiles%\JavaSoft\JRE\1.3\bin\tnameserv.exe:*:Enabled:tnameserv"

The above registry key value confirms that the virus creates a firewall for the source file inorder to bypass the normal authentication.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CISVC\0000\Control\
- *NewlyCreated*: 0x00000000
- ActiveService: "CiSvc"
- Service: "CiSvc"
- Legacy: 0x00000001
- ConfigFlags: 0x00000000
- Class: "LegacyDriver"
- ClassGUID: "{GUID}"
- DeviceDesc: "Indexing Service"
- NextInstance: 0x00000001

The following registry keys Values has been modified to the System

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft Internet Mail Message\: "Outlook Express Mail Message"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft Internet Mail Message\: "Internet E-Mail Message"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft Internet News Message\: "Outlook Express News Message"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft Internet News Message\: "Internet News Message"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent\: 0x00000012
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent\: 0x00000014
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[Service Name]\Start: 0x00000003
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[Service Name]\Start: 0x00000002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[Service Name]\Type: 0x00000010
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[Service Name]\Type: 0x00000110

The above registry entry ensures that the virus infects all the system services and it starts automatically, it starts the services whenever the system restarts.

HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1609: 0x00000001
HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1609: 0x00000000
HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1406: 0x00000001
HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1406: 0x00000000
HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1609: 0x00000001
HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1609: 0x00000000
HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1406: 0x00000003
HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1406: 0x00000000
HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1609: 0x00000001
HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1609: 0x00000000
HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1406: 0x00000003
HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1406: 0x00000000
HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1609: 0x00000001
HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1609: 0x00000000
HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2103: 0x00000003
HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2103: 0x00000000
HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1406: 0x00000003
HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1406: 0x00000000
HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1609: 0x00000001
HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1609: 0x00000000
HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2103: 0x00000003
HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2103: 0x00000000

The above registry key values confirms that the virus lowers the IE security settings

The following are the information collected from the infected machine and send it to the remote attacker through remote port http

GetLocaleInfoA
GetSystemInfo
gethostbyname
GetUserNameA
GetComputerNameA
GetVolumeInformationA

Captured POST request:

POST greatsouthoffshore.com HTTP/1.1
User-Agent: Mozilla/4.1 (compatible; MSIE 20; NT5.1.2600-A4A955BE.ENU.3E163F58-83C788-C11CE0-1438147D)

--------------------------------------------------------------------------------------------------------------------------------------

W32/Expiro.gen.n family of malware is a virus that parasitically infects executables by appending its viral code to the host.

W32/Expiro.gen.n infects the exe files by injecting a malicious code, and it creates a copy of the infected file in the format filename.vir. It may steal the system information and send to the remote attacker.

W32/Expiro searches for and infects all PE executables in the system except for those that have the following characteristics.

With data overlay
Not enough space in header for additional section data
Already infected file
DLL and driver files

It infects by adding a new section and appending its viral code to the host. Current variants add one section with a name "PACK". Section size added is around 0x28000 bytes.

An infected executable’s section data looks like this:

To execute its own code upon execution. It replaces a block of code from the entry point of the host file. Replaced code data is moved to the new section as shown below.

Symptoms of an infected file:

File size increase by more than 140 Kb
Change of file timestamp
PE file last section name is PACK

While running, a mutex is created to ensure only one instance of the Virus is running at a time. The Mutex name is:

gazavat-svc{random number}
gazavat-svc

Encrypted Malware Code:

Note: In this case the encryption Xor Key is 0x5D. It will change from file to file.

This virus could collect the following sensitive information:

Installed certificates
Credentials stored by FileZilla
Credentials stored by Windows Protected Storage
Passwords stored by Internet Explorer, within the following registry entry:
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2

It logs the stolen credentials in the following non-malicious file:

%UserProfile%\Local Settings\Application Data\wsr{random 2 digit number}zt32.dll

It also installs a Firefox extension by adding the following files in the Firefox extension directory:

{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\components\red.js
{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\install.rdf
{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\chrome\content.jar
{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\chrome.manifest

This extension could redirect the compromised user to the following domains:

stopbadware.org
gektar-promarenda.ru
cashing.cc
hdecub-ydyg.ry
directconnection.ws
mediaportal-2016.ru
kamlashop-ultras.org
theplan-from-iran.net
erussia-govsvc.ru
ijmash-gunszavod.ru
egypt-bizneonet.biz
hlop-v-job.ru
pasha-mers50.ru
entry-retails555.biz

Upon execution it tries to connect the below URL and IP Address through remote port 53

220.225. [Removed].85
zavrchcks[Removed]z.ru
pdecub-[Removed].ru
pgefa-[Removed].com
zerrbl[Removed]gz.cc
indirs-[Removed].ws
pkegy-[Removed].com
pmyjo-[Removed].com
ppykyb-[Removed].ru
insecto-[Removed].ru
psymi-[Removed].com
kgbr[Removed]z.ru
pvypeb-[Removed].ru
pvypeb-[Removed].ru
64.70. [Removed].33
202.54. [Removed].60
202.54. [Removed].5

The following are the URL and IP Address it tries to connect through remote port 137[NetBIOS]

pgefa-[Removed].com
pkegy-[Removed].com

The following are the URL and IP Address it tries to connect through remote port 80[HTTP]

64.70. [Removed].33
indirs-[Removed].ws
109.236. [Removed].70
international-[Removed].ru
greatsouthoffshore.com
angar-promarenda.ru
kasperskygayformula.biz
microavrc-usb33bit.com
leninheadshop.ru
fdecub-ydyg.ru
fgefa-bugin.com
fkegy-bikav.com
indirs-vostok.ws
fmyjo-boneb.com

Upon execution, it creates files in the below location

%AllUsersProfile%\Application Data\acbdfbig25.nls
%WINDIR%\system32\[Infected filename].vir

The above are the files created by a virus, it is a copy of the infected file in the extension .vir

The following registry keys are added to the system

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\PersistentHandler
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CISVC

The following registry key values has been added to the system

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.hta\PersistentHandler\: "{GUID}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CISVC\0000\Control\
- *NewlyCreated*: 0x00000000
- ActiveService: "CiSvc"
- Service: "CiSvc"
- Legacy: 0x00000001
- ConfigFlags: 0x00000000
- Class: "LegacyDriver"
- ClassGUID: "{GUID}"
- DeviceDesc: "Indexing Service"
- NextInstance: 0x00000001

The following registry key values has been modified to the system

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent\: 0x00000012
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent\: 0x00000014
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CiSvc\Start: 0x00000003
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CiSvc\Start: 0x00000002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Start: 0x00000004
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Start: 0x00000002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Type: 0x00000010
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Type: 0x00000110
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\clr_optimization_v2.0.50727_32\Type: 0x00000010
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\clr_optimization_v2.0.50727_32\Type: 0x00000110
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmadmin\Type: 0x00000020
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmadmin\Type: 0x00000120
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmadmin\Start: 0x00000003
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmadmin\Start: 0x00000002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\idsvc\Type: 0x00000020
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\idsvc\Type: 0x00000120
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\idsvc\Start: 0x00000003
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\idsvc\Start: 0x00000002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ImapiService\Type: 0x00000010
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ImapiService\Type: 0x00000110
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ImapiService\Start: 0x00000003
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ImapiService\Start: 0x00000002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmsrvc\Start: 0x00000003
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmsrvc\Start: 0x00000002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer\Type: 0x00000020
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer\Type: 0x00000120
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer\Start: 0x00000003
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer\Start: 0x00000002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDE\Start: 0x00000004
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDE\Start: 0x00000002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDE\Type: 0x00000020
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDE\Type: 0x00000120
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr\Type: 0x00000010
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr\Type: 0x00000110
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr\Start: 0x00000003
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr\Start: 0x00000002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcapd\Type: 0x00000010
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcapd\Type: 0x00000110
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcapd\Start: 0x00000003
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcapd\Start: 0x00000002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSVP\Type: 0x00000010
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSVP\Type: 0x00000110
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSVP\Start: 0x00000003
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSVP\Start: 0x00000002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Type: 0x00000010
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Type: 0x00000110
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Start: 0x00000004
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Start: 0x00000002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Start: 0x00000003
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Start: 0x00000002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Type: 0x00000010
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Type: 0x00000110
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiApSrv\Type: 0x00000010
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiApSrv\Type: 0x00000110
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiApSrv\Start: 0x00000003
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiApSrv\Start: 0x00000002

The above registry entry ensures that the virus infects all the system services and it starts automatically whenever the system restarts.

The following are the information collected from the infected machine and sends it to the remote attacker through remote port http

GetLocaleInfoA
GetSystemInfo
gethostbyname
GetUserNameA
GetComputerNameA
GetVolumeInformationA

Back to Top

Back To Overview View Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Back to Top

View Virus Characteristics

Virus Profile: W32/Expiro.gen.n

Description

Indication of Infection

Methods of Infection

Virus Characteristics

Virus Information

Indications of Infection:

PRODUCTS

VIRUS SECURITY

SUPPORT

SOCIALIZE WITH US ON

SIGN UP FOR SECURITY NEWS

WE ACCEPT THE FOLLOWING