Virus Profile: W32/Expiro.gen.n

Risk Assessment: Home Medium | Corporate Medium
Date Discovered: 8/13/2012
Date Added: 8/13/2012
Origin: N/A
Length: varies
Type: Virus
Subtype: Win32
DAT Required: 6590

Description

The W32/Expiro family of malware is a virus that parasitically infects executables by appending its viral code to the host. It can also download other malware and steal system information.

Aliases

  • Kaspersky - Virus.Win32.Expiro.w
  • NOD32 - Win32/Expiro.NAF virus
  • Norman - W32/Expiro_gen.A
  • Symantec - W32.Xpiro.D 

Indication of Infection

Presence of the files and registry activity mentioned in this profile.

Presence of the network connections mentioned in this profile.

Methods of Infection

W32/Expiro searches for executables to infect in all drives including mounted shared directories and portable drives. Infected executables may then infect others if used on other systems. 
   

Virus Characteristics

----------------------------------------Updated on 13 Feb 2013------------------------------------------------------

Aliases

  • Microsoft - Virus:Win32/Expiro.BC
  • Symantec - W32.Xpiro.D
  • Kaspersky - Virus.Win32.Expiro.ao
  • Drweb - Win32.Expiro.47

The W32/Expiro.gen.n family of malware is a virus that infects executables by appending its viral code to the host. It may also infect executables on all system and mapped drives.

W32/Expiro.gen.n creates a firewall rule in order to bypass normal authentication.

W32/Expiro.gen.n infects exe files by injecting malicious code, and it may create a copy of the infected file named filename.vir. It may steal system information and send it to the remote attacker.

It logs the stolen credentials in the following non-malicious files:

  • %AllUsersProfile%\Application Data\fcdjedce27.nls
  • %UserProfile%\Local Settings\Application Data\wsr27zt32.dll

It infects by adding a new section and appending its viral code to the host. Current variants add one section named "vmp0". The added section is around 0x28000 bytes in size.

An infected executable’s section data looks like this:



To run the viral code when the host is executed, it replaces a block of code at the entry point of the host file. The replaced code is moved to the new section as shown below.


Symptoms of an infected file:

  • File size increases by more than 186 Kb
  • Change of file timestamp
  • PE file last section name is vmp0


The virus uses the following pipe in order to execute attacker commands remotely:

rundll32.exe newdev.dll,ClientSideInstall \\.\pipe\PNP_Device_Install_Pipe_0.{GUID}

While running, the virus creates a mutex to ensure that only one instance of it runs at a time. The mutex names are:

  • kkq-vx_mtx1
  • kkq-vx_mtx27
  • gazavat-svc_27
  • gazavat-svc

It tries to connect to the following URLs and IP addresses on remote port 80 (HTTP) to download other malicious files; it may also send the collected information to the remote attacker.


Upon execution, it creates files in the following locations:

  • %UserProfile%\Local Settings\Application Data\wsr27zt32.dll
  • %AllUsersProfile%\Application Data\fcdjedce27.nls
  • %WINDIR%\system32\[Infected filename].vir

The above files are created by the virus; the last is a copy of the infected file with the extension .vir.

The following registry keys have been added to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xml\PersistentHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xsl\PersistentHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\PersistentHandler
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CISVC
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CISVC\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CiSvc\Enum
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Enum
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmadmin\Enum
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr\Enum

The following registry key values have been added to the system:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%ProgramFiles%\JavaSoft\JRE\1.3\bin\tnameserv.exe: "%ProgramFiles%\JavaSoft\JRE\1.3\bin\tnameserv.exe:*:Enabled:tnameserv"

The above registry key value confirms that the virus creates a firewall rule for the source file in order to bypass normal authentication.

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CISVC\0000\Control\
    • *NewlyCreated*: 0x00000000
    • ActiveService: "CiSvc"
    • Service: "CiSvc"
    • Legacy: 0x00000001
    • ConfigFlags: 0x00000000
    • Class: "LegacyDriver"
    • ClassGUID: "{GUID}"
    • DeviceDesc: "Indexing Service"
    • NextInstance: 0x00000001

The following registry key values have been modified on the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft Internet Mail Message\: "Outlook Express Mail Message"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft Internet Mail Message\: "Internet E-Mail Message"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft Internet News Message\: "Outlook Express News Message"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft Internet News Message\: "Internet News Message"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent\: 0x00000012
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent\: 0x00000014
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[Service Name]\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[Service Name]\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[Service Name]\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[Service Name]\Type: 0x00000110

The above registry entries ensure that the virus infects all the system services and starts automatically: the services are started whenever the system restarts.

  • HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1609: 0x00000001
  • HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1609: 0x00000000
  • HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1406: 0x00000001
  • HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1406: 0x00000000
  • HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1609: 0x00000001
  • HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1609: 0x00000000
  • HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1406: 0x00000003
  • HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1406: 0x00000000
  • HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1609: 0x00000001
  • HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1609: 0x00000000
  • HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1406: 0x00000003
  • HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1406: 0x00000000
  • HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1609: 0x00000001
  • HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1609: 0x00000000
  • HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2103: 0x00000003
  • HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2103: 0x00000000
  • HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1406: 0x00000003
  • HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1406: 0x00000000
  • HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1609: 0x00000001
  • HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1609: 0x00000000
  • HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2103: 0x00000003
  • HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2103: 0x00000000

The above registry key values confirm that the virus lowers the IE security settings.

The following API calls are used to collect information from the infected machine, which is then sent to the remote attacker over HTTP:

  • GetLocaleInfoA
  • GetSystemInfo
  • gethostbyname
  • GetUserNameA
  • GetComputerNameA
  • GetVolumeInformationA

Captured POST request:

POST greatsouthoffshore.com HTTP/1.1
User-Agent: Mozilla/4.1 (compatible; MSIE 20; NT5.1.2600-A4A955BE.ENU.3E163F58-83C788-C11CE0-1438147D)

--------------------------------------------------------------------------------------------------------------------------------------

The W32/Expiro.gen.n family of malware is a virus that parasitically infects executables by appending its viral code to the host.

W32/Expiro.gen.n infects exe files by injecting malicious code, and it creates a copy of the infected file named filename.vir. It may steal system information and send it to the remote attacker.

W32/Expiro searches for and infects all PE executables in the system except for those that have the following characteristics:

  • With data overlay
  • Not enough space in header for additional section data
  • Already infected file
  • DLL and driver files

It infects by adding a new section and appending its viral code to the host. Current variants add one section named "PACK". The added section is around 0x28000 bytes in size.

An infected executable’s section data looks like this:

To run its own code when the host is executed, it replaces a block of code at the entry point of the host file. The replaced code is moved to the new section as shown below.

Symptoms of an infected file:

  • File size increases by more than 140 Kb
  • Change of file timestamp
  • PE file last section name is PACK
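
A triage check for the section symptoms listed above and in the 13 Feb 2013 update (last section named PACK or vmp0, about 0x28000 bytes), added here as an example and not part of the original profile. The size tolerance, the function names and the constructed header-only sample are assumptions of this example.

```python
import struct

# Markers from this profile: name of the appended last section and its
# approximate size. TOLERANCE is an assumption of this example.
MARKER_NAMES = {b"vmp0", b"PACK"}
APPROX_SIZE = 0x28000
TOLERANCE = 0x4000

def last_section(data: bytes):
    """Return (name, raw_size) of the last section-table entry, or None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header follows the 4-byte signature: NumberOfSections at +2,
    # SizeOfOptionalHeader at +16.
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    off = e_lfanew + 24 + opt_size + 40 * (num_sections - 1)
    if num_sections == 0 or off + 40 > len(data):
        return None  # truncated or malformed header
    name = data[off:off + 8].rstrip(b"\0")
    (raw_size,) = struct.unpack_from("<I", data, off + 16)  # SizeOfRawData
    return name, raw_size

def expiro_section_marker(data: bytes) -> str:
    """Return 'no-pe', 'no-marker', 'name-only' or 'name+size'."""
    sec = last_section(data)
    if sec is None:
        return "no-pe"
    name, raw_size = sec
    if name not in MARKER_NAMES:
        return "no-marker"
    # The name alone is a weak signal; the size from the profile corroborates it.
    if abs(raw_size - APPROX_SIZE) <= TOLERANCE:
        return "name+size"
    return "name-only"

def build_sample(sections):
    """Constructed PE headers (no section data) for the demo: [(name, size)]."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt = b"\0" * 0xE0  # PE32 optional header size; contents are not parsed
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(
        name.ljust(8, b"\0") + struct.pack("<IIII", size, 0, size, 0) + b"\0" * 16
        for name, size in sections
    )
    return dos + b"PE\0\0" + coff + opt + table

if __name__ == "__main__":
    sample = build_sample([(b".text", 0x1000), (b".rsrc", 0x800), (b"vmp0", 0x28000)])
    print(expiro_section_marker(sample))
```

Treat a hit as a lead to confirm with a scanner running current DAT files rather than as a verdict.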

While running, the virus creates a mutex to ensure that only one instance of it runs at a time. The mutex names are:

  • gazavat-svc{random number}
  • gazavat-svc

Encrypted Malware Code:

Note: In this case the XOR encryption key is 0x5D. It changes from file to file.

This virus could collect the following sensitive information:

  • Installed certificates
  • Credentials stored by FileZilla
  • Credentials stored by Windows Protected Storage
  • Passwords stored by Internet Explorer, within the following registry entry:
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2

It logs the stolen credentials in the following non-malicious file:

  •  %UserProfile%\Local Settings\Application Data\wsr{random 2 digit number}zt32.dll

It also installs a Firefox extension by adding the following files in the Firefox extension directory:

  • {ec9032c7-c20a-464f-7b0e-13a3a9e97385}\components\red.js
  • {ec9032c7-c20a-464f-7b0e-13a3a9e97385}\install.rdf
  • {ec9032c7-c20a-464f-7b0e-13a3a9e97385}\chrome\content.jar
  • {ec9032c7-c20a-464f-7b0e-13a3a9e97385}\chrome.manifest

This extension could redirect the compromised user to the following domains:


Upon execution, it tries to connect to the following URLs and IP addresses on remote port 53:


It tries to connect to the following URLs and IP addresses on remote port 137 (NetBIOS):

  • pgefa-[Removed].com
  • pkegy-[Removed].com

It tries to connect to the following URLs and IP addresses on remote port 80 (HTTP):


Upon execution, it creates files in the following locations:

  • %AllUsersProfile%\Application Data\acbdfbig25.nls
  • %WINDIR%\system32\[Infected filename].vir

The above files are created by the virus; the last is a copy of the infected file with the extension .vir.

The following registry keys are added to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\PersistentHandler
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CISVC

The following registry key values have been added to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.hta\PersistentHandler\: "{GUID}"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CISVC\0000\Control\
    • *NewlyCreated*: 0x00000000
    • ActiveService: "CiSvc"
    • Service: "CiSvc"
    • Legacy: 0x00000001
    • ConfigFlags: 0x00000000
    • Class: "LegacyDriver"
    • ClassGUID: "{GUID}"
    • DeviceDesc: "Indexing Service"
    • NextInstance: 0x00000001

The following registry key values have been modified on the system:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent\: 0x00000012
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent\: 0x00000014
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CiSvc\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CiSvc\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Start: 0x00000004
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Type: 0x00000110
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\clr_optimization_v2.0.50727_32\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\clr_optimization_v2.0.50727_32\Type: 0x00000110
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmadmin\Type: 0x00000020
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmadmin\Type: 0x00000120
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmadmin\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmadmin\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\idsvc\Type: 0x00000020
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\idsvc\Type: 0x00000120
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\idsvc\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\idsvc\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ImapiService\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ImapiService\Type: 0x00000110
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ImapiService\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ImapiService\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmsrvc\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmsrvc\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer\Type: 0x00000020
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer\Type: 0x00000120
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDE\Start: 0x00000004
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDE\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDE\Type: 0x00000020
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDE\Type: 0x00000120
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr\Type: 0x00000110
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcapd\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcapd\Type: 0x00000110
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcapd\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcapd\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSVP\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSVP\Type: 0x00000110
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSVP\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSVP\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Type: 0x00000110
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Start: 0x00000004
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Type: 0x00000110
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiApSrv\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiApSrv\Type: 0x00000110
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiApSrv\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiApSrv\Start: 0x00000002

The above registry entries ensure that the virus infects all the system services and that it starts automatically whenever the system restarts.

The following API calls are used to collect information from the infected machine, which is then sent to the remote attacker over HTTP:

  • GetLocaleInfoA
  • GetSystemInfo
  • gethostbyname
  • GetUserNameA
  • GetComputerNameA
  • GetVolumeInformationA
   

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
