Virus.Win32.Expiro.nab

by alexander.adamov on May 7th, 2012 in Malware Descriptions.

Detect: Virus.Win32.Expiro.nab
Platform: Win32
Type: Virus
Size: 298496 bytes
Language: C++
md5: FF3945214D3CDB38E853749F188630F2
sha1: C22F7716EB50BD5B1284DC11A8DFFA73E1DE50CD

Summary

It is malware that infects files on the user’s

Technical Details

File Infection

The virus infects executable files on all writable local, network and removable drives. It starts with the executables that shortcuts (.lnk files) point to and with the executables of system services. The following directories are scanned first for such files:

%USERPROFILE%\Desktop

%USERPROFILE%\Start Menu\Programs

The content of the target file is copied to a file with the same name and the extension .vir, saved in the same directory as the target. The virus then appends a section named "PACK" to the end of the .vir file; this section holds the virus body. The entry point of the file is changed so that execution passes to the virus body. The original file is then deleted and the .vir file is renamed back to .exe. When the executable of a system service is infected, the virus does not start the service itself: the infection of the file and the start of the service take effect on the next system boot. To infect files that Windows protects, the virus disables Windows File Protection (WFP).
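The check below is an added example written for this page, not code from the original analysis or from any antivirus product. It parses the PE headers of a file and flags the layout described above: a section named PACK as the last section of the image, with the entry point pointing into it. The build_sample helper constructs minimal PE32 headers with no real code so the check can be exercised offline; the section names, addresses and flags in those samples are assumptions for the demonstration. A real file can be passed on the command line.

```python
import struct
import sys
from typing import List, NamedTuple, Tuple

# Name of the section the analysis reports Expiro appending to infected files.
INFECTION_SECTION = "PACK"
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


class Section(NamedTuple):
    name: str
    virtual_address: int
    virtual_size: int
    characteristics: int


def parse_pe(data: bytes) -> Tuple[int, List[Section]]:
    """Return (AddressOfEntryPoint, sections) from the headers of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    # AddressOfEntryPoint sits at offset 16 of the optional header for PE32 and PE32+ alike.
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]
    table = opt + opt_size
    sections = []
    for i in range(nsections):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
        f = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        name = f[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append(Section(name, f[2], f[1], f[9]))
    return entry_point, sections


def check_expiro_layout(data: bytes) -> dict:
    """Flag the infection layout: last section named PACK and the entry point inside it."""
    entry_point, sections = parse_pe(data)
    if not sections:
        return {"suspicious": False, "reason": "no sections"}
    last = sections[-1]
    in_last = last.virtual_address <= entry_point < last.virtual_address + last.virtual_size
    return {
        "entry_point": entry_point,
        "last_section": last.name,
        "entry_in_last_section": in_last,
        "last_section_executable": bool(last.characteristics & IMAGE_SCN_MEM_EXECUTE),
        "last_section_writable": bool(last.characteristics & IMAGE_SCN_MEM_WRITE),
        "suspicious": last.name == INFECTION_SECTION and in_last,
    }


def build_sample(sections, entry_point: int) -> bytes:
    """Constructed minimal PE32 headers (no code bytes) for the demonstration; not a real sample."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)               # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_point)        # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va, vsize, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, chars in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Assumed section layouts: a clean image and the same image with an appended PACK section.
CLEAN_LAYOUT = [(b".text", 0x1000, 0x1000, 0x60000020), (b".data", 0x2000, 0x1000, 0xC0000040)]
INFECTED_LAYOUT = CLEAN_LAYOUT + [(b"PACK", 0x3000, 0x2000, 0xE0000020)]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(check_expiro_layout(fh.read()))
    else:
        print("clean:   ", check_expiro_layout(build_sample(CLEAN_LAYOUT, 0x1100)))
        print("infected:", check_expiro_layout(build_sample(INFECTED_LAYOUT, 0x3050)))
```

The section name alone is a weak signal, since packers also append sections; the entry point landing in a trailing section that is both writable and executable is the stronger hint, and the verdict should be confirmed against a known-good copy of the file.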

Payload

A separate thread is created in the virus body to carry out the actions described below.

To ensure that only one instance of it runs on the system, the malware creates named objects (mutexes) with the following names:

kkq-vx_mtx<rnd>

gazavat-svc

gazavat-svc_<rnd>

where <rnd> is a random decimal number.

The malware weakens the security zone settings of Internet Explorer. To do so, it modifies the following registry values:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1609" = "0"
"2103" = "0"
"1406" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1609" = "0"
"2103" = "0"
"1406" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1609" = "0"
"2103" = "0"
"1406" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1609" = "0"
"2103" = "0"
"1406" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1609" = "0"
"2103" = "0"
"1406" = "0"

These value names are Internet Explorer URL actions: 1609 is "Display mixed content", 2103 is "Allow status bar updates via script" and 1406 is "Access data sources across domains". For all three, 0 means Enable, so the mixed-content prompt is turned off, scripts may update the status bar, and pages may access data across domains without prompting. Zones 0 to 4 are My Computer, Local intranet, Trusted sites, Internet and Restricted sites, so the weakening applies to every zone, including Restricted sites.

The virus steals the following confidential user information from the infected PC:

  • Information about certificates in the user’s certificate store.
  • User data stored in Windows Protected Storage.
  • User account credentials of the FileZilla application, read from the following file:

%APPDATA%\FileZilla\sitemanager.xml

  • Passwords saved in Internet Explorer, read from the following registry key:

[HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2]

  • In addition, the malware captures passwords as the user types them into windows of other applications.
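As an added example (not code from the original analysis), the parser below shows what an attacker reading sitemanager.xml recovers: FileZilla stores each site's host, user name and password in plain XML. Older builds wrote the password as plaintext; later ones mark it encoding="base64", which is an encoding rather than encryption and is reversed in one line. The sample document is constructed for this demonstration; the hosts, user names and secrets in it are invented.

```python
import base64
import os
import xml.etree.ElementTree as ET

# Constructed sitemanager.xml in FileZilla's layout; all entries are invented for the example.
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <User>webadmin</User>
      <Pass>plain-text-secret</Pass>
      <Name>Website FTP (plaintext password)</Name>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <User>deploy</User>
      <Pass encoding="base64">YjY0LXNlY3JldA==</Pass>
      <Name>Deployment host (base64 password)</Name>
    </Server>
    <Server>
      <Host>anon.example.test</Host>
      <Port>21</Port>
      <User>anonymous</User>
      <Name>No password stored</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def extract_filezilla_credentials(xml_text: str) -> list:
    """Return one dict per <Server>; the password is decoded when FileZilla base64-encoded it."""
    root = ET.fromstring(xml_text)
    entries = []
    for server in root.iter("Server"):
        pass_el = server.find("Pass")
        password = None
        if pass_el is not None and pass_el.text:
            if pass_el.get("encoding") == "base64":
                # base64 is reversible; this is exactly what a credential stealer does.
                password = base64.b64decode(pass_el.text).decode("utf-8", "replace")
            else:
                password = pass_el.text
        entries.append({
            "name": server.findtext("Name", ""),
            "host": server.findtext("Host", ""),
            "port": int(server.findtext("Port", "21")),
            "user": server.findtext("User", ""),
            "password": password,
        })
    return entries


def load_from_appdata() -> list:
    """Parse the live %APPDATA%\\FileZilla\\sitemanager.xml if present, otherwise return []."""
    appdata = os.environ.get("APPDATA")
    if not appdata:
        return []
    path = os.path.join(appdata, "FileZilla", "sitemanager.xml")
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8") as fh:
        return extract_filezilla_credentials(fh.read())


if __name__ == "__main__":
    for e in load_from_appdata() or extract_filezilla_credentials(SAMPLE_SITEMANAGER):
        print(f"{e['name']}: {e['user']}@{e['host']}:{e['port']} password={e['password']!r}")
```

Running this against your own sitemanager.xml is a quick way to see which stored credentials should be rotated after an infection: every password the script prints was readable by the malware.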

The collected information is encrypted and stored in the following files:

%APPDATA%\wsr <rnd>zt32.dll

%APPDATA%\kf<rnd>z32.dll

%APPDATA%\dfl<rnd>z32.dll

%APPDATA%\p <rnd>_<rnd>.dll

where <rnd> is a random decimal number.

To redirect the user to web resources, the virus installs an extension into Mozilla Firefox. The following files are created:

%AppData%\Mozilla\Firefox\Profiles\<profile directory>\extensions\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\chrome.manifest

%AppData%\Mozilla\Firefox\Profiles\<profile directory>\extensions\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\chrome\content.jar

%AppData%\Mozilla\Firefox\Profiles\<profile directory>\extensions\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\components\red.js

%AppData%\Mozilla\Firefox\Profiles\<profile directory>\extensions\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\install.rdf
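The sweep below is an added example, not code from the original analysis: it turns the file artefacts listed in this section (the encrypted data files dropped under %APPDATA% and the Firefox extension directory above) into a scan of one %APPDATA% tree. The extension ID and file names come from the analysis; two of the data-file names are shown with a space before <rnd>, and since it is not clear whether that space is genuine, the patterns accept it as optional. The build_demo_tree helper creates a constructed directory layout so the scan can run offline; none of its files are real samples.

```python
import os
import re
import tempfile
from pathlib import Path

# Extension ID from the Firefox file paths listed above.
EXTENSION_ID = "{ec9032c7-c20a-464f-7b0e-13a3a9e97385}"
EXTENSION_FILES = ["chrome.manifest", "chrome/content.jar", "components/red.js", "install.rdf"]

# Names of the encrypted data files dropped directly under %APPDATA%. The optional space
# mirrors the uncertainty about the listed names "wsr <rnd>zt32.dll" and "p <rnd>_<rnd>.dll".
DATA_FILE_PATTERNS = [
    re.compile(r"^wsr ?\d+zt32\.dll$", re.IGNORECASE),
    re.compile(r"^kf\d+z32\.dll$", re.IGNORECASE),
    re.compile(r"^dfl\d+z32\.dll$", re.IGNORECASE),
    re.compile(r"^p ?\d+_\d+\.dll$", re.IGNORECASE),
]


def scan_appdata(appdata: Path) -> dict:
    """Look for the dropped data files and the Firefox extension under one %APPDATA% tree."""
    hits = {"data_files": [], "firefox_extensions": []}
    for entry in appdata.iterdir():
        if entry.is_file() and any(p.match(entry.name) for p in DATA_FILE_PATTERNS):
            hits["data_files"].append(str(entry))
    profiles = appdata / "Mozilla" / "Firefox" / "Profiles"
    if profiles.is_dir():
        for profile in profiles.iterdir():
            ext_dir = profile / "extensions" / EXTENSION_ID
            if ext_dir.is_dir():
                present = [f for f in EXTENSION_FILES if (ext_dir / f).is_file()]
                hits["firefox_extensions"].append({"profile": profile.name, "present": present})
    return hits


def build_demo_tree(root: Path) -> Path:
    """Constructed %APPDATA% layout for the demonstration; contents are placeholders, not malware."""
    # Three names that match the patterns and two look-alikes that must not.
    for name in ("kf12345z32.dll", "wsr 987zt32.dll", "p 55_66.dll", "kfnotes.dll", "plugin.dll"):
        (root / name).write_bytes(b"\0" * 16)
    ext_dir = root / "Mozilla" / "Firefox" / "Profiles" / "x1y2z3w4.default" / "extensions" / EXTENSION_ID
    (ext_dir / "chrome").mkdir(parents=True)
    (ext_dir / "components").mkdir()
    for rel in EXTENSION_FILES:
        (ext_dir / rel).write_text("")
    return root


def demo() -> dict:
    """Scan the constructed tree and return base names so the result is easy to compare."""
    with tempfile.TemporaryDirectory() as tmp:
        hits = scan_appdata(build_demo_tree(Path(tmp)))
    hits["data_files"] = sorted(Path(p).name for p in hits["data_files"])
    return hits


if __name__ == "__main__":
    appdata = os.environ.get("APPDATA")
    print(scan_appdata(Path(appdata)) if appdata else demo())
```

On a Windows host the script scans the current user's %APPDATA%; elsewhere it runs over the constructed tree. Because the data files are encrypted and carry a .dll extension, the names are the only cheap indicator; a match should be followed by checking the file's creation time against the infection window.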

The user is redirected to the following resources:

ganzagroup.net

gattling-firepower666.biz

save-galapagos-turtles.biz

smellsliketervana.com

xray-lagometer.org

zae-biznes.com

ivan-tarakanov1975.org

kevlar-xguard.ru

advokat-spb18.ru

attorney-at-jew.ru

cannabis-anabioz.org

da-zdra-per-ma.com

fettucini-mushfood.biz

mobbine.com

mossad-torg.ru

s350.in

sanitar-lesa.ru

zionist-govt3000.com

nae-biznes.ru

nsdap-party.org

office-rents24.ru

oil-sibtrans-gaz.ru

rmobbine.com

gosdep-mskcity.ru

govt-comission2011.ru

grilled-mushrooms.cc

headshot-freelance.com

hlop-v-lob.ru

lasersquad1996.com

maha-krishna-ashram.in

mellsliketervana.com

million-megadoz.com

japan-flowersx343.net

jopa-s-ushami.biz

kaspersky-antinod.biz

The malware has backdoor functionality. To receive commands, it connects to one of the following attacker servers:

ganzagroup.com

ganzagroup.in

gektar-promarenda.ru

samohodka-ww3.ru

skolkovo-bizrents2012.ru

smellsliketervana.com

verified.ru

virtest.com

xverified.ru

license-policy2012.ru

lowlol-casting.ru

gronx-planets.ru

hsbc.ca

kgbrelaxclub.ru

kidos-bank.ru

samohodka-ww2.ru

avcheckx2011.ru

barclays.com

cashing.cc

directconnection.ws

laurentianbank.ca

law-service2011.ru

license-crewru.ru

The list above also contains domains of legitimate financial institutions (hsbc.ca, barclays.com, laurentianbank.ca). This analysis does not establish in what role they appear, so treat the list as indicators for investigation rather than as a blanket blocklist.

The malware can also generate attacker server names automatically (a domain generation algorithm; the algorithm itself is not described here). Examples of generated names:

hfuvub-ohap.ru

vjixab-ekew.ru

rsymi-betop.com

tlizyb-ypud.ru

rpibob-urok.ru

The following information about the infected system is sent to the attacker server:

  • hard drive serial number;
  • system locale value;
  • OS version;
  • Windows Product ID.

On command from the attacker server, the malware can perform the following actions on the infected computer:

  • update its components by downloading them from the attacker server;
  • download files from the attacker server and execute them; downloaded files may be stored in the Temporary Internet Files folder (%Temporary Internet Files%) or in %APPDATA%;
  • upload the collected confidential information to the attacker server.

Removal Recommendations

If your computer was not protected by an antivirus program and became infected with this malicious program, follow the steps below to remove it:

  1. Run a full scan of your computer using an antivirus program with an updated definition database (Download Ad-Aware Free).
  2. Do not run executable files and do not reboot the computer until the full scan has completed. As described above, infected service executables and pending infections take effect on the next boot.
  3. Restore the infected files from backup copies. Where no backup exists, reinstall the affected applications. Because the virus disables Windows File Protection, verify the protected system files afterwards with sfc /scannow.
  4. Restore the registry values modified by the malware in the following branches (How to Work with System Registry). In Internet Explorer the same result is reached via Internet Options > Security > "Reset all zones to default level":

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]

  5. Delete the original malware file (its name and location depend on how the malware originally reached the computer).
  6. Clean the Temporary Internet Files folder, which may contain downloaded malicious files (How to clean Temporary Internet Files folder).
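The audit below is an added example, not code from the original analysis or from any vendor tool. It serves both the Internet Explorer zone settings described in the Payload section and removal step 4: it reads the five zone keys, either from a .reg export (the format regedit writes) or from the live registry on Windows, and reports every zone in which 1406, 1609 or 2103 is set to 0 (Enable). The embedded .reg text is constructed for the demonstration, with the Internet zone weakened as the analysis describes and the Restricted sites zone left at 3 (Disable); the extra value 1001 in it is only there to show that unrelated values are ignored.

```python
import re
import sys

ZONE_NAMES = {"0": "My Computer", "1": "Local intranet", "2": "Trusted sites",
              "3": "Internet", "4": "Restricted sites"}
# URL-action values the analysis reports being forced to 0; for these, 0 means Enable.
WATCHED_VALUES = {
    "1406": "Access data sources across domains",
    "1609": "Display mixed content",
    "2103": "Allow status bar updates via script",
}
ZONES_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"

# Constructed .reg export: zone 3 weakened as described, zone 4 untouched.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000001
"1406"=dword:00000000
"1609"=dword:00000000
"2103"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1406"=dword:00000003
"1609"=dword:00000003
"2103"=dword:00000003
"""


def parse_reg_export(text: str) -> dict:
    """Parse [key] headers and "name"=dword:xxxxxxxx lines of a .reg export into {key: {name: int}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=dword:([0-9A-Fa-f]{8})$', line)
            if m:
                keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def audit_zones(keys: dict) -> list:
    """Return (zone, zone name, value name, description) for each watched value set to 0."""
    findings = []
    prefix = ZONES_KEY.lower() + "\\"
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        zone = key[len(prefix):]
        for name, desc in WATCHED_VALUES.items():
            if values.get(name) == 0:
                findings.append((zone, ZONE_NAMES.get(zone, "unknown"), name, desc))
    return findings


def read_live_zones() -> dict:
    """Read the same values from the current user's registry (Windows only)."""
    import winreg  # only importable on Windows
    keys = {}
    sub_root = ZONES_KEY.split("\\", 1)[1]  # path below HKEY_CURRENT_USER
    for zone in ZONE_NAMES:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, sub_root + "\\" + zone) as k:
                values = {}
                for name in WATCHED_VALUES:
                    try:
                        values[name] = winreg.QueryValueEx(k, name)[0]
                    except FileNotFoundError:
                        pass  # value absent: the zone uses the default for that action
                keys[ZONES_KEY + "\\" + zone] = values
        except FileNotFoundError:
            pass
    return keys


if __name__ == "__main__":
    if len(sys.argv) > 1:  # audit an exported .reg file (regedit writes UTF-16 with a BOM)
        raw = open(sys.argv[1], "rb").read()
        text = raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("utf-8", "replace")
        keys = parse_reg_export(text)
    elif sys.platform == "win32":
        keys = read_live_zones()
    else:
        keys = parse_reg_export(SAMPLE_REG)
    for zone, zone_name, value, desc in audit_zones(keys):
        print(f"zone {zone} ({zone_name}): {value} {desc} = 0 (Enable)")
```

The page gives the malicious values but not the per-zone defaults, which differ between zones and Internet Explorer versions, so the script only detects the weakening; restore the defaults with "Reset all zones to default level" rather than by hand-editing the values, and re-run the audit afterwards to confirm nothing is still 0.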