Virus: W32/Expiro.Q
Date discovered: 19/02/2010
Type: File infector
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: No
File size: ~200.000 Bytes
IVDF version: 7.10.04.104 - Friday, February 19, 2010
General
Method of propagation:
• Infects files
Aliases:
• Symantec: W32.Xpiro.B
• Kaspersky: Virus.Win32.Expiro.q
Similar detection:
• W32/Expiro.B
• W32/Expirio.A
• W32/Expiro.C
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Drops files
• Drops malicious files
• Infects files
• Lowers security settings
• Registry modification
• Steals information

Files
The following files are created:
– Non malicious files:
• %home%\Local Settings\Application Data\%random character string%.dll
• %home%\Application Data\Mozilla\Firefox\Profiles\%eight-digit random character string%.default\extensions\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\chrome.manifest
• %home%\Application Data\Mozilla\Firefox\Profiles\%eight-digit random character string%.default\extensions\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\install.rdf
– A file that is for temporary use and it might be deleted afterwards:
• %infected files%.ivr
– %home%\Application Data\Mozilla\Firefox\Profiles\%eight-digit random character string%.default\extensions\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\chrome\content.jar
Further investigation pointed out that this file is malware, too.
– %home%\Application Data\Mozilla\Firefox\Profiles\%eight-digit random character string%.default\extensions\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\components\red.js
Further investigation pointed out that this file is malware, too.

File infection
Infector type: Appender - The virus main code is added at the end of the infected file.
– The following sections are added to the infected file:
• .data
• .data
Damaging - The files may be improperly infected. This results in infected files that are broken and crash.
Stealth: No stealth techniques used. It modifies the OEP (Original Entry Point) of the infected file to point to the virus code.
Self Modification: Encrypted - The virus code inside the infected file is encrypted.
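The two structural traits above (an appended section that duplicates the `.data` name, and an entry point moved into the appended section) can be checked from the PE headers alone, without running the file. The following triage script is an added example written for this page, not Avira's detection logic and not code from the virus; it parses the DOS, COFF, optional and section headers with the standard library only, flags both traits, and builds a constructed minimal PE32 header in memory so it can be run offline. It does not attempt to decode the encrypted appended code.

```python
import struct

# Hypothetical helper: parse the PE headers needed for the two checks.
def parse_sections(data):
    """Return (AddressOfEntryPoint, [(name, VirtualAddress, VirtualSize, SizeOfRawData)])."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    table = opt + opt_size
    sections = []
    for i in range(nsections):
        # IMAGE_SECTION_HEADER is 40 bytes; we only need the first 24.
        name, vsize, va, rawsize, _ = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rawsize))
    return entry_rva, sections


def expiro_indicators(data):
    """Return a list of human-readable findings; empty means neither trait is present."""
    entry_rva, sections = parse_sections(data)
    findings = []
    names = [s[0] for s in sections]
    dupes = {n for n in names if names.count(n) > 1}
    if dupes:
        findings.append("duplicate section names: " + ", ".join(sorted(dupes)))
    if sections:
        last_name, last_va, last_vsize, last_raw = sections[-1]
        last_size = max(last_vsize, last_raw)
        if last_va <= entry_rva < last_va + last_size:
            findings.append(
                f"entry point 0x{entry_rva:x} lies in the last section '{last_name}'")
    return findings


def build_sample_pe(section_names, entry_rva):
    """Constructed sample: a minimal PE32 header with the given sections (not a real binary)."""
    opt_size = 224  # standard PE32 optional header size
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    # Magic, linker major/minor, SizeOfCode, SizeOfInitializedData,
    # SizeOfUninitializedData, AddressOfEntryPoint; rest zero-padded.
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva)
    opt += b"\0" * (opt_size - len(opt))
    table = b""
    va = 0x1000
    for name in section_names:
        table += struct.pack("<8sIIII", name.encode(), 0x1000, va, 0x1000, 0) + b"\0" * 16
        va += 0x1000
    return dos + b"PE\0\0" + coff + opt + table


if __name__ == "__main__":
    clean = build_sample_pe([".text", ".rdata", ".data"], 0x1000)
    suspect = build_sample_pe([".text", ".rdata", ".data", ".data"], 0x4100)
    print("clean:", expiro_indicators(clean))
    print("suspect:", expiro_indicators(suspect))
```

Both findings together are a strong hint for this family's appender behaviour; on their own, an entry point in the last section is also common for legitimately packed executables, so treat a single hit as a reason to look closer rather than a verdict.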
Method: This direct-action infector actively searches for files.
Infection length: Approximately 200.000 Bytes
The following files are infected:
By exact path:
• *.exe
Files in any of the following directories:
• %all directories%

Registry
The following registry keys are changed:
Lower security settings from Internet Explorer:
– [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
Old value:
• "1609"=dword:00000001
New value:
• "1609"=dword:00000000
• "2103"=dword:00000000
Lower security settings from Internet Explorer:
– [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
Old value:
• "1609"=dword:00000001
New value:
• "1609"=dword:00000000
• "2103"=dword:00000000
Lower security settings from Internet Explorer:
– [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
Old value:
• "1609"=dword:00000001
New value:
• "1609"=dword:00000000
• "2103"=dword:00000000
Lower security settings from Internet Explorer:
– [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
Old value:
• "1609"=dword:00000001
New value:
• "1609"=dword:00000000
• "2103"=dword:00000000
Lower security settings from Internet Explorer:
– [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
Old value:
• "1609"=dword:00000001
New value:
• "1609"=dword:00000000
• "2103"=dword:00000000

Stealing
It tries to steal the following information:
– Email account information obtained from the registry key:
HKCU\Software\Microsoft\Internet Account Manager\Accounts
– Passwords from the following programs:
• Firefox
• Filezilla
• INETCOMM Server

Miscellaneous
Mutex:
It creates the following Mutex:
• kkq-vx_mtx%number%
Description inserted by Daniel Constantin on Monday, March 1, 2010
Description updated by Daniel Constantin on Thursday, March 4, 2010