Virus.Win64.EXPIRO.AA

This Virus arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any backdoor routine.

It steals certain information from the system and/or the user.

Arrival Details

This Virus arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Virus drops the following files:

• %AppDataLocal%\{random characters }\cmd.exe -> infected copy of legitimate %System%\cmd.exe
• {infected directory path}\{random characters}.tmp -> initial infected file, later replaces the host executable file contents and then deleted.
• %ProgramData%\{random characters }.dat
• %ProgramData%\{random characters }.nls

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Documents and Settings\All Users on Windows Server 2003(32-bit), 2000(32-bit) and XP.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Local\{random}

Other System Modifications

This Virus adds the following registry entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Explorer\
User Shell Folders
Startup = %AppDataLocal%\{random characters}

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Shell Folders
Startup = %AppDataLocal%\{random characters}

File Infection

This Virus infects the following file types:

• .EXE

It avoids infecting files that contain the following strings in their names:

• rsvp.exe
• chrome.exe
• rundll32.exe
• consent.exe
• sppsvc.exe
• WerFault.exe

Backdoor Routine

This Virus does not have any backdoor routine.

Rootkit Capabilities

This Virus does not have rootkit capabilities.

Process Termination

This Virus terminates the following services if found on the affected system:

• wscsvc
• WinDefend
• MsMpSvc
• NisSrv
• gupdate
• gupdatem
• wuauserv

Information Theft

This Virus steals the following information:

• OS Information
• Drive Information
• System Locale Language
• Processor Name and Description
• Baseboard SKU and Model
• DiskDrive Model and Size
• Computer System Product Information

Stolen Information

This Virus sends the gathered information via HTTP POST to the following URL:

• http://{BLOCKED}bykovfoqys.ws
• http://{BLOCKED}jixxu-pafkel
• http://{BLOCKED}ezed-picriv.ws
• http://{BLOCKED}ilixif.ws
• http://{BLOCKED}lraf-uxek.com
• http://{BLOCKED}humydoc.in
• http://{BLOCKED}amytavyx.ws
• http://{BLOCKED}fytipi.biz
• http://{BLOCKED}ovoxijyr.com
• http://{BLOCKED}kda-miw.biz
• http://{BLOCKED}sicpu.ru
• http://{BLOCKED}u-ozyh.in
• http://{BLOCKED}ade-ry.org
• http://{BLOCKED}ejudkyl.cc
• http://{BLOCKED}ahokadyp.in
• http://{BLOCKED}vy-aqaziq.org
• http://{BLOCKED}mehiqsixa.biz
• http://{BLOCKED}ovakyv.biz
• http://{BLOCKED}fxyzeca.biz
• http://{BLOCKED}wanysa.biz
• http://{BLOCKED}omo-beljum.ws
• http://{BLOCKED}hode.cc
• http://{BLOCKED}junedelqa.cc
• http://{BLOCKED}epma-jeh.com
• http://{BLOCKED}rifithal.in
• http://{BLOCKED}-boqmy.biz
• http://{BLOCKED}fabqajci.ru
• http://{BLOCKED}wetexdy.cc
• http://{BLOCKED}ery-ro.ru
• http://{BLOCKED}zumiwahod.com
• http://{BLOCKED}ykkodyky.ws
• http://{BLOCKED}hojavaze.com
• http://{BLOCKED}uvaponi.in
• http://{BLOCKED}acutebo.ws
• http://{BLOCKED}iwitucy.net
• http://{BLOCKED}ixjyfy.com
• http://{BLOCKED}ca-uci.ru
• http://{BLOCKED}ulivafe.com
• http://{BLOCKED}sobbe.ws
• http://{BLOCKED}ubucsasaw.biz
• http://{BLOCKED}b-efal.ru
• http://{BLOCKED}-bifik.com
• http://{BLOCKED}b-yjes.ru
• http://{BLOCKED}b-ohap.ru
• http://{BLOCKED}b-uluz.ru
• http://{BLOCKED}b-ekew.ru
• http://{BLOCKED}-copog.com
• http://{BLOCKED}b-ypud.ru
• http://{BLOCKED}b-urok.ru
• http://{BLOCKED}b-aquh.ru
• http://{BLOCKED}b-ivar.ru
• http://{BLOCKED}-betop.com
• http://{BLOCKED}b-oxyx.ru
• http://{BLOCKED}b-yxav.ru
• http://{BLOCKED}b-abif.ru
• http://{BLOCKED}b-ubyc.ru
• http://{BLOCKED}by-ezu.ru
• http://{BLOCKED}vvy-sihpy.ws
• http://{BLOCKED}ubiwezu.com
• http://{BLOCKED}a-xojfu.biz
• http://{BLOCKED}i-izy.org
• http://{BLOCKED}pi-ziboj.in
• http://{BLOCKED}olonkub.ru
• http://{BLOCKED}ylvos-hyqe.ws
• http://{BLOCKED}nixly-muro.cc
• http://{BLOCKED}usdi-ihyq.in
• http://{BLOCKED}ybavyxo.org
• http://{BLOCKED}odkitywuli.ws
• http://{BLOCKED}ewvupazah.ws
• http://{BLOCKED}owvusxuwlu.ws
• http://{BLOCKED}oqi-co.in
• http://{BLOCKED}a-ahusdyb.net
• http://{BLOCKED}beqfu-son.biz
• http://{BLOCKED}hynxavdu.net
• http://{BLOCKED}xjedkiciten.biz
• http://{BLOCKED}woxiqaf.ru
• http://{BLOCKED}ibliki.ru

Other Details

This Virus does the following:

• This infector infects the target files of shortcut files located in the following location(s):
  • %Programs%
  • %Desktop%
• Since the infector infects Startup programs, it also serves as its auto-start mechanism.
• It also searches all available drives for .EXE files that it will infect. In this way, the drives shared through network and removable drives will be infected. This also serves as its propagation method.

(Note: %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\Desktop on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It does not exploit any vulnerability.