ESET’s WeLiveSecurity researchers have analyzed a new variant of the Win64/Expiro file infector. The Expiro (Xpiro) family has been known for years and studied extensively, but earlier variants infected only 32-bit files. The new version carries a cross-platform body that can infect both 32-bit and 64-bit executables.
The virus infects executables on local, removable and network drives. It installs extensions for Google Chrome and Mozilla Firefox that redirect the user to malicious URLs and intercept confidential information, for example during online banking sessions and other logins to private websites. It also steals stored certificates and passwords from Internet Explorer, Microsoft Outlook and the FTP client FileZilla. On the compromised computer it disables protective services such as Windows Defender and Windows Security Center.
The Infection
During infection the virus overwrites the start of the target's code with its own startup code and appends the malicious body in a new section named .vmp0; a jump instruction inserted at the entry point transfers control into that section, where the virus body is unpacked. The infector walks the directory tree looking for executable files, writes each infected image to a new, specially created file in 64 KB blocks, and, when read/write access is denied, changes the file's security descriptor and owner information to get past the restriction.
Signed executables are infected as well, which breaks their Authenticode signature (a useful tell when triaging a machine). The infector process stands out through its very large number of I/O operations and the volume of bytes read and written; because it must examine every file on the system, this phase can take a long time.
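A static triage check for the infection marks described above, written as an added example (not ESET's code or part of the original post): it parses the PE headers of both 32-bit (PE32) and 64-bit (PE32+) images, looks for an appended .vmp0 section, and checks whether the bytes at the entry point are a near relative jump (E9 rel32) whose target lands inside that section. The two test images are constructed inline with minimal valid headers and are not runnable programs. Note the caveat the verdict encodes: a .vmp0 section on its own is also what the VMProtect packer produces, so only the entry-point jump into it is treated as an Expiro indicator.

```python
"""Added example: triage a PE image for Win64/Expiro marks (.vmp0 section, entry-point jump into it)."""
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
VIRUS_SECTION = b".vmp0"        # name Expiro gives the section holding its body
SECTION_HDR = "<8sIIIIIIHHI"    # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data):
    """Return (bits, entry_rva, sections) for a PE32 or PE32+ image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    bits = 32 if magic == PE32_MAGIC else 64
    # AddressOfEntryPoint sits at offset 16 of the optional header in both formats
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, rawsize, rawptr, *_ = struct.unpack_from(SECTION_HDR, data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "vaddr": vaddr, "vsize": vsize,
                         "rawptr": rawptr, "rawsize": rawsize})
    return bits, entry_rva, sections


def section_for_rva(sections, rva):
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def triage(data):
    """Report whether the image carries a .vmp0 section and whether the entry point jumps into it."""
    bits, entry, sections = parse_pe(data)
    vmp = next((s for s in sections if s["name"] == VIRUS_SECTION), None)
    entry_sec = section_for_rva(sections, entry)
    jump_target = None
    if entry_sec is not None:
        off = entry - entry_sec["vaddr"] + entry_sec["rawptr"]
        # E9 rel32: near jmp, target relative to the instruction *after* the 5-byte jmp
        if data[off:off + 1] == b"\xe9" and len(data) >= off + 5:
            jump_target = (entry + 5 + struct.unpack_from("<i", data, off + 1)[0]) & 0xFFFFFFFF
    jumps_in = (vmp is not None and jump_target is not None
                and vmp["vaddr"] <= jump_target < vmp["vaddr"] + vmp["vsize"])
    if jumps_in:
        verdict = "likely Expiro-infected"
    elif vmp is not None:
        verdict = "has .vmp0 but entry untouched (VMProtect-packed?)"
    else:
        verdict = "no Expiro marks"
    return {"bits": bits, "has_vmp0": vmp is not None, "entry_jumps_into_vmp0": jumps_in,
            "jump_target": jump_target, "verdict": verdict}


def build_pe(is_64, sections, entry_rva):
    """Constructed test image (headers plus raw section bodies); valid for parsing, not for running."""
    opt_size = 240 if is_64 else 224
    rawptr = 64 + 4 + 20 + opt_size + 40 * len(sections)   # bodies start right after the headers
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664 if is_64 else 0x14C, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if is_64 else PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)
    headers, bodies = b"", b""
    for name, vaddr, vsize, body in sections:
        headers += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), vsize, vaddr, len(body), rawptr,
                               0, 0, 0, 0, 0x60000020)      # CODE | EXECUTE | READ
        bodies += body
        rawptr += len(body)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + headers + bodies


# Constructed samples: an untouched 32-bit image and a 64-bit one patched the way the post describes.
TEXT_CLEAN = b"\x55\x8b\xec".ljust(0x100, b"\xcc")                     # push ebp; mov ebp, esp
TEXT_PATCHED = (b"\xe9" + struct.pack("<i", 0x3000 - (0x1000 + 5))).ljust(0x100, b"\xcc")  # jmp 0x3000
CLEAN_32 = build_pe(False, [(b".text", 0x1000, 0x1000, TEXT_CLEAN),
                            (b".data", 0x2000, 0x1000, b"\0" * 0x100)], entry_rva=0x1000)
INFECTED_64 = build_pe(True, [(b".text", 0x1000, 0x1000, TEXT_PATCHED),
                              (b".data", 0x2000, 0x1000, b"\0" * 0x100),
                              (b".vmp0", 0x3000, 0x20000, b"\x90" * 0x100)], entry_rva=0x1000)

if __name__ == "__main__":
    for label, image in (("clean 32-bit", CLEAN_32), ("infected 64-bit", INFECTED_64)):
        print(label, triage(image))
```

On a real system, feed `triage()` the bytes of each executable found during a disk sweep and pair its verdict with an Authenticode check, since any signed file the infector touched will no longer verify.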
As a bot, the malware can perform the following:
- change control server URLs;
- execute a shell command – passes it as param to cmd.exe and returns result to server;
- download and execute plugins from internet;
- download a file from the internet and save it as %commonappdata%\%variable%.exe;
- implement a TCP flood DoS attack;
- enumerate files matching mask \b*.dll in the %commonappdata% folder, loading each one as a library, calling export «I» from it, and loading exports «B» and «C» from it;
- call plugin functions «B» and «C» from the loaded plugin;
- start proxy server (SOCKS, HTTP);
- set port forwarding for TCP on the local router (SOAP).
Please visit http://www.hyphenet.com/blog/ for more posts on the latest technology and IT security news.
Source: Versatile and infectious: Win64/Expiro is a cross-platform file infector – WeLiveSecurity, July 30, 2013