Overview
Type: Virus
Destruction Level: High
Prevalence: Low
Malware name(s)
- Virus.Win32.Expiro
What is a virus?
In technical terms, a computer virus such as Expiro is a type of malware that cannot replicate itself on its own. Viruses can infect all accessible executable files on the computer system, which usually have .exe and .dll extensions. During execution, a virus looks for non-infected (host) files and, to replicate, inserts its own code into the host file's code. Then, once the infected file is executed, the malicious code is executed too.
Technical Review
The malware communicates with its malicious servers. The purpose of this communication is to send information about the current version of the malware and the specifications of the victim's computer system and, if possible, to receive files from the malicious server.
This information is encrypted before it is sent.
Indicators of Compromise (IoC)
· Existence of a .bin data file in the following path (where %s stands for the variable file name):
“%AppData%\Roaming\%s.bin”
· Sending information to numerous domains using POST method.
Some spotted domains are:
Performance Description
If the names of the services on the victim's system do not contain the following strings, the Expiro virus infects the files corresponding to those services:
windefend, TrustedInstaller, UIodetect
In addition to system service binaries, it infects files with the “.exe” and “.scr” extensions.
The virus's method of infecting system files differs between the “resurface” (new) and “old” variants, as follows:
Older variant: Older variants of the Expiro virus remove part of the entry point (EP) contents of the clean file and place it at the end of the last section. They then write their infected contents in place of the clean file's EP contents and insert their encoded contents at the end of the file, after the EP bytes relocated from the clean file. The virus creates a .tmp file and writes all of this modified content into it.
New variant: In the new variant, the Expiro virus writes its encoded contents at the end of the last section of the clean file and then changes some fields of the file's PE header, including “SizeOfRawData”, “CheckSum”, etc.
This virus also rewrites a “call” instruction in the clean file so that its malicious code runs when the infected file is executed: instead of calling the clean function, the patched call transfers execution to the virus code on the victim's computer system.
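As an added example (not code from the original page or from Padvish), the following Python script checks a PE file's section table for two heuristic signs consistent with the new-variant behaviour described above: the last section being marked executable, and its SizeOfRawData exceeding the file-aligned VirtualSize. The sample headers are constructed inline, and the header offsets and section flag values are taken from the PE32 format; a packed or unusually laid-out binary can also trip these heuristics, so treat a hit as a reason to inspect, not as a verdict.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def parse_pe(pe):
    """Return (FileAlignment, [section dicts]) from a PE32 image's headers."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    opt = e_lfanew + 24                                        # optional header start
    file_align = struct.unpack_from("<I", pe, opt + 36)[0]     # FileAlignment (PE32)
    sections = []
    for i in range(nsec):
        name, vsize, _, raw, _, _, _, _, _, chars = struct.unpack_from(
            SECTION_FMT, pe, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize,
                         "raw": raw, "chars": chars})
    return file_align, sections

def expiro_indicators(pe):
    """Heuristic signs of code appended to the last section, as the new Expiro
    variant does. Returns the reasons found; an empty list means none."""
    file_align, sections = parse_pe(pe)
    last = sections[-1]
    reasons = []
    if last["chars"] & IMAGE_SCN_MEM_EXECUTE:  # .rsrc/.reloc are normally not executable
        reasons.append(f"last section {last['name']} is executable")
    expected_raw = -(-last["vsize"] // file_align) * file_align  # VirtualSize rounded up
    if last["raw"] > expected_raw:  # more raw bytes than the section declares it needs
        reasons.append(f"last section raw size 0x{last['raw']:x} > aligned VirtualSize 0x{expected_raw:x}")
    return reasons

def build_sample(last_raw, last_chars):
    """Constructed minimal PE32 header (DOS stub, NT headers, two sections); not a real binary."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # i386, 2 sections
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<I", opt, 36, 0x200)  # FileAlignment
    text = struct.pack(SECTION_FMT, b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    rsrc = struct.pack(SECTION_FMT, b".rsrc", 0x100, 0x2000, last_raw, 0x600, 0, 0, 0, 0, last_chars)
    return dos + b"PE\0\0" + coff + bytes(opt) + text + rsrc

CLEAN = build_sample(0x200, 0x40000040)  # .rsrc read-only, raw size file-aligned
INFECTED = build_sample(0x800, 0x40000040 | IMAGE_SCN_MEM_EXECUTE)  # code appended, made executable
```

To run it against a real file, pass `open(path, "rb").read()` to `expiro_indicators`; the check reads only the headers and never executes the sample.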
How to deal with and clean the system?
By employing UMP technology as part of its behavior-based protection, Padvish prevents the system from becoming infected through portable drives.
So install Padvish anti-malware to prevent malware infections such as Expiro and to make sure your device is not infected by them.