Win32/Expiro [Threat Name]

Win32/Expiro.CG [Threat Variant Name]

Category virus
Detection created Nov 26, 2014
Detection database version 10786
Aliases Virus.Win32.Expiro.nt (Kaspersky)
  Virus:Win32/Expiro.DS (Microsoft)
Short description

Win32/Expiro.CG is a polymorphic file infector.

Installation

The virus creates the following files:

  • %userprofile%\Local Settings\Application Data\wsr%variable%zt32.dll
  • %commonappdata%\%variable%36.nls

A string with variable content is used instead of %variable%.


The following Registry entries are set:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
    • "1406" = 0
    • "2103" = 0
    • "1609" = 0
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
    • "1406" = 0
    • "2103" = 0
    • "1609" = 0
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
    • "1406" = 0
    • "2103" = 0
    • "1609" = 0
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "1406" = 0
    • "2103" = 0
    • "1609" = 0
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
    • "1406" = 0
    • "2103" = 0
    • "1609" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\%variable%]
    • "EnableNotifications" = 0

A string with variable content is used instead of %variable%.

File infection

Win32/Expiro.CG is a polymorphic file infector.


The virus searches local drives for executable files to infect.


The virus searches for executables with one of the following extensions:

  • .exe (PE32, PE64)
  • .scr (PE32, PE64)

Executables are infected by appending the code of the virus to the last section.


The host file is modified in a way that causes the virus to be executed prior to running the original code.


The size of the inserted code is variable.
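
An appending infector of the kind described above leaves structural traces in the host's PE headers that can be triaged without a signature, which matters for a polymorphic body whose bytes differ from host to host. The following Python script is an added example and is not ESET's code or the virus's: it parses the COFF and optional headers and the section table of a PE32 or PE32+ file and flags an entry point that falls in the last section, an entry section that is both writable and executable, and an entry section not marked as code. It assumes the common case in which "executed prior to running the original code" is achieved by pointing AddressOfEntryPoint at the appended code; the page does not say whether Expiro.CG does this or patches the original entry instead. The two header-only images at the bottom are constructed for the example and contain no real code.

```python
import struct
from dataclasses import dataclass

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_pointer: int
    characteristics: int


def parse_headers(data: bytes):
    """Return (entry_point_rva, [Section, ...]) from a PE32 or PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+; the page lists both as targets
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)  # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        name, vsize, vaddr, rsize, rptr = fields[:5]
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vsize, vaddr, rsize, rptr, fields[-1]))
    return entry_rva, sections


def triage(data: bytes) -> dict:
    """Flag traits an appending infector leaves behind; a hit is a lead, not a verdict."""
    entry_rva, sections = parse_headers(data)
    host = next((s for s in sections
                 if s.virtual_address <= entry_rva
                 < s.virtual_address + max(s.virtual_size, s.raw_size)), None)
    findings = []
    if host is None:
        findings.append("entry point lies outside every section")
    else:
        if len(sections) > 1 and host is sections[-1]:
            findings.append(f"entry point is in the last section ({host.name})")
        if host.characteristics & IMAGE_SCN_MEM_WRITE and host.characteristics & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"entry section {host.name} is writable and executable")
        if not host.characteristics & IMAGE_SCN_CNT_CODE:
            findings.append(f"entry section {host.name} is not marked as code")
    return {"entry_section": host.name if host else None,
            "findings": findings, "suspicious": bool(findings)}


def build_headers(sections, entry_rva):
    """Constructed header-only PE32 image for the demo: real header layout, no real code."""
    opt_size = 0xE0  # standard PE32 optional header size
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 14, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    table = b"".join(struct.pack("<8sIIIIIIHHI", name.encode("ascii"), vsize, vaddr, vsize, rptr,
                                 0, 0, 0, 0, chars)
                     for name, vaddr, vsize, rptr, chars in sections)
    return dos + b"PE\0\0" + coff + opt + table


# (name, VirtualAddress, VirtualSize, PointerToRawData, Characteristics): a normal layout.
CLEAN_SAMPLE = build_headers([
    (".text", 0x1000, 0x2000, 0x400, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", 0x3000, 0x1000, 0x2400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".rsrc", 0x4000, 0x800, 0x3400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
], entry_rva=0x1200)

# The same host after an appending infection: .rsrc has grown, is now writable and
# executable, and the entry point has been moved into the appended code.
INFECTED_SAMPLE = build_headers([
    (".text", 0x1000, 0x2000, 0x400, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", 0x3000, 0x1000, 0x2400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".rsrc", 0x4000, 0x1800, 0x3400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
                                      | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE),
], entry_rva=0x4900)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE)):
        print(label, triage(sample))
```

On a real file call triage(open(path, "rb").read()). Packers such as UPX also place the entry point in a late, writable and executable section, so a hit should be followed by a look at the section's content and at the binary's signature state rather than treated as an infection verdict on its own.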

Information stealing

Win32/Expiro.CG is a virus that steals passwords and other sensitive information.


The following information is collected:

  • digital certificates
  • login passwords for certain applications/services
  • login user names for certain applications/services
  • Outlook Express account data
  • FTP account information
  • volume serial number
  • information about the operating system and system settings
  • a list of recently visited URLs

The virus may affect the behavior of the following applications:

  • Mozilla Firefox
  • Google Chrome

The virus collects information used to access certain sites.


The virus attempts to send gathered information to a remote machine.

Other information

The virus acquires data and commands from a remote computer or the Internet.


The virus contains a list of 60 URLs and also generates further URL addresses. The HTTP protocol is used.


It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • execute shell commands
  • modify network traffic
  • modify the content of websites
  • redirect network traffic
  • monitor network traffic
  • set up a proxy server
  • perform DoS/DDoS attacks

The following services are disabled:

  • wscsvc
  • WinDefend
  • MsMpSvc
  • NisSrv
  • gupdate
  • gupdatem
  • wuauserv

The following programs are terminated:

  • MSASCui.exe
  • msseces.exe
  • mseinstall.exe
  • Tcpview.exe
  • cav_installer.exe
  • cfw_installer.exe
  • cispremium_installer.exe
  • PandaCloudAntivirus.exe
  • 60Second.exe
  • Antivirus_Free_Edition.exe
  • OnlineArmorSetup.exe
  • McAfeeSetup.exe
  • Vba32.NT.T.exe
  • Vba32.P.exe
  • Vba32.S.exe
  • Vba32.Vista.exe
  • Vba32.W.exe
  • Vba32Check.exe
  • Vba32RCSInstal
  • Tuner.exe
  • avgmfapx.exe
  • avg_remover_expiro.exe
