Win32/Expiro [Threat Name]

Win32/Expiro.T [Threat Variant Name]

Category: virus
Size: 110832 B
Detection created: Apr 13, 2011
Detection database version: 6039
Aliases:
  • Virus.Win32.Expiro.w (Kaspersky)
  • W32/Expiro.gen.h.virus (McAfee)
  • Virus:Win32/Expiro.R (Microsoft)
Short description

Win32/Expiro.T is a polymorphic file infector.

Installation

The virus does not create any copies of itself.


The virus creates the following files:

  • %appdata%\Mozilla\Firefox\Profiles\%profile%\extensions\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\chrome\content.jar (8234 B)
  • %appdata%\Mozilla\Firefox\Profiles\%profile%\extensions\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\chrome.manifest (307 B)
  • %appdata%\Mozilla\Firefox\Profiles\%profile%\extensions\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\components\red.js (JS/Redirector.NBI, 4152 B)
  • %appdata%\Mozilla\Firefox\Profiles\%profile%\extensions\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\install.rdf (881 B)

The following Registry entries are set:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
    • "1406" = 0
    • "1609" = 0
    • "2103" = 0
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
    • "1406" = 0
    • "1609" = 0
    • "2103" = 0
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
    • "1406" = 0
    • "1609" = 0
    • "2103" = 0
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "1406" = 0
    • "1609" = 0
    • "2103" = 0
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
    • "1406" = 0
    • "1609" = 0
    • "2103" = 0

The virus can delete cookies.

File infection

Win32/Expiro.T is a polymorphic file infector.


The virus searches fixed drives for executable files to infect.


It also infects files stored on removable and network drives.


The virus searches for executables with one of the following extensions:

  • .exe

Files are infected by adding a new section that contains the virus.

The size of the inserted code is 110832 B.


The host file is modified in a way that causes the virus to be executed prior to running the original code.
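An added structural check for the infection pattern this section describes (written for this page, not ESET's code): it parses the PE section table and flags a file whose entry point lies in the last section when that section is at least as large as the reported inserted code. The header-only PE images it builds are constructed test fixtures, and the ".vir" section name is an assumption, not something the description reports.

```python
import struct
SECTION_FMT = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes

def parse_pe(data: bytes):
    """Return (AddressOfEntryPoint, [(name, vsize, vaddr, rawsize), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                              # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                  # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_FMT, data, opt + opt_size + i * 40)
        name = fields[0].rstrip(b"\0").decode("latin-1")
        sections.append((name, fields[1], fields[2], fields[3]))
    return entry_rva, sections

def section_of(rva: int, sections):
    """Index of the section whose virtual range contains the RVA, or None."""
    for i, (_, vsize, vaddr, rawsize) in enumerate(sections):
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return i
    return None

def looks_expiro_infected(data: bytes, appended_size: int = 110832) -> bool:
    """True when the entry point is in the last section and that section is
    at least as large as the inserted code size the description reports."""
    entry_rva, sections = parse_pe(data)
    idx = section_of(entry_rva, sections)
    if len(sections) < 2 or idx != len(sections) - 1:
        return False
    return sections[-1][3] >= appended_size

def build_pe(sections, entry_rva: int) -> bytes:
    """Constructed header-only PE image for testing; not a loadable binary."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(224, b"\0")
    table = b"".join(struct.pack(SECTION_FMT, n, vs, va, rs, 0, 0, 0, 0, 0, 0x60000020)
                     for n, vs, va, rs in sections)
    return dos + b"PE\0\0" + coff + opt + table

CLEAN = build_pe([(b".text", 0x1000, 0x1000, 0x1000), (b".data", 0x200, 0x2000, 0x200)], 0x1100)
INFECTED = build_pe([(b".text", 0x1000, 0x1000, 0x1000), (b".data", 0x200, 0x2000, 0x200),
                     (b".vir", 110832, 0x3000, 110832)], 0x3000)   # assumed section name
```

An entry point in the last section also matches legitimately packed executables, so treat a hit as a triage signal to be confirmed by a scanner rather than a verdict. Because the body is polymorphic, a byte signature on the appended section itself is not a reliable substitute for this kind of structural check.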

Information stealing

Win32/Expiro.T is a virus that steals passwords and other sensitive information.


The following information is collected:

  • digital certificates
  • login passwords for certain applications/services
  • login user names for certain applications/services
  • FTP account information
  • Outlook Express account data
  • operating system version
  • volume serial number
  • information about the operating system and system settings
  • a list of recently visited URLs

The virus collects information used to access certain sites.


The programs affected include the following:

  • FileZilla
  • Internet Explorer
  • Microsoft Outlook

The virus attempts to send gathered information to a remote machine.

Other information

The virus acquires data and commands from a remote computer or the Internet.


The virus contains a list of 32 URLs and also generates further URL addresses. Communication uses the HTTP protocol.


It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • execute shell commands
  • modify network traffic
  • monitor network traffic

The virus affects the behavior of the following applications:

  • Internet Explorer
