Win64/Expiro [Threat Name]

Win64/Expiro.B [Threat Variant Name]

Category virus
Size 512000 B
Detection created Jul 13, 2013
Detection database version 8560
Aliases Virus.Win64.Expiro.a (Kaspersky)
  W64/Expiro.virus (McAfee)
  Win32:Expiro-CF (Avast)
Short description

Win64/Expiro.B is a polymorphic file infector.

Installation

The virus does not create any copies of itself.


The virus creates the following files:

  • %appdata%\Mozilla\Firefox\Profiles\%profile%\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\chrome.manifest (522 B)
  • %appdata%\Mozilla\Firefox\Profiles\%profile%\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\install.rdf (874 B)
  • %appdata%\Mozilla\Firefox\Profiles\%profile%\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\chrome\content.jar (8701 B, JS/Agent.NJF)
  • %appdata%\Mozilla\Firefox\Profiles\%profile%\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\component\red.js (4344 B)
  • %localappdata%\Google\Chrome\User Data\Default\Extensions\dlddmedljhmbgdhapibnagaanenmajcm\1.0_0\manifest.json (321 B)
  • %localappdata%\Google\Chrome\User Data\Default\Extensions\dlddmedljhmbgdhapibnagaanenmajcm\1.0_0\content.js (1464 B)
  • %localappdata%\Google\Chrome\User Data\Default\Extensions\dlddmedljhmbgdhapibnagaanenmajcm\1.0_0\background.js (6927 B, JS/Agent.NJR)

The following Registry entries are set:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
    • "1406" = 0
    • "2103" = 0
    • "1609" = 0
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
    • "1406" = 0
    • "2103" = 0
    • "1609" = 0
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
    • "1406" = 0
    • "2103" = 0
    • "1609" = 0
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "1406" = 0
    • "2103" = 0
    • "1609" = 0
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
    • "1406" = 0
    • "2103" = 0
    • "1609" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\%variable%]
    • "EnableNotifications" = 0

A string with variable content is used instead of %variable%.

File infection

Win64/Expiro.B is a polymorphic file infector.


The virus searches local drives for executable files to infect.


The virus searches for executables with one of the following extensions:

  • .exe

Files are infected by adding a new section that contains the virus.

The size of the inserted code is 512000 B.


The host file is modified in a way that causes the virus to be executed prior to running the original code.

Information stealing

Win64/Expiro.B is a virus that steals passwords and other sensitive information.


The following information is collected:

  • digital certificates
  • login passwords for certain applications/services
  • login user names for certain applications/services
  • FTP account information
  • Outlook Express account data
  • operating system version
  • volume serial number
  • information about the operating system and system settings
  • a list of recently visited URLs

The virus collects information used to access certain sites.


The programs affected include the following:

  • FileZilla
  • Internet Explorer
  • Microsoft Outlook

The virus attempts to send gathered information to a remote machine.

Other information

The virus acquires data and commands from a remote computer or the Internet.


The virus contains a list of 61 URLs and also generates further URL addresses. The HTTP protocol is used.


It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • execute shell commands
  • modify network traffic
  • modify the content of websites
  • redirect network traffic
  • monitor network traffic
  • set up a proxy server
  • perform DoS/DDoS attacks

The virus affects the behavior of the following applications:

  • Internet Explorer

The virus may create the following files:

  • %commonappdata%\i28%variable%.dat
  • %commonappdata%\%variable%28.nls
  • %commonappdata%\f28%variable%.xsl
  • %commonappdata%\c_%variable%.cfg
  • %localappdata%\%variable%28.nls
  • %localappdata%\dfl28z32.dll
  • %localappdata%\kf28lz32.dll
  • %localappdata%\wsr28zt32.dll

A string with variable content is used instead of %variable%.


The following services are disabled:

  • MsMpSvc
  • NisSrv
  • WinDefend
  • wscsvc

The following programs are terminated:

  • MSASCui.exe
  • msseces.exe
  • Tcpview.exe
