Win32/Expiro [Threat Name]
Win32/Expiro.CG [Threat Variant Name]
Category: virus
Aliases: Virus.Win32.Expiro.nt (Kaspersky), Virus:Win32/Expiro.DS (Microsoft)
Short description
Win32/Expiro.CG is a polymorphic file infector.
Installation
The virus creates the following files:
- %userprofile%\Local Settings\Application Data\wsr%variable%zt32.dll
- %commonappdata%\%variable%36.nls
A string with variable content is used instead of %variable%.
The following Registry entries are set:
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
- "1406" = 0
- "2103" = 0
- "1609" = 0
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
- "1406" = 0
- "2103" = 0
- "1609" = 0
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
- "1406" = 0
- "2103" = 0
- "1609" = 0
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
- "1406" = 0
- "2103" = 0
- "1609" = 0
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
- "1406" = 0
- "2103" = 0
- "1609" = 0
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\%variable%]
- "EnableNotifications" = 0
A string with variable content is used instead of %variable%.
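The installation artifacts above can be checked on a suspect host without a signature scanner. The following is an added triage example, not ESET's detection logic or part of this description: it parses the output of "reg query <key> /s" for the Internet Settings zone values (1406, 1609, 2103; per Microsoft's documented zone-setting identifiers, a data value of 0 means "enabled") and the Security Center\Svc\...\EnableNotifications value, and matches file paths against the two dropped-file name patterns. The registry dump and paths below are constructed sample input, and the Vista-and-later directory equivalents (AppData\Local, ProgramData) are an assumption, since the description only gives the environment-variable form.

```python
import re

# Zone setting identifiers the virus sets to 0 (enabled) in zones 0-4.
# Names per Microsoft's documentation of Internet Explorer zone settings.
ZONE_SETTINGS = {
    "1406": "access data sources across domains",
    "1609": "display mixed content",
    "2103": "allow status bar updates via script",
}

# Dropped-file patterns from the description. %variable% is an arbitrary string, so
# only the fixed prefix/suffix is matched. Directory suffixes are lower-cased; the
# AppData\Local and ProgramData forms are assumed equivalents for Vista and later.
DROPPED_FILES = [
    (("local settings\\application data", "appdata\\local"),
     re.compile(r"^wsr.+zt32\.dll$", re.I)),
    (("all users\\application data", "programdata"),
     re.compile(r"^.+36\.nls$", re.I)),
]


def is_dropped_file_path(path):
    """True if a full path matches one of the dropped-file name/location patterns."""
    directory, _, name = path.replace("/", "\\").rpartition("\\")
    d = directory.lower()
    for suffixes, pattern in DROPPED_FILES:
        if pattern.match(name) and any(d.endswith(s) for s in suffixes):
            return True
    return False


def parse_reg_query(text):
    """Parse 'reg query <key> /s' output into {key: {value_name: (type, data)}}.

    Value lines are 'name<spaces>type<spaces>data'; fields are split on runs of two or
    more spaces, so value names containing double spaces are not handled.
    """
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
        elif current is not None:
            parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
            if len(parts) == 3:
                keys[current][parts[0]] = (parts[1], parts[2])
    return keys


def registry_indicators(keys):
    """Report zone settings forced to 0 and disabled Security Center notifications."""
    findings = []
    for key, values in keys.items():
        zone = re.search(r"\\Internet Settings\\Zones\\(\d)$", key, re.I)
        if zone:
            for name, label in ZONE_SETTINGS.items():
                if name in values and int(values[name][1], 16) == 0:
                    findings.append(f"zone {zone.group(1)}: {label} ({name}) enabled")
        if re.search(r"\\Security Center\\Svc\\[^\\]+$", key, re.I):
            value = values.get("EnableNotifications")
            if value and int(value[1], 16) == 0:
                findings.append(f"Security Center notifications disabled under {key}")
    return findings


# Constructed sample dump (not captured from a real host): zone 3 carries the three
# forced values, zone 4 does not, and one Svc subkey has notifications turned off.
SAMPLE_REG_QUERY = """\
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3
    1406    REG_DWORD    0x0
    2103    REG_DWORD    0x0
    1609    REG_DWORD    0x0
    1A10    REG_DWORD    0x1

HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4
    1406    REG_DWORD    0x3
    1609    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\Svc\\qzx
    EnableNotifications    REG_DWORD    0x0
"""

if __name__ == "__main__":
    for finding in registry_indicators(parse_reg_query(SAMPLE_REG_QUERY)):
        print(finding)
    print(is_dropped_file_path(
        r"C:\Documents and Settings\bob\Local Settings\Application Data\wsrabczt32.dll"))
```

Each of these zone values is an ordinary, user-configurable setting, so a single hit is not proof of infection; the pattern to look for is all three values forced to 0 across every zone together with the Svc subkey, and the absence of the services listed under "Other information" below should be checked alongside it.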
File infection
Win32/Expiro.CG is a polymorphic file infector.
The virus searches local drives for executable files to infect.
The virus searches for executables with one of the following extensions:
- .exe (PE32, PE64)
- .scr (PE32, PE64)
Executables are infected by appending the code of the virus to the last section.
The host file is modified in a way that causes the virus to be executed prior to running the original code.
The size of the inserted code is variable.
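Because the virus body is appended to the last section and the host is modified so that the appended code runs first, an infected file typically has its entry point inside the last section, and that section must be executable. The following is an added example, not ESET's detection logic: a minimal PE header parser (PE32 and PE32+) plus a heuristic that reports those two conditions. The two images it checks are constructed in memory by build_pe (a hypothetical helper written here, producing headers that are structurally valid but not loadable) and contain no real malware; the "suspect" one simply has 64 placeholder bytes tacked onto its .data section, the section marked executable, and the entry point redirected into the appended region.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (entry_point_rva, [section dicts]) for a PE32 or PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+; AddressOfEntryPoint is at +16 in both
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
    if not sections:
        raise ValueError("no sections")
    return entry, sections


def expiro_indicators(data):
    """Heuristic checks for a last-section append infection. Returns a list of findings."""
    entry, sections = parse_pe(data)
    last = sections[-1]
    findings = []
    ep_section = next((s for s in sections
                       if s["va"] <= entry < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if ep_section is None:
        findings.append("entry point outside all sections")
    elif ep_section is last and len(sections) > 1:  # single-section images are skipped
        findings.append("entry point in last section")
    if last["chars"] & IMAGE_SCN_MEM_EXECUTE and last["chars"] & IMAGE_SCN_MEM_WRITE:
        findings.append("last section is writable and executable")
    if last["rawptr"] + last["rawsize"] > len(data):
        findings.append("last section raw data extends past end of file")
    return findings


def _align(n, a):
    return (n + a - 1) // a * a


def build_pe(sections, entry_rva, file_align=0x200, sect_align=0x1000):
    """Build a minimal PE32 image from [(name, body, characteristics)] for testing only."""
    n = len(sections)
    opt_size = 224
    hdr_end = _align(64 + 4 + 20 + opt_size + 40 * n, file_align)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 32, sect_align)
    struct.pack_into("<I", opt, 36, file_align)
    hdrs, raw = bytearray(), bytearray()
    rva, rawptr = sect_align, hdr_end
    for name, body, chars in sections:
        rawsize = _align(len(body), file_align)
        hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(body), rva,
                            rawsize, rawptr, 0, 0, 0, 0, chars)
        raw += body.ljust(rawsize, b"\0")
        rva += _align(len(body), sect_align)
        rawptr += rawsize
    image = (dos + b"PE\0\0" + coff + opt + hdrs).ljust(hdr_end, b"\0")
    return bytes(image + raw)


# Constructed samples (no real code or malware): a clean layout, and one shaped like the
# infection described above, with placeholder bytes appended to the last section.
CODE = b"\xc3" * 16
DATA = b"\x00" * 32
APPENDED = b"\x90" * 64
CLEAN = build_pe([(b".text", CODE, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
                  (b".data", DATA, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
                   | IMAGE_SCN_MEM_WRITE)], entry_rva=0x1000)
SUSPECT = build_pe([(b".text", CODE, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
                    (b".data", DATA + APPENDED, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
                     | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE)],
                   entry_rva=0x2000 + len(DATA))

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, expiro_indicators(sample) or ["no indicators"])
```

This is a triage hint rather than a verdict: self-extracting packers and some protectors also place the entry point in the last section, and the polymorphic body has no fixed bytes to match, so a hit should be confirmed by comparing the file against a known-good copy or scanning with an engine that carries the detection.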
Information stealing
Win32/Expiro.CG is a virus that steals passwords and other sensitive information.
The following information is collected:
- digital certificates
- login passwords for certain applications/services
- login user names for certain applications/services
- Outlook Express account data
- FTP account information
- volume serial number
- information about the operating system and system settings
- a list of recently visited URLs
The virus may affect the behavior of the following applications:
- Mozilla Firefox
- Google Chrome
The virus collects information used to access certain sites.
The virus attempts to send gathered information to a remote machine.
Other information
The virus acquires data and commands from a remote computer or the Internet.
The virus contains a list of 60 URLs and also generates further URL addresses. The HTTP protocol is used.
It may perform the following actions:
- download files from a remote computer and/or the Internet
- run executable files
- execute shell commands
- modify network traffic
- modify the content of websites
- redirect network traffic
- monitor network traffic
- set up a proxy server
- perform DoS/DDoS attacks
The following services are disabled:
- wscsvc (Security Center)
- WinDefend (Windows Defender)
- MsMpSvc (Microsoft Antimalware Service, used by Microsoft Security Essentials)
- NisSrv (Microsoft Network Inspection)
- gupdate (Google Update)
- gupdatem (Google Update)
- wuauserv (Windows Update)
The following programs are terminated:
- MSASCui.exe
- msseces.exe
- mseinstall.exe
- Tcpview.exe
- cav_installer.exe
- cfw_installer.exe
- cispremium_installer.exe
- PandaCloudAntivirus.exe
- 60Second.exe
- Antivirus_Free_Edition.exe
- OnlineArmorSetup.exe
- McAfeeSetup.exe
- Vba32.NT.T.exe
- Vba32.P.exe
- Vba32.S.exe
- Vba32.Vista.exe
- Vba32.W.exe
- Vba32Check.exe
- Vba32RCSInstal
- Tuner.exe
- avgmfapx.exe
- avg_remover_expiro.exe