Win32/Expiro [Threat Name] go to Threat

Win32/Expiro.NAU [Threat Variant Name]

Category	virus
Size	200704 B
Aliases	Virus:Win32/Expiro.BJ (Microsoft)
	W32/Expiro.gen.o.virus (McAfee)
	Win32/Expiro (AVG)

Win32/Expiro.NAU is a polymorphic file infector.

The virus does not create any copies of itself.

The virus creates the following files:

%appdata%\Mozilla\Firefox\Profiles\%profile%\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\chrome.manifest (522 B)
%appdata%\Mozilla\Firefox\Profiles\%profile%\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\chrome\content.jar (8701 B, JS/Agent.NJF trojan)
%appdata%\Mozilla\Firefox\Profiles\%profile%\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\component\red.js (4410 B, JS/Redirector.NBI trojan)
%appdata%\Mozilla\Firefox\Profiles\%profile%\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\install.rdf (874 B)
%localappdata%\Google\Chrome\User Data\Default\Extensions\dlddmedljhmbgdhapibnagaanenmajcm\1.0_0\manifest.json (321 B)
%localappdata%\Google\Chrome\User Data\Default\Extensions\dlddmedljhmbgdhapibnagaanenmajcm\1.0_0\content.js (1464 B)
%localappdata%\Google\Chrome\User Data\Default\Extensions\dlddmedljhmbgdhapibnagaanenmajcm\1.0_0\background.js (6993 B)

The following Registry entries are set:

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
- "1406" = 0
- "2103" = 0
- "1609" = 0
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
- "1406" = 0
- "2103" = 0
- "1609" = 0
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
- "1406" = 0
- "2103" = 0
- "1609" = 0
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
- "1406" = 0
- "2103" = 0
- "1609" = 0
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
- "1406" = 0
- "2103" = 0
- "1609" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\%variable%]
- "EnableNotifications" = 0

A string with variable content is used instead of %variable% .

Win32/Expiro.NAU is a polymorphic file infector.

The virus searches local drives for executable files to infect.

The virus searches for executables with one of the following extensions:

Files are infected by adding a new section that contains the virus .

The size of the inserted code is 200704 B .

The host file is modified in a way that causes the virus to be executed prior to running the original code.

Win32/Expiro.NAU is a virus that steals passwords and other sensitive information.

The following information is collected:

The virus collects information used to access certain sites.

The programs affected include the following:

The virus attempts to send gathered information to a remote machine.

The virus acquires data and commands from a remote computer or the Internet.

The virus contains a list of (61) URLs. The virus generates various URL addresses. The HTTP protocol is used.

It may perform the following actions:

The virus affects the behavior of the following applications:

The virus may create the following files:

A string with variable content is used instead of %variable% .

The following services are disabled:

The following programs are terminated: