Win32/Expiro [Threat Name]
Win32/Expiro.T [Threat Variant Name]
Category | virus
Size | 110832 B
Aliases | Virus.Win32.Expiro.w (Kaspersky), W32/Expiro.gen.h.virus (McAfee), Virus:Win32/Expiro.R (Microsoft)
Short description
Win32/Expiro.T is a polymorphic file infector.
Installation
The virus does not create any copies of itself.
The virus creates the following files:
- %appdata%\Mozilla\Firefox\Profiles\%profile%\extensions\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\chrome\content.jar (8234 B)
- %appdata%\Mozilla\Firefox\Profiles\%profile%\extensions\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\chrome.manifest (307 B)
- %appdata%\Mozilla\Firefox\Profiles\%profile%\extensions\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\components\red.js (JS/Redirector.NBI, 4152 B)
- %appdata%\Mozilla\Firefox\Profiles\%profile%\extensions\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\install.rdf (881 B)
The following Registry entries are set:
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
- "1406" = 0
- "1609" = 0
- "2103" = 0
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
- "1406" = 0
- "1609" = 0
- "2103" = 0
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
- "1406" = 0
- "1609" = 0
- "2103" = 0
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
- "1406" = 0
- "1609" = 0
- "2103" = 0
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
- "1406" = 0
- "1609" = 0
- "2103" = 0
The virus can delete cookies.
File infection
Win32/Expiro.T is a polymorphic file infector.
The virus searches fixed drives for executable files to infect.
It also infects files stored on removable and network drives.
The virus searches for executables with one of the following extensions:
- .exe
Files are infected by adding a new section that contains the virus body.
The size of the inserted code is 110832 B.
The host file is modified in a way that causes the virus to be executed prior to running the original code.
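The infection pattern described above (an appended section of 110832 B that receives the entry point) can be turned into a triage heuristic. The following is an added example, not ESET's detection logic: it parses the PE section table from raw bytes and flags files whose entry point lies in the last section and whose last section has exactly the reported raw size; the `build_pe` helper constructs a header-only PE image for offline testing and the section name `.vir` is a constructed placeholder, since the page does not name the section.

```python
import struct

# Raw size of the appended virus section reported for Win32/Expiro.T (from the page).
EXPIRO_T_SIZE = 110832


def parse_sections(data: bytes):
    """Return (AddressOfEntryPoint, [(name, virtual_addr, virtual_size, raw_size)])."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsect = struct.unpack_from("<H", data, pe_off + 6)[0]      # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # COFF SizeOfOptionalHeader
    entry = struct.unpack_from("<I", data, pe_off + 24 + 16)[0]  # AddressOfEntryPoint (PE32 and PE32+)
    table = pe_off + 24 + opt_size                             # section table follows the optional header
    sections = []
    for i in range(nsect):
        off = table + 40 * i                                   # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize = struct.unpack_from("<III", data, off + 8)
        sections.append((name, va, vsize, rawsize))
    return entry, sections


def looks_expiro_infected(data: bytes) -> bool:
    """Heuristic: entry point redirected into the last section, which has the reported size."""
    entry, sections = parse_sections(data)
    if not sections:
        return False
    _, va, vsize, rawsize = sections[-1]
    entry_in_last = va <= entry < va + max(vsize, rawsize)
    return entry_in_last and rawsize == EXPIRO_T_SIZE


def build_pe(sections, entry):
    """Constructed header-only PE32 image for testing; sections = [(name, va, vsize, rawsize)]."""
    opt = bytearray(0xE0)                                      # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                      # Magic = PE32
    struct.pack_into("<I", opt, 16, entry)                     # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, 0, 0, 0, 0, 0, 0)
                     for n, va, vs, rs in sections)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew -> 0x40
    return dos + b"PE\0\0" + coff + bytes(opt) + table
```

Run `looks_expiro_infected(open(path, "rb").read())` over a directory of executables to shortlist candidates; it is a triage filter, not a replacement for a scanner, since a legitimate file could in principle match by coincidence.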
Information stealing
Win32/Expiro.T is a virus that steals passwords and other sensitive information.
The following information is collected:
- digital certificates
- login passwords for certain applications/services
- login user names for certain applications/services
- FTP account information
- Outlook Express account data
- operating system version
- volume serial number
- information about the operating system and system settings
- a list of recently visited URLs
The virus collects information used to access certain sites.
The programs affected include the following:
- FileZilla
- Internet Explorer
- Microsoft Outlook
The virus attempts to send gathered information to a remote machine.
Other information
The virus acquires data and commands from a remote computer or the Internet.
The virus contains a list of 32 URLs. It also generates further URL addresses. The HTTP protocol is used.
It may perform the following actions:
- download files from a remote computer and/or the Internet
- run executable files
- execute shell commands
- modify network traffic
- monitor network traffic
The virus affects the behavior of the following applications:
- Internet Explorer