W32/Expiro.gen.p

This page shows the details and results of our analysis of the malware W32/Expiro.gen.p.

Overview

This is a virus detection. Viruses are programs that self-replicate recursively: infected systems spread the virus to other systems, which then propagate it further. While many viruses carry a destructive payload, it is quite common for a virus to do nothing more than spread from one system to another.

Aliases

  • Virus.Win32.Expiro
  • Win32/Expiro.AK
  • W32/Expiro.AC
  • Virus:Win32/Expiro.BA
  • Virus.Win32.Expiro.ai
  • PE_EXPIRO.ZZ
  • W32.Xpiro.D


Minimum Engine

5600.1067

File Length

varies

Description Added

2012-10-25

Description Modified

2014-02-12

Malware Proliferation

Characteristics

----------------------Updated on Feb 12th 2014--------------------------


Aliases

  • Ikarus - Virus.Win32.Sality
  • Avira - W32/Infector.Gen8 Windows
  • Microsoft - Virus:Win32/Expiro.CD
  • NOD32 - Win32/Expiro.AY

Characteristics –

“W32/Expiro.gen.p” is a file-infecting virus that infects the .exe files found on all mapped system drives and on removable drives.
“W32/Expiro.gen.p” infects an .exe file by injecting malicious code into it, and it creates a copy of the infected file as filename.vir. It may also collect system information and send it to a remote attacker.
“W32/Expiro.gen.p” searches for and infects all PE executables on the system except those with any of the following characteristics:

  • A data overlay (bytes appended after the last section)
  • Not enough space in the header for an additional section entry
  • Already infected
  • DLL and driver files

The infection increases the size of the last section by around 0x28000 bytes.


Upon execution, it creates the following files:

%App Data%\acbdfbig28.nls
%WINDIR%\system32\drivers\ickar.sys
%WINDIR%\system32\clipsrv.exe
%WINDIR%\system32\dmadmin.exe
%WINDIR%\system32\imapi.exe
%WINDIR%\system32\locator.exe
%WINDIR%\system32\mnmsrvc.exe
%WINDIR%\system32\msiexec.exe
%WINDIR%\system32\netdde.exe
%WINDIR%\system32\scardsvr.exe
%WINDIR%\system32\sessmgr.exe
%WINDIR%\system32\smlogsvc.exe
%WINDIR%\system32\tlntsvr.exe
%WINDIR%\system32\vssvc.exe
%WINDIR%\system32\wbem\wmiapsrv.exe
%WINDIR%\system32\wbem\wmiapsrv.vir
%WINDIR%\system32\cisvc.exe
%WINDIR%\system32\cisvc.vir

The files above are written by the virus; for each infected file it also creates a copy with the extension .vir (for example wmiapsrv.vir next to wmiapsrv.exe).

Upon execution, it also creates the following files:

  • %SystemROOT%\$Directory
  • %SystemROOT%\$ConvertToNonresident


Upon execution, it modifies (infects) the following files:

  • %WINDIR%\system32\cisvc.exe
  • %WINDIR%\system32\clipsrv.exe
  • %WINDIR%\system32\dmadmin.exe
  • %WINDIR%\system32\imapi.exe
  • %WINDIR%\system32\locator.exe
  • %WINDIR%\system32\mnmsrvc.exe
  • %WINDIR%\system32\msiexec.exe
  • %WINDIR%\system32\netdde.exe
  • %WINDIR%\system32\scardsvr.exe
  • %WINDIR%\system32\sessmgr.exe
  • %WINDIR%\system32\smlogsvc.exe
  • %WINDIR%\system32\tlntsvr.exe
  • %WINDIR%\system32\vssvc.exe
  • %WINDIR%\system32\wbem\wmiapsrv.exe
  • %WINDIR%\system32\locjfnk.exe
  • %programfiles%\HexEdit\HexEdit.exe
  • %programfiles%\Movie Maker\moviemk.exe
  • %programfiles%\Mozilla Firefox\firefox.exe
  • %programfiles%\Mozilla Maintenance Service\maintenanceservice.exe
  • %programfiles%\MSN\MSNCoreFiles\Install\msnsusii.exe
  • %programfiles%\Outlook Express\msimn.exe
  • %programfiles%\Outlook Express\wab.exe
  • %Root%\pagefile.sys
  • %programfiles%\Adobe\Reader 9.0\Reader\AcroBroker.exe
  • %programfiles%\Adobe\Reader 9.0\Reader\AcroRd32.exe


The following registry keys are added to the system

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.hta\PersistentHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\PersistentHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\PersistentHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\PersistentHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\PersistentHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\PersistentHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\PersistentHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\PersistentHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\PersistentHandler
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DMADMIN\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CISVC
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CISVC\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CISVC\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLIPSRV
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLIPSRV\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLIPSRV\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CiSvc\Enum
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Enum
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ickar
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Sysinternals\PsGetSid
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Sysinternals\PsInfo
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Sysinternals\PsKill
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Sysinternals\PsList
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Sysinternals\PsLoggedon


The following registry values are added to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.hta\PersistentHandler\: "{GUID}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\PersistentHandler\: "{GUID}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\PersistentHandler\: "{GUID}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{48123bc4-99d9-11d1-a6b3-00c04fd91555}\PersistentHandler\: "{GUID}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73A4C9C1-D68D-11D0-98BF-00A0C90DC8D9}\PersistentHandler\: "{GUID}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{75D01070-1234-44E9-82F6-DB5B39A47C13}\PersistentHandler\: "{GUID}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\PersistentHandler\: "{GUID}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}\PersistentHandler\: "{GUID}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FBF23B40-E3F0-101B-8488-00AA003E56F8}\PersistentHandler\: "{GUID}"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DMADMIN\0000\Control\ActiveService: "dmadmin"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CISVC\0000\Control\*NewlyCreated*: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CISVC\0000\Control\ActiveService: "CiSvc"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CISVC\0000\Service: "CiSvc"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CISVC\0000\Legacy: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CISVC\0000\ConfigFlags: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CISVC\0000\Class: "LegacyDriver"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CISVC\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CISVC\0000\DeviceDesc: "Indexing Service"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CISVC\NextInstance: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CLIPSRV\0000\Control\*NewlyCreated*: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CLIPSRV\0000\Service: "ClipSrv"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CLIPSRV\0000\Legacy: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CLIPSRV\0000\ConfigFlags: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CLIPSRV\0000\Class: "LegacyDriver"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CLIPSRV\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CLIPSRV\0000\DeviceDesc: "ClipBook"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CLIPSRV\NextInstance: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CiSvc\Enum\0: "Root\LEGACY_CISVC\0000"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CiSvc\Enum\Count: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CiSvc\Enum\NextInstance: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ClipSrv\Enum\0: "Root\LEGACY_CLIPSRV\0000"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ClipSrv\Enum\Count: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ClipSrv\Enum\NextInstance: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ickar\ImagePath: "system32\drivers\ickar.sys"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ickar\DisplayName: "Microsoft ickar support"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ickar\ErrorControl: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ickar\Start: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ickar\Type: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DMADMIN\0000\Control\ActiveService: "dmadmin"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CISVC\0000\Control\*NewlyCreated*: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CISVC\0000\Control\ActiveService: "CiSvc"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CISVC\0000\Service: "CiSvc"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CISVC\0000\Legacy: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CISVC\0000\ConfigFlags: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CISVC\0000\Class: "LegacyDriver"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CISVC\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CISVC\0000\DeviceDesc: "Indexing Service"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CISVC\NextInstance: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLIPSRV\0000\Control\*NewlyCreated*: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLIPSRV\0000\Service: "ClipSrv"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLIPSRV\0000\Legacy: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLIPSRV\0000\ConfigFlags: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLIPSRV\0000\Class: "LegacyDriver"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLIPSRV\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLIPSRV\0000\DeviceDesc: "ClipBook"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLIPSRV\NextInstance: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CiSvc\Enum\0: "Root\LEGACY_CISVC\0000"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CiSvc\Enum\Count: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CiSvc\Enum\NextInstance: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Enum\0: "Root\LEGACY_CLIPSRV\0000"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Enum\Count: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Enum\NextInstance: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ickar\ImagePath: "system32\drivers\ickar.sys"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ickar\DisplayName: "Microsoft ickar support"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ickar\ErrorControl: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ickar\Start: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ickar\Type: 0x00000001


The following registry values are modified. Each value is listed twice: the original data first, then the data after infection.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.doc\PersistentHandler\: "{GUID}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.doc\PersistentHandler\: "{GUID}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dot\PersistentHandler\: "{GUID}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dot\PersistentHandler\: "{GUID}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73FDDC80-AEA9-101A-98A7-00AA00374959}\PersistentHandler\: "{GUID}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73FDDC80-AEA9-101A-98A7-00AA00374959}\PersistentHandler\: "{GUID}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft Internet Mail Message\: "Outlook Express Mail Message"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft Internet Mail Message\: "Internet E-Mail Message"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft Internet News Message\: "Outlook Express News Message"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft Internet News Message\: "Internet News Message"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent\: 0x0000000E
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent\: 0x00000011
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CiSvc\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CiSvc\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ClipSrv\Start: 0x00000004
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ClipSrv\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ClipSrv\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ClipSrv\Type: 0x00000110
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ImapiService\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ImapiService\Type: 0x00000110
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ImapiService\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ImapiService\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mnmsrvc\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mnmsrvc\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MozillaMaintenance\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MozillaMaintenance\Type: 0x00000110
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MozillaMaintenance\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MozillaMaintenance\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSIServer\Type: 0x00000020
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSIServer\Type: 0x00000120
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSIServer\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSIServer\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NetDDE\Start: 0x00000004
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NetDDE\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NetDDE\Type: 0x00000020
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NetDDE\Type: 0x00000120
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\odserv\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\odserv\Type: 0x00000110
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\odserv\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\odserv\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ose\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ose\Type: 0x00000110
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ose\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ose\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PartMgr\Enum\Count: 0x00000004
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PartMgr\Enum\Count: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PartMgr\Enum\NextInstance: 0x00000004
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PartMgr\Enum\NextInstance: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RDSessMgr\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RDSessMgr\Type: 0x00000110
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RDSessMgr\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RDSessMgr\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rpcapd\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rpcapd\Type: 0x00000110
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rpcapd\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rpcapd\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Epoch\Epoch: 0x000000FE
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Epoch\Epoch: 0x00000116
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{GUID}\LeaseObtainedTime: 0x5214FE36
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{GUID}\LeaseObtainedTime: 0x52151A56
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{GUID}\T1: 0x521501BA
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{GUID}\T1: 0x52151DDA
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{GUID}\T2: 0x5215045D
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{GUID}\T2: 0x5215207D
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{GUID}\LeaseTerminatesTime: 0x5215053E
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{GUID}\LeaseTerminatesTime: 0x5215215E
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TlntSvr\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TlntSvr\Type: 0x00000110
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TlntSvr\Start: 0x00000004
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Type: 0x00000110
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WmiApSrv\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WmiApSrv\Type: 0x00000110
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WmiApSrv\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WmiApSrv\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start: 0x00000004
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{GUID}\Parameters\Tcpip\LeaseObtainedTime: 0x5214FE36
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{GUID}\Parameters\Tcpip\LeaseObtainedTime: 0x52151A56
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{GUID}\Parameters\Tcpip\T1: 0x521501BA
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{GUID}\Parameters\Tcpip\T1: 0x52151DDA
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{GUID}\Parameters\Tcpip\T2: 0x5215045D
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{GUID}\Parameters\Tcpip\T2: 0x5215207D
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{GUID}\Parameters\Tcpip\LeaseTerminatesTime: 0x5215053E
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{GUID}\Parameters\Tcpip\LeaseTerminatesTime: 0x5215215E
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent\: 0x0000000E
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent\: 0x00000011
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CiSvc\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CiSvc\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Start: 0x00000004
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Type: 0x00000110
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmadmin\Type: 0x00000020
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmadmin\Type: 0x00000120
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmadmin\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmadmin\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ImapiService\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ImapiService\Type: 0x00000110
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ImapiService\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ImapiService\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmsrvc\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmsrvc\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MozillaMaintenance\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MozillaMaintenance\Type: 0x00000110
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MozillaMaintenance\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MozillaMaintenance\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer\Type: 0x00000020
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer\Type: 0x00000120
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDE\Start: 0x00000004
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDE\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDE\Type: 0x00000020
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDE\Type: 0x00000120
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\odserv\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\odserv\Type: 0x00000110
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\odserv\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\odserv\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ose\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ose\Type: 0x00000110
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ose\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ose\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PartMgr\Enum\Count: 0x00000004
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PartMgr\Enum\Count: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PartMgr\Enum\NextInstance: 0x00000004
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PartMgr\Enum\NextInstance: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr\Type: 0x00000110
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcapd\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcapd\Type: 0x00000110
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcapd\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcapd\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch: 0x000000FE
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch: 0x00000116
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}\LeaseObtainedTime: 0x5214FE36
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}\LeaseObtainedTime: 0x52151A56
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}\T1: 0x521501BA
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}\T1: 0x52151DDA
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}\T2: 0x5215045D
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}\T2: 0x5215207D
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}\LeaseTerminatesTime: 0x5215053E
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}\LeaseTerminatesTime: 0x5215215E
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Type: 0x00000110
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Start: 0x00000004
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum\Count: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum\Count: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum\NextInstance: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum\NextInstance: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Type: 0x00000110
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiApSrv\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiApSrv\Type: 0x00000110
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiApSrv\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiApSrv\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start: 0x00000004
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{GUID}\Parameters\Tcpip\LeaseObtainedTime: 0x5214FE36
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{GUID}\Parameters\Tcpip\LeaseObtainedTime: 0x52151A56
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{GUID}\Parameters\Tcpip\T1: 0x521501BA
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{GUID}\Parameters\Tcpip\T1: 0x52151DDA
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{GUID}\Parameters\Tcpip\T2: 0x5215045D
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{GUID}\Parameters\Tcpip\T2: 0x5215207D
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{GUID}\Parameters\Tcpip\LeaseTerminatesTime: 0x5215053E
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{GUID}\Parameters\Tcpip\LeaseTerminatesTime: 0x5215215E
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent\: 0x00000015
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent\: 0x0000001A
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CiSvc\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CiSvc\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Start: 0x00000004
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Type: 0x00000110
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmadmin\Type: 0x00000020
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmadmin\Type: 0x00000120
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmadmin\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmadmin\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\idsvc\Type: 0x00000020
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\idsvc\Type: 0x00000120
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\idsvc\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\idsvc\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ImapiService\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ImapiService\Type: 0x00000110
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ImapiService\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ImapiService\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmsrvc\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmsrvc\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MozillaMaintenance\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MozillaMaintenance\Type: 0x00000110
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MozillaMaintenance\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MozillaMaintenance\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr\Type: 0x00000110
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcapd\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcapd\Type: 0x00000110
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcapd\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcapd\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Type: 0x00000110
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Start: 0x00000004
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Type: 0x00000110
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiApSrv\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiApSrv\Type: 0x00000110
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiApSrv\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiApSrv\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start: 0x00000004


The registry changes above are the virus's persistence mechanism. Each pair of lines shows a value before and after infection: the services whose binaries were infected (CiSvc, ClipSrv, dmadmin, idsvc, ImapiService, mnmsrvc, MozillaMaintenance, MSIServer, NetDDE, odserv, ose, RDSessMgr, rpcapd, TlntSvr, VSS, WmiApSrv) have their Start value changed from 3 (manual) or 4 (disabled) to 2 (automatic), so the infected executables run at every boot, and most also have the 0x100 bit (SERVICE_INTERACTIVE_PROCESS) added to their Type value. The Security Center service (wscsvc) is changed from 2 to 4, which disables it, and a new kernel driver service named ickar (ImagePath system32\drivers\ickar.sys, Start 1 = system start, displayed as "Microsoft ickar support") is registered.


---------------------------Updated on Feb 8th 2014--------------------

Aliases

  • Ikarus - Virus.Win32.Sality
  • Avira - W32/Infector.Gen8 Windows
  • Microsoft - Virus:Win32/Expiro.CD
  • NOD32 - Win32/Expiro.AY


Characteristics –

“W32/Expiro.gen.p” is a file-infecting virus that infects the .exe files found on all mapped system drives and on removable drives.
“W32/Expiro.gen.p” infects an .exe file by injecting malicious code into it, and it creates a copy of the infected file as filename.vir. It may also collect system information and send it to a remote attacker.
“W32/Expiro.gen.p” searches for and infects all PE executables on the system except those with any of the following characteristics:

  • A data overlay (bytes appended after the last section)
  • Not enough space in the header for an additional section entry
  • Already infected
  • DLL and driver files

The infection increases the size of the last section by around 0x28000 bytes.

Upon execution, it attempts to connect to the following IP addresses:

  • 64.[Removed].33
  • 208.[Removed].29
  • 64.[Removed].198
  • 195.[Removed].231
  • 95.[Removed].198
  • 213.[Removed].165
  • 74.[Removed].116


Upon execution, it creates the following files:

%App Data%\acbdfbig28.nls
%WINDIR%\system32\drivers\ickar.sys
%WINDIR%\system32\clipsrv.exe
%WINDIR%\system32\dmadmin.exe
%WINDIR%\system32\imapi.exe
%WINDIR%\system32\locator.exe
%WINDIR%\system32\mnmsrvc.exe
%WINDIR%\system32\msiexec.exe
%WINDIR%\system32\netdde.exe
%WINDIR%\system32\scardsvr.exe
%WINDIR%\system32\sessmgr.exe
%WINDIR%\system32\smlogsvc.exe
%WINDIR%\system32\tlntsvr.exe
%WINDIR%\system32\vssvc.exe
%WINDIR%\system32\wbem\wmiapsrv.exe
%WINDIR%\system32\wbem\wmiapsrv.vir
%WINDIR%\system32\cisvc.exe
%WINDIR%\system32\cisvc.vir

The files above are written by the virus; for each infected file it also creates a copy with the extension .vir (for example wmiapsrv.vir next to wmiapsrv.exe).

Upon execution, it also creates the following files:

  • %SystemROOT%\$Directory
  • %SystemROOT%\$ConvertToNonresident


Upon execution, it modifies (infects) the following files:

  • %WINDIR%\system32\cisvc.exe
  • %WINDIR%\system32\clipsrv.exe
  • %WINDIR%\system32\dmadmin.exe
  • %WINDIR%\system32\imapi.exe
  • %WINDIR%\system32\locator.exe
  • %WINDIR%\system32\mnmsrvc.exe
  • %WINDIR%\system32\msiexec.exe
  • %WINDIR%\system32\netdde.exe
  • %WINDIR%\system32\scardsvr.exe
  • %WINDIR%\system32\sessmgr.exe
  • %WINDIR%\system32\smlogsvc.exe
  • %WINDIR%\system32\tlntsvr.exe
  • %WINDIR%\system32\vssvc.exe
  • %WINDIR%\system32\wbem\wmiapsrv.exe
  • %WINDIR%\system32\locjfnk.exe
  • %programfiles%\HexEdit\HexEdit.exe
  • %programfiles%\Movie Maker\moviemk.exe
  • %programfiles%\Mozilla Firefox\firefox.exe
  • %programfiles%\Mozilla Maintenance Service\maintenanceservice.exe
  • %programfiles%\MSN\MSNCoreFiles\Install\msnsusii.exe
  • %programfiles%\Outlook Express\msimn.exe
  • %programfiles%\Outlook Express\wab.exe
  • %Root%\pagefile.sys
  • %programfiles%\Adobe\Reader 9.0\Reader\AcroBroker.exe
  • %programfiles%\Adobe\Reader 9.0\Reader\AcroRd32.exe


The following registry keys are added to the system

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.hta\PersistentHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\PersistentHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\PersistentHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\PersistentHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\PersistentHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\PersistentHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\PersistentHandler

Symptoms

  • Presence of the files and registry changes listed above.
  • File size increased by more than 176 KB.
  • Changed file timestamp.
  • The last section of the PE file is named vmp0.
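The infection criteria and symptoms above translate directly into a triage check. The Python script below is an added example, not code from the original page or from any vendor tool: it parses the PE headers with the standard library and reports, for a given file, whether it carries an overlay, whether the header has room for one more section header, whether it is a DLL or a native-subsystem driver, and whether its last section is already named vmp0 and carries roughly 0x28000 bytes of raw data. The vmp0 name and the 0x28000 figure come from this page; the 40-byte "room" rule, the build_pe helper and the synthetic PE32 images it constructs for testing are this example's own assumptions.

```python
"""Triage a PE file against the W32/Expiro.gen.p infection criteria and symptoms above."""
import struct

IMAGE_FILE_DLL = 0x2000
IMAGE_SUBSYSTEM_NATIVE = 1            # subsystem used by kernel drivers
SECTION_HEADER_SIZE = 40
EXPIRO_SECTION_NAME = b"vmp0"         # last-section name listed under Symptoms
EXPIRO_GROWTH = 0x28000               # approximate last-section growth stated on the page


def parse_pe(data: bytes) -> dict:
    """Read the COFF header, the optional-header fields we need, and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    hdr = struct.unpack_from("<HHIIIHH", data, coff)   # Machine, NumberOfSections, ..., Characteristics
    nsections, opt_size, characteristics = hdr[1], hdr[5], hdr[6]
    opt = coff + 20
    # SizeOfHeaders (+0x3C) and Subsystem (+0x44) sit at the same offsets in PE32 and PE32+.
    size_of_headers = struct.unpack_from("<I", data, opt + 0x3C)[0]
    subsystem = struct.unpack_from("<H", data, opt + 0x44)[0]
    table = opt + opt_size
    sections = []
    for i in range(nsections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, table + i * SECTION_HEADER_SIZE)
        sections.append({"name": name.rstrip(b"\0"), "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {"characteristics": characteristics, "subsystem": subsystem,
            "size_of_headers": size_of_headers, "sections": sections,
            "section_table_end": table + nsections * SECTION_HEADER_SIZE, "file_size": len(data)}


def has_overlay(pe: dict) -> bool:
    """True when bytes follow the last section's raw data (Authenticode blobs, installer payloads)."""
    end = max((s["raw_ptr"] + s["raw_size"] for s in pe["sections"]), default=0)
    return pe["file_size"] > end


def header_has_room_for_section(pe: dict) -> bool:
    """True when one more 40-byte section header fits before SizeOfHeaders (assumed rule)."""
    return pe["size_of_headers"] - pe["section_table_end"] >= SECTION_HEADER_SIZE


def is_dll_or_driver(pe: dict) -> bool:
    return bool(pe["characteristics"] & IMAGE_FILE_DLL) or pe["subsystem"] == IMAGE_SUBSYSTEM_NATIVE


def looks_infected(pe: dict) -> bool:
    """Symptom match: last section named vmp0 carrying roughly 0x28000 bytes or more."""
    if not pe["sections"]:
        return False
    last = pe["sections"][-1]
    return last["name"] == EXPIRO_SECTION_NAME and last["raw_size"] >= EXPIRO_GROWTH


def triage(data: bytes) -> dict:
    """Individual checks plus the verdict: would the virus skip this file or infect it?"""
    pe = parse_pe(data)
    flags = {"overlay": has_overlay(pe), "header_room": header_has_room_for_section(pe),
             "dll_or_driver": is_dll_or_driver(pe), "already_infected": looks_infected(pe)}
    flags["would_be_infected"] = (not flags["overlay"] and flags["header_room"]
                                  and not flags["dll_or_driver"] and not flags["already_infected"])
    return flags


def build_pe(section_specs, *, dll=False, subsystem=2, overlay=b"",
             header_room=SECTION_HEADER_SIZE) -> bytes:
    """Constructed test data: a minimal PE32 image with the given (name, raw_size) sections."""
    opt_size, e_lfanew = 0xE0, 0x40
    table = e_lfanew + 4 + 20 + opt_size
    size_of_headers = table + len(section_specs) * SECTION_HEADER_SIZE + header_room
    characteristics = 0x0102 | (IMAGE_FILE_DLL if dll else 0)   # EXECUTABLE_IMAGE | 32BIT_MACHINE
    headers = bytearray(b"MZ".ljust(e_lfanew, b"\0"))
    struct.pack_into("<I", headers, 0x3C, e_lfanew)
    headers += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0,
                                        opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 0x3C, size_of_headers)
    struct.pack_into("<H", opt, 0x44, subsystem)
    headers += opt
    body, raw_ptr, vaddr = bytearray(), size_of_headers, 0x1000
    for name, raw_size in section_specs:
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), raw_size, vaddr,
                               raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += b"\x90" * raw_size
        raw_ptr, vaddr = raw_ptr + raw_size, vaddr + max(raw_size, 0x1000)
    headers += b"\0" * (size_of_headers - len(headers))
    return bytes(headers) + bytes(body) + overlay
```

On a copied sample, call triage(open(path, "rb").read()); a file whose last section is vmp0 with about 0x28000 bytes of raw data, with a companion file of the same name and a .vir extension next to it, matches the symptoms listed above. The size-increase and timestamp symptoms need a known-good copy to compare against, which this check does not attempt.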

Method of Infection

Viruses are self-replicating. They are often spread by a network or by transmission to a removable medium such as a removable disk, writable CD, or USB drive. Viruses may also spread by infecting files on a network file system or a file system that is shared by another computer.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Variants