W32/Expiro!704A1AE5C9E5

This page shows details and results of our analysis of the malware W32/Expiro!704A1AE5C9E5

Overview

Viruses are self-replicating. They are often spread by a network or by transmission to a removable medium such as a removable disk, writable CD, or USB drive. Viruses may also spread by infecting files on a network file system or a file system that is shared by another computer.


Minimum DAT

7332 (2014-01-28)

Updated DAT

7332 (2014-01-28)

Minimum Engine

5600.1067

File Length

711168

Description Added

2014-01-29

Description Modified

2014-01-29

Malware Proliferation

Characteristics

This is a Virus (a file infector). Besides replicating, the sample recorded here weakens the host's security UI: it turns off Windows SmartScreen (EnableSmartScreen = 0), hides the Security Center health icon (HideSCAHealth = 1) and disables Security Center notifications (EnableNotifications = 0). The exact values are listed under System Changes.

File Properties

Property            Value
McAfee Detection    W32/Expiro
Length              711168 bytes
MD5                 704a1ae5c9e50115ad17adb9994b6bd2
SHA1                2d3a037bf1ea905d79c050cccc553795c0538ece


Other Common Detection Aliases

Company Name    Detection Name
Avira           TR/Spy.EB
Kaspersky       Virus.Win32.Expiro.ar
Dr.Web          Win32.Expiro.78
Fortinet        W32/Expiro.AR
Microsoft       Virus:Win32/Expiro.BZ
ESET            Win32/Expiro.NBU
Norman          winpe/Expiro.YJ
Sophos          W32/Expiro-S
Trend Micro     PE_EXPIRO.AR
VBA32           Virus.Expiro.3109

Other brands and names may be claimed as the property of others.


Activities                        Risk Level
No digital signature is present   Informational


McAfee Scans       Scan Detections
McAfee Beta        W32/Expiro
McAfee Supported   W32/Expiro



System Changes

Some path values have been replaced with environment variables as the exact location may vary with different configurations.
e.g.
%WINDIR% = \WINDOWS (Windows 9x/ME/XP/Vista/7), \WINNT (Windows NT/2000)
%PROGRAMFILES% = \Program Files


The following files were analyzed:

2D3A037BF1EA905D79C050CCCC553795C0538ECE

The following files have been added to the system:

  • %WINDIR%\Microsoft.NET\Framework\v2.0.50727\ngenrootstorelock.dat
  • %WINDIR%\SYSTEM32\msiexec.exe
  • %WINDIR%\SYSTEM32\tlntsvr.exe
  • %WINDIR%\SYSTEM32\vssvc.exe
  • %WINDIR%\SYSTEM32\smlogsvc.exe
  • %WINDIR%\SYSTEM32\locator.exe
  • %WINDIR%\SYSTEM32\sessmgr.exe
  • %WINDIR%\microsoft.net\framework\v2.0.50727\mscorsvw.exe
  • %WINDIR%\SYSTEM32\alg.exe
  • %WINDIR%\microsoft.net\framework\v2.0.50727\aspnet_state.exe
  • %COMMONPROGRAMFILES%\Microsoft Shared\Source Engine\OSE.EXE
  • %WINDIR%\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat
  • %WINDIR%\SYSTEM32\mnmsrvc.exe
  • %WINDIR%\SYSTEM32\scardsvr.exe
  • %WINDIR%\SYSTEM32\cisvc.exe
  • %WINDIR%\SYSTEM32\wbem\wmiapsrv.exe
  • %WINDIR%\SYSTEM32\imapi.exe
  • %WINDIR%\SYSTEM32\netdde.exe
  • %WINDIR%\SYSTEM32\dmadmin.exe
  • %WINDIR%\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock

The following files have been changed:

  • %WINDIR%\microsoft.net\framework\v2.0.50727\ngen_service.log

The following files were temporarily written to disk then later removed:

  • %WINDIR%\SYSTEM32\oameeikg.tmp
  • %WINDIR%\Microsoft.NET\framework\v2.0.50727\qkpbmieo.tmp
  • %WINDIR%\SYSTEM32\oholopki.tmp
  • %WINDIR%\SYSTEM32\ohkmmgii.tmp
  • %WINDIR%\SYSTEM32\nniniidk.tmp
  • %WINDIR%\SYSTEM32\ajgklamc.tmp
  • %WINDIR%\SYSTEM32\ngineidk.tmp
  • %WINDIR%\Microsoft.NET\framework\v2.0.50727\nbbmhali.tmp
  • %WINDIR%\SYSTEM32\nhnacond.tmp
  • %WINDIR%\SYSTEM32\npijbhil.tmp
  • %WINDIR%\SYSTEM32\mejblcmj.tmp
  • %WINDIR%\SYSTEM32\wbem\fkdjqbhj.tmp
  • %WINDIR%\SYSTEM32\bmoeplmc.tmp
  • %WINDIR%\SYSTEM32\ajelhcgn.tmp
  • %WINDIR%\SYSTEM32\bfclejol.tmp
  • %WINDIR%\SYSTEM32\imomnlhn.tmp
  • %WINDIR%\SYSTEM32\npnpckil.tmp
  • %WINDIR%\SYSTEM32\fkodlhcn.tmp
  • %COMMONPROGRAMFILES%\Microsoft Shared\Source Engine\hfionana.tmp

The following registry elements have been created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\CONFERENCING\MCPT\
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-1482476501-[private subnet]522115-500\
  • HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM\

The following registry elements have been changed:

  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE\ACCUMULATEDWAITIDLETIME = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-1482476501-[private subnet]522115-500\ENABLENOTIFICATIONS = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\TRACING\MICROSOFT\IMAPI\ACTIVE = 1
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\TRACING\MICROSOFT\IMAPI\CONTROLFLAGS = 1
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\TRACING\MICROSOFT\IMAPI\LOGSESSIONNAME = stdout
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\TRACING\MICROSOFT\IMAPI\IMAPISVC\BITNAMES = ImapiDebugError ImapiDebugWarning ImapiDebugTrace ImapiDebugInfo ImapiDebugX ImapiDebugSort
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\TRACING\MICROSOFT\IMAPI\IMAPISVC\GUID = 8107d8e9-e323-49f5-bba2-abc35c243dca
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\HIDESCAHEALTH = 1
  • HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM\ENABLESMARTSCREEN = 0
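
The indicators above can be checked on a live host. The following PowerShell script is an added example, not McAfee's code and not part of the original report: it hashes the service executables listed as added, compares them with the sample's MD5/SHA1 from the File Properties table, checks their Authenticode status, and reads the three registry values the sample changed. It assumes PowerShell 4.0 or later (for Get-FileHash) and an elevated session; the function name Test-ExpiroIndicators is the example's own.

```powershell
# Added triage example (not McAfee's code): checks a live Windows host for the
# file and registry indicators listed in this report. Assumes PowerShell 4.0+
# for Get-FileHash and an elevated session so HKLM and System32 are readable.
function Test-ExpiroIndicators {
    # Hashes of the analysed sample, taken from the File Properties table.
    $knownSha1 = '2D3A037BF1EA905D79C050CCCC553795C0538ECE'
    $knownMd5  = '704A1AE5C9E50115AD17ADB9994B6BD2'

    # Service executables listed under "files added". The ngen .dat/.lock
    # files are left out: they are not PE files and carry no signature.
    $serviceBinaries = @(
        "$env:WINDIR\System32\msiexec.exe",
        "$env:WINDIR\System32\tlntsvr.exe",
        "$env:WINDIR\System32\vssvc.exe",
        "$env:WINDIR\System32\smlogsvc.exe",
        "$env:WINDIR\System32\locator.exe",
        "$env:WINDIR\System32\sessmgr.exe",
        "$env:WINDIR\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe",
        "$env:WINDIR\System32\alg.exe",
        "$env:WINDIR\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe",
        "$env:CommonProgramFiles\Microsoft Shared\Source Engine\OSE.EXE",
        "$env:WINDIR\System32\mnmsrvc.exe",
        "$env:WINDIR\System32\scardsvr.exe",
        "$env:WINDIR\System32\cisvc.exe",
        "$env:WINDIR\System32\wbem\wmiapsrv.exe",
        "$env:WINDIR\System32\imapi.exe",
        "$env:WINDIR\System32\netdde.exe",
        "$env:WINDIR\System32\dmadmin.exe"
    )

    # Registry values from "registry elements changed" that weaken security UI.
    $regChecks = @(
        @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System';                   Name = 'EnableSmartScreen'; Bad = 0 },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'HideSCAHealth';     Bad = 1 }
    )
    # EnableNotifications sits under a per-user SID subkey (redacted in the
    # report), so enumerate whatever SID subkeys exist on this host.
    $svcRoot = 'HKLM:\SOFTWARE\Microsoft\Security Center\Svc'
    if (Test-Path -LiteralPath $svcRoot) {
        foreach ($sid in Get-ChildItem -LiteralPath $svcRoot) {
            $regChecks += @{ Key = "Registry::$($sid.Name)"; Name = 'EnableNotifications'; Bad = 0 }
        }
    }

    $findings = @()

    foreach ($path in $serviceBinaries) {
        # Not every service ships on every Windows version; skip what is absent.
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $sha1 = (Get-FileHash -LiteralPath $path -Algorithm SHA1).Hash
        $md5  = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        $detail = $null
        if ($sha1 -eq $knownSha1 -or $md5 -eq $knownMd5) {
            $detail = 'hash matches the analysed sample'
        } elseif ($sig.Status -ne 'Valid') {
            # A rewritten host binary no longer verifies. Caveat: before
            # PowerShell 5.0, clean catalog-signed system files also report
            # NotSigned, so treat this as a lead for "sfc /verifyonly", not proof.
            $detail = "Authenticode status $($sig.Status)"
        }
        if ($detail) {
            $findings += [pscustomobject]@{ Indicator = $path; Detail = $detail; SHA1 = $sha1 }
        }
    }

    foreach ($c in $regChecks) {
        if (-not (Test-Path -LiteralPath $c.Key)) { continue }
        $value = (Get-ItemProperty -LiteralPath $c.Key -ErrorAction SilentlyContinue).($c.Name)
        if ($null -ne $value -and [int]$value -eq $c.Bad) {
            $findings += [pscustomobject]@{ Indicator = "$($c.Key)\$($c.Name)"; Detail = "set to $value"; SHA1 = '' }
        }
    }
    # The leading comma keeps an empty or single-item result as an array.
    return ,$findings
}

$result = Test-ExpiroIndicators
if ($result.Count -eq 0) { 'No indicators from this report were found.' } else { $result | Format-Table -AutoSize }
```

A hash match identifies only this exact sample; every other binary Expiro has infected contains a different host file and therefore hashes differently, which is why the signature check and the registry values are the more useful indicators when sweeping a fleet. Hosts where the three registry values are found should be treated as compromised even if the scan of the listed binaries is clean, because other executables outside this list may have been infected.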

Symptoms

The symptoms of this detection are the file and registry changes listed in the System Changes section.

Method of Infection

Expiro is a file-infecting virus: it spreads by writing itself into existing executables, including files on removable media and on shared or network file systems, rather than by dropping a stand-alone component. In this analysis the files listed as added under System Changes are Windows service executables that already exist on a clean system (msiexec.exe, alg.exe, vssvc.exe and the others), each accompanied by a randomly named .tmp file written and then removed in the same directory, which is the pattern of a host binary being rewritten through a temporary file. The analysed file itself carries no digital signature (see Activities).

Removal

Please use the following instructions for all supported versions of Windows:


1. Disable Windows System Restore. For instructions, please refer to: http://www.mcafee.com/us/downloads/free-tools/disabling-system-restore.aspx

2. Update your McAfee Anti-Virus product to the latest version (when possible), and ensure the latest DAT and Engine and any applicable EXTRA.DATs are installed.

3. Run a full system scan. (On-Demand Scan)

4. Reboot, as soon as it is convenient, to ensure all malicious components are removed.

Variants