W32/Expiro!73A59CC0454C

This page shows details and results of our analysis on the malware W32/Expiro!73A59CC0454C

Overview

Viruses are self-replicating. They are often spread by a network or by transmission to a removable medium such as a removable disk, writable CD, or USB drive. Viruses may also spread by infecting files on a network file system or a file system that is shared by another computer.


Minimum DAT: 7332 (2014-01-28)

Updated DAT: 7332 (2014-01-28)

Minimum Engine: 5600.1067

File Length: 711168

Description Added: 2014-01-29

Description Modified: 2014-01-29

Malware Proliferation

Characteristics

This is a Virus

File Properties

Property: Value
McAfee Detection: W32/Expiro
Length: 711168 bytes
MD5: 73a59cc0454cc09d19a8cfdce5494f5b
SHA1: 7c2abf2d35bab4644c154be2d31ec7054a6f8b3a


Other Common Detection Aliases

Company Name: Detection Name
Avira: TR/Spy.EB
Kaspersky: Virus.Win32.Expiro.ar
Dr.Web: Win32.Expiro.78
Fortinet: W32/Expiro.AR
Microsoft: Virus:Win32/Expiro.BZ
ESET: Win32/Expiro.NBU
Norman: winpe/Expiro.YJ
Sophos: W32/Expiro-S
VBA32: Virus.Expiro.3109

Other brands and names may be claimed as the property of others.


Activities: Risk Level
No digital signature is present: Informational


McAfee Scan: Detection
McAfee Beta: W32/Expiro
McAfee Supported: W32/Expiro



System Changes

Some path values have been replaced with environment variables as the exact location may vary with different configurations.
e.g.
%WINDIR% = \WINDOWS (Windows 9x/ME/XP/Vista/7), \WINNT (Windows NT/2000)
%PROGRAMFILES% = \Program Files


The following files were analyzed:

7C2ABF2D35BAB4644C154BE2D31EC7054A6F8B3A

The following files have been added to the system. Note that, apart from the .dat and .lock files (normal side effects of the .NET NGen service, mscorsvw.exe, being started), every entry is an existing Windows service executable that ships with the operating system; the most plausible reading is that these binaries were rewritten in place by the file infector rather than newly dropped, which also fits the write-then-delete .tmp files recorded below in the same directories:

  • %WINDIR%\Microsoft.NET\Framework\v2.0.50727\ngenrootstorelock.dat
  • %WINDIR%\SYSTEM32\msiexec.exe
  • %WINDIR%\SYSTEM32\vssvc.exe
  • %WINDIR%\SYSTEM32\smlogsvc.exe
  • %WINDIR%\SYSTEM32\dmadmin.exe
  • %WINDIR%\SYSTEM32\locator.exe
  • %WINDIR%\SYSTEM32\sessmgr.exe
  • %WINDIR%\microsoft.net\framework\v2.0.50727\mscorsvw.exe
  • %WINDIR%\SYSTEM32\alg.exe
  • %WINDIR%\microsoft.net\framework\v2.0.50727\aspnet_state.exe
  • %WINDIR%\SYSTEM32\tlntsvr.exe
  • %COMMONPROGRAMFILES%\Microsoft Shared\Source Engine\OSE.EXE
  • %WINDIR%\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat
  • %WINDIR%\SYSTEM32\scardsvr.exe
  • %WINDIR%\SYSTEM32\cisvc.exe
  • %WINDIR%\SYSTEM32\wbem\wmiapsrv.exe
  • %WINDIR%\SYSTEM32\imapi.exe
  • %WINDIR%\SYSTEM32\netdde.exe
  • %WINDIR%\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock

The following files have been changed:

  • %WINDIR%\microsoft.net\framework\v2.0.50727\ngen_service.log
  • %WINDIR%\SYSTEM32\mnmsrvc.exe

The following files were temporarily written to disk then later removed:

  • %WINDIR%\Microsoft.NET\framework\v2.0.50727\daffqega.tmp
  • %WINDIR%\SYSTEM32\jhpeobgb.tmp
  • %WINDIR%\SYSTEM32\hjhmdpkk.tmp
  • %WINDIR%\SYSTEM32\pcjoccqg.tmp
  • %WINDIR%\SYSTEM32\wbem\hjibodgm.tmp
  • %WINDIR%\SYSTEM32\ffhmjnnl.tmp
  • %WINDIR%\SYSTEM32\mbbmjfna.tmp
  • %WINDIR%\SYSTEM32\difephpk.tmp
  • %WINDIR%\SYSTEM32\bjibjoog.tmp
  • %WINDIR%\SYSTEM32\ngabmjin.tmp
  • %WINDIR%\SYSTEM32\nldiigpd.tmp
  • %WINDIR%\SYSTEM32\gblkjkle.tmp
  • %WINDIR%\SYSTEM32\mnpfeecp.tmp
  • %COMMONPROGRAMFILES%\Microsoft Shared\Source Engine\hihddkdl.tmp
  • %WINDIR%\SYSTEM32\fphdmmjl.tmp
  • %WINDIR%\SYSTEM32\acmfaapk.tmp
  • %WINDIR%\SYSTEM32\fhiepmbk.tmp
  • %WINDIR%\Microsoft.NET\framework\v2.0.50727\hbclgkkk.tmp

The following registry elements have been created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-1482476501-[private subnet]522115-500\
  • HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM\

The following registry elements have been changed:

  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE\ACCUMULATEDWAITIDLETIME = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-1482476501-[private subnet]522115-500\ENABLENOTIFICATIONS = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\TRACING\MICROSOFT\IMAPI\ACTIVE = 1
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\TRACING\MICROSOFT\IMAPI\CONTROLFLAGS = 1
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\TRACING\MICROSOFT\IMAPI\LOGSESSIONNAME = stdout
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\TRACING\MICROSOFT\IMAPI\IMAPISVC\BITNAMES = ImapiDebugError ImapiDebugWarning ImapiDebugTrace ImapiDebugInfo ImapiDebugX ImapiDebugSort
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\TRACING\MICROSOFT\IMAPI\IMAPISVC\GUID = 8107d8e9-e323-49f5-bba2-abc35c243dca
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\HIDESCAHEALTH = 1
  • HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM\ENABLESMARTSCREEN = 0
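The following PowerShell script is an added example, not part of the original McAfee write-up, that hunts a live host for the artifacts listed under System Changes: it checks the Authenticode status and SHA-1 of each listed Windows binary, looks for the three registry values the sample set, and reports any leftover eight-letter .tmp file in the affected directories. The paths, registry values and sample hash are taken from this page; the reading of the "added" executables as infected existing binaries, and the `[a-z]{8}\.tmp` name pattern generalised from the listed temp files, are assumptions made for the example. Run it from an elevated prompt; it only reads.

```powershell
# Added example (not from the McAfee report): read-only hunt for the W32/Expiro
# host artifacts listed under System Changes. Assumptions are marked as such.

$findings = New-Object System.Collections.Generic.List[string]

# 1. The "added"/"changed" executables are all pre-existing Windows service
#    binaries, so (assumption) they were rewritten in place rather than dropped.
#    A rewritten binary no longer verifies, so check Authenticode status rather
#    than mere existence, and compare each file against the analyzed sample's SHA-1.
$sampleSha1 = '7c2abf2d35bab4644c154be2d31ec7054a6f8b3a'   # SHA1 from the report
$binaries = @(
    "$env:WINDIR\System32\msiexec.exe",
    "$env:WINDIR\System32\vssvc.exe",
    "$env:WINDIR\System32\smlogsvc.exe",
    "$env:WINDIR\System32\dmadmin.exe",
    "$env:WINDIR\System32\locator.exe",
    "$env:WINDIR\System32\sessmgr.exe",
    "$env:WINDIR\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe",
    "$env:WINDIR\System32\alg.exe",
    "$env:WINDIR\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe",
    "$env:WINDIR\System32\tlntsvr.exe",
    "$env:CommonProgramFiles\Microsoft Shared\Source Engine\OSE.EXE",
    "$env:WINDIR\System32\scardsvr.exe",
    "$env:WINDIR\System32\cisvc.exe",
    "$env:WINDIR\System32\wbem\wmiapsrv.exe",
    "$env:WINDIR\System32\imapi.exe",
    "$env:WINDIR\System32\netdde.exe",
    "$env:WINDIR\System32\mnmsrvc.exe"
)
$sha1 = [System.Security.Cryptography.SHA1]::Create()
foreach ($path in $binaries) {
    if (-not (Test-Path -LiteralPath $path)) { continue }   # absent on some Windows versions
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') {
        $findings.Add("Signature $($sig.Status): $path")
    }
    $stream = [System.IO.File]::OpenRead($path)
    try {
        $hash = [System.BitConverter]::ToString($sha1.ComputeHash($stream)).Replace('-', '').ToLower()
    } finally {
        $stream.Close()
    }
    if ($hash -eq $sampleSha1) { $findings.Add("SHA-1 matches analyzed sample: $path") }
}

# 2. Registry values the sample set: SmartScreen disabled, the Security Center tray
#    icon hidden, and Security Center notifications disabled under a per-user SID
#    subkey (the SID is redacted in the report, so every subkey is enumerated).
$regChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System';                 Name = 'EnableSmartScreen'; Bad = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'HideSCAHealth';     Bad = 1 }
)
foreach ($c in $regChecks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($item -and $item.($c.Name) -eq $c.Bad) {
        $findings.Add("Registry: $($c.Path)\$($c.Name) = $($c.Bad)")
    }
}
Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Security Center\Svc' -ErrorAction SilentlyContinue | ForEach-Object {
    $v = Get-ItemProperty -Path $_.PSPath -Name 'EnableNotifications' -ErrorAction SilentlyContinue
    if ($v -and $v.EnableNotifications -eq 0) {
        $findings.Add("Registry: Security Center\Svc\$($_.PSChildName)\EnableNotifications = 0")
    }
}

# 3. The infector wrote eight-letter .tmp files beside each target and deleted them;
#    one left behind suggests an interrupted run. The [a-z]{8} pattern is an
#    assumption generalised from the file names in the report.
$tmpDirs = @(
    "$env:WINDIR\System32",
    "$env:WINDIR\System32\wbem",
    "$env:WINDIR\Microsoft.NET\Framework\v2.0.50727",
    "$env:CommonProgramFiles\Microsoft Shared\Source Engine"
)
foreach ($dir in $tmpDirs) {
    Get-ChildItem -LiteralPath $dir -Filter '*.tmp' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^[a-z]{8}\.tmp$' } |
        ForEach-Object { $findings.Add("Leftover temp file: $($_.FullName)") }
}

if ($findings.Count -eq 0) { 'No W32/Expiro indicators from the report were found.' } else { $findings }
```

Two caveats when reading the output. Older PowerShell versions do not consult Windows security catalogs, so Get-AuthenticodeSignature can report NotSigned for a clean, catalog-signed system binary; a HashMismatch status, or NotSigned on a host where the same check passes for other system files, is the stronger signal, and `sfc /verifyonly` gives an independent opinion on protected system files. The hash comparison only catches the exact analyzed sample, since an infected host binary carries the victim file's bytes plus the viral code and will hash differently. Re-running the script after the Removal steps below is a cheap way to confirm that the registry values were reverted and the binaries verify again.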

Symptoms

The symptoms of this detection are the file and registry changes listed under System Changes in the Characteristics section above.

Method of Infection

As a file-infecting virus, this threat spreads in the ways described under Overview: by rewriting executables on local disks, on removable media such as USB drives or writable CDs, and on network or shared file systems, so that the infection propagates when those files are carried to or run from another computer.

Removal

Please use the following instructions for all supported versions of Windows:


1. Disable Windows System Restore. For instructions, please refer to: http://www.mcafee.com/us/downloads/free-tools/disabling-system-restore.aspx

2. Update your McAfee Anti-Virus product to the latest version (when possible), and ensure the latest DAT and Engine and any applicable EXTRA.DATs are installed.

3. Run a full system scan. (On-Demand Scan)

4. Reboot, as soon as it is convenient, to ensure all malicious components are removed.

Variants