W32/Expiro!69203320AC6F

This page shows details and results of our analysis on the malware W32/Expiro!69203320AC6F

Overview

Viruses are self-replicating. They are often spread by a network or by transmission to a removable medium such as a removable disk, writable CD, or USB drive. Viruses may also spread by infecting files on a network file system or a file system that is shared by another computer.


Minimum Engine

5600.1067

File Length

1836544

Description Added

2014-08-02

Description Modified

2014-08-02

Malware Proliferation

Characteristics

This is a Virus

File Properties

  Property            Value
  McAfee Detection    W32/Expiro
  Length              1836544 bytes
  MD5                 69203320ac6f81ce9cbc1adcb4f5cc9a
  SHA1                e3ccc75eb092b31de73d8221127b75deaad47e3b


Other Common Detection Aliases

  Company Name                 Detection Name
  ahnlab                       Win32/Expiro.Gen
  avast                        Win32:Expiro-EG
  AVG (GriSoft)                Win32/Expiro
  avira                        W32/Infector.Gen4
  Kaspersky                    Virus.Win32.Expiro.nt
  BitDefender                  Win32.Expiro.Gen.2
  Dr.Web                       Win32.Expiro.104
  FortiNet                     W32/Expiro.NT!tr
  Microsoft                    Virus:Win32/Expiro.DL
  Eset                         Win32/Expiro.CD virus
  norman                       Expiro.YV
  panda                        W32/Expiro.gen
  Sophos                       W32/Expiro-W
  Trend Micro                  PE_EXPIRO.RAP
  vba32                        Virus.Win32.Expiro.SEP.3
  Vet (Computer Associates)    Win32/Expiro.BT

Other brands and names may be claimed as the property of others.


  Activity                           Risk Level
  No digital signature is present    Informational


  McAfee Scan         Scan Detection
  McAfee Beta         W32/Expiro
  McAfee Supported    W32/Expiro



System Changes

Some path values have been replaced with environment variables as the exact location may vary with different configurations, e.g.:

  %WINDIR% = \WINDOWS (Windows 9x/ME/XP/Vista/7), \WINNT (Windows NT/2000)
  %PROGRAMFILES% = \Program Files


The following files were analyzed:

E3CCC75EB092B31DE73D8221127B75DEAAD47E3B

The following files have been added to the system:

  • %WINDIR%\SYSTEM32\ups.exe
  • %WINDIR%\SYSTEM32\msdtc.exe
  • %WINDIR%\SYSTEM32\scardsvr.exe
  • %WINDIR%\SYSTEM32\smlogsvc.exe
  • %WINDIR%\SYSTEM32\dmadmin.exe
  • %WINDIR%\SYSTEM32\locator.exe
  • %WINDIR%\SYSTEM32\sessmgr.exe
  • %WINDIR%\microsoft.net\framework\v2.0.50727\mscorsvw.exe
  • %WINDIR%\SYSTEM32\alg.exe
  • %WINDIR%\SYSTEM32\dllhost.exe
  • %WINDIR%\microsoft.net\framework\v2.0.50727\aspnet_state.exe
  • %WINDIR%\SYSTEM32\tlntsvr.exe
  • %WINDIR%\SYSTEM32\vssvc.exe
  • %WINDIR%\SYSTEM32\mnmsrvc.exe
  • %WINDIR%\SYSTEM32\clipsrv.exe
  • %WINDIR%\SYSTEM32\msiexec.exe
  • %WINDIR%\SYSTEM32\wbem\wmiapsrv.exe
  • %WINDIR%\SYSTEM32\imapi.exe
  • %COMMONPROGRAMFILES%\Microsoft Shared\Source Engine\OSE.EXE
  • %WINDIR%\SYSTEM32\cisvc.exe

The following files were temporarily written to disk then later removed:

  • %WINDIR%\SYSTEM32\gjblclil.tmp
  • %WINDIR%\SYSTEM32\mnadojbm.tmp
  • %WINDIR%\SYSTEM32\ipifafpe.tmp
  • %WINDIR%\SYSTEM32\ogahlqfd.tmp
  • %WINDIR%\SYSTEM32\kbghipqg.tmp
  • %WINDIR%\SYSTEM32\lkaomijp.tmp
  • %WINDIR%\Microsoft.NET\framework\v2.0.50727\ffomjjnc.tmp
  • %WINDIR%\SYSTEM32\wbem\kcbajhmn.tmp
  • %WINDIR%\SYSTEM32\oaaflmme.tmp
  • %WINDIR%\SYSTEM32\jcmocjcg.tmp
  • %WINDIR%\SYSTEM32\hafabmnb.tmp
  • %WINDIR%\SYSTEM32\jdbfaano.tmp
  • %WINDIR%\SYSTEM32\cjlblnfd.tmp
  • %COMMONPROGRAMFILES%\Microsoft Shared\Source Engine\ajkafkpp.tmp
  • %WINDIR%\SYSTEM32\gfeebgdl.tmp
  • %WINDIR%\SYSTEM32\omcddkfp.tmp
  • %WINDIR%\Microsoft.NET\framework\v2.0.50727\ibhnbpeh.tmp
  • %WINDIR%\SYSTEM32\oebdebla.tmp
  • %WINDIR%\SYSTEM32\jobolmde.tmp
  • %WINDIR%\SYSTEM32\nodhpedc.tmp

The following registry elements have been created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\CLIPBOOK SERVER\
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-1482476501-[private subnet]522115-500\
  • HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM\

The following registry elements have been changed:

  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-1482476501-[private subnet]522115-500\ENABLENOTIFICATIONS = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\HIDESCAHEALTH = 1
  • HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM\ENABLESMARTSCREEN = 0

Symptoms

The symptoms of this detection are the files, registry elements, and network communication referenced in the Characteristics section.

Method of Infection

Viruses are self-replicating. They are often spread by a network or by transmission to a removable medium such as a removable disk, writable CD, or USB drive. Viruses may also spread by infecting files on a network file system or a file system that is shared by another computer.

Removal

Please use the following instructions for all supported versions of Windows:


1. Disable Windows System Restore. For instructions, please refer to: http://www.mcafee.com/us/downloads/free-tools/disabling-system-restore.aspx

2. Update your McAfee Anti-Virus product to the latest version (when possible), and ensure the latest DAT and Engine and any applicable EXTRA.DATs are installed.

3. Run a full system scan. (On-Demand Scan)

4. Reboot, as soon as it is convenient, to ensure all malicious components are removed.

Variants