W32/Expiro!FB4596E9E509

This page shows details and results of our analysis of the malware W32/Expiro!FB4596E9E509

Overview

Viruses are self-replicating. They are often spread by a network or by transmission to a removable medium such as a removable disk, writable CD, or USB drive. Viruses may also spread by infecting files on a network file system or a file system that is shared by another computer. In the run recorded under System Changes below, the files reported as added are Windows service executables that already exist on a clean system, and each is paired with a temporary <name>.vir file in the same directory; this is consistent with a file infector that rewrites existing executables in place rather than dropping new ones.


Minimum Engine

5600.1067

File Length

1697792

Description Added

2014-08-03

Description Modified

2014-08-03

Malware Proliferation

Characteristics

This is a Virus

File Properties

  Property           Value
  McAfee Detection   W32/Expiro
  Length             1697792 bytes
  MD5                fb4596e9e5093b4f5e782c6d128aa9af
  SHA1               5127d0eef126f835a8544a6d4e0a2a280251305b


Other Common Detection Aliases

  Company Name                 Detection Name
  AhnLab                       Win32/Expiro.Gen
  Avast                        Win32:Expiro-EG
  AVG (GriSoft)                Win32/Expiro
  Avira                        TR/Crypt.ZPACK.Gen
  Kaspersky                    Virus.Win32.Expiro.nt
  BitDefender                  Win32.Expiro.Gen.2
  Dr.Web                       Win32.Expiro.104
  FortiNet                     W32/Expiro.NT!tr
  Microsoft                    Virus:Win32/Expiro.DL
  Eset                         Win32/Expiro.CD virus
  Norman                       Expiro.YV
  Panda                        W32/Expiro.gen
  Rising                       Malware.RDM.20!5.1A
  Sophos                       W32/Expiro-W
  Trend Micro                  PE_EXPIRO.RAP
  VBA32                        Virus.Win32.Expiro.SEP.2
  Vet (Computer Associates)    Win32/Expiro.BT

Other brands and names may be claimed as the property of others.


  Activity                          Risk Level
  No digital signature is present   Informational


  McAfee Scan        Scan Detection
  McAfee Beta        W32/Expiro
  McAfee Supported   W32/Expiro



System Changes

Some path values have been replaced with environment variables as the exact location may vary with different configurations.
e.g.
%WINDIR% = \WINDOWS (Windows 9x/ME/XP/Vista/7), \WINNT (Windows NT/2000)
%PROGRAMFILES% = \Program Files


The following files were analyzed:

5127D0EEF126F835A8544A6D4E0A2A280251305B

The following files have been added to the system:

  • %WINDIR%\SYSTEM32\ups.exe
  • %WINDIR%\SYSTEM32\msiexec.exe
  • %WINDIR%\Microsoft.NET\Framework\v2.0.50727\ngenrootstorelock.dat
  • %WINDIR%\SYSTEM32\cisvc.exe
  • %WINDIR%\SYSTEM32\msdtc.exe
  • %WINDIR%\SYSTEM32\vssvc.exe
  • %WINDIR%\SYSTEM32\smlogsvc.exe
  • %WINDIR%\SYSTEM32\clipsrv.exe
  • %WINDIR%\SYSTEM32\dmadmin.exe
  • %WINDIR%\SYSTEM32\locator.exe
  • %WINDIR%\SYSTEM32\sessmgr.exe
  • %WINDIR%\SYSTEM32\rsvp.exe
  • %WINDIR%\SYSTEM32\alg.exe
  • %WINDIR%\SYSTEM32\dllhost.exe
  • %WINDIR%\microsoft.net\framework\v2.0.50727\aspnet_state.exe
  • %WINDIR%\SYSTEM32\tlntsvr.exe
  • %WINDIR%\microsoft.net\framework\v2.0.50727\mscorsvw.exe
  • %WINDIR%\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{382A19D4-A045-481C-B860-197F36D3F7AE}.crmlog
  • %WINDIR%\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat
  • %WINDIR%\SYSTEM32\mnmsrvc.exe
  • %WINDIR%\SYSTEM32\scardsvr.exe
  • %WINDIR%\SYSTEM32\wbem\wmiapsrv.exe
  • %WINDIR%\SYSTEM32\imapi.exe
  • %COMMONPROGRAMFILES%\Microsoft Shared\Source Engine\OSE.EXE
  • %WINDIR%\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock

The following files have been changed:

  • %WINDIR%\microsoft.net\framework\v2.0.50727\ngen_service.log
  • %WINDIR%\registration\{02d4b3f1-fd88-11d1-960d-00805fc79235}.{f06fcf39-35a8-4acb-bf98-99800416ad66}.crmlog

The following files were temporarily written to disk then later removed:

  • %WINDIR%\SYSTEM32\alg.vir
  • %WINDIR%\SYSTEM32\fjnkbebn.tmp
  • %WINDIR%\SYSTEM32\ahmdphdg.tmp
  • %WINDIR%\SYSTEM32\aachmbim.tmp
  • %WINDIR%\SYSTEM32\icicfddc.tmp
  • %WINDIR%\Microsoft.NET\framework\v2.0.50727\ehmgaeoa.tmp
  • %WINDIR%\SYSTEM32\locator.vir
  • %WINDIR%\SYSTEM32\rsvp.vir
  • %WINDIR%\SYSTEM32\clipsrv.vir
  • %WINDIR%\SYSTEM32\smlogsvc.vir
  • %WINDIR%\SYSTEM32\dpfmlgcj.tmp
  • %WINDIR%\SYSTEM32\sessmgr.vir
  • %WINDIR%\SYSTEM32\dpeocccp.tmp
  • %WINDIR%\SYSTEM32\dllhost.vir
  • %WINDIR%\Microsoft.NET\framework\v2.0.50727\pmifoeej.tmp
  • %WINDIR%\SYSTEM32\imapi.vir
  • %WINDIR%\SYSTEM32\ohmhkkhb.tmp
  • %WINDIR%\SYSTEM32\tlntsvr.vir
  • %WINDIR%\SYSTEM32\gjbdjcja.tmp
  • %WINDIR%\SYSTEM32\ups.vir
  • %WINDIR%\SYSTEM32\msdtc.vir
  • %WINDIR%\SYSTEM32\mnmsrvc.vir
  • %WINDIR%\SYSTEM32\jpggfmjm.tmp
  • %COMMONPROGRAMFILES%\Microsoft Shared\Source Engine\fjeafgjj.tmp
  • %WINDIR%\SYSTEM32\caapnbnp.tmp
  • %WINDIR%\SYSTEM32\hmnkodda.tmp
  • %WINDIR%\SYSTEM32\wbem\cibhfife.tmp
  • %WINDIR%\SYSTEM32\dmadmin.vir
  • %WINDIR%\SYSTEM32\scardsvr.vir
  • %WINDIR%\Microsoft.NET\framework\v2.0.50727\emoobbjd.tmp
  • %WINDIR%\SYSTEM32\cisvc.vir
  • %WINDIR%\Microsoft.NET\framework\v2.0.50727\aspnet_state.vir
  • %WINDIR%\SYSTEM32\vssvc.vir
  • %WINDIR%\SYSTEM32\lnahoplj.tmp
  • %WINDIR%\SYSTEM32\wbem\wmiapsrv.vir
  • %WINDIR%\SYSTEM32\hpqamdfa.tmp
  • %WINDIR%\SYSTEM32\msiexec.vir

The following registry elements have been created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\CLIPBOOK SERVER\
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-1482476501-[private subnet]522115-500\
  • HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM\

The following registry elements have been changed:

  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE\ACCUMULATEDWAITIDLETIME = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-1482476501-[private subnet]522115-500\ENABLENOTIFICATIONS = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\TRACING\MICROSOFT\IMAPI\ACTIVE = 1
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\TRACING\MICROSOFT\IMAPI\CONTROLFLAGS = 1
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\TRACING\MICROSOFT\IMAPI\LOGSESSIONNAME = stdout
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\TRACING\MICROSOFT\IMAPI\IMAPISVC\BITNAMES = ImapiDebugError ImapiDebugWarning ImapiDebugTrace ImapiDebugInfo ImapiDebugX ImapiDebugSort
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\TRACING\MICROSOFT\IMAPI\IMAPISVC\GUID = 8107d8e9-e323-49f5-bba2-abc35c243dca
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\HIDESCAHEALTH = 1
  • HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM\ENABLESMARTSCREEN = 0
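The following triage script is an added example, not McAfee's code or part of the original analysis. It turns the host artifacts listed above into checks a responder can run in an elevated PowerShell session on a suspect machine: the three registry values the sample sets to suppress Security Center notifications, hide the Security Center health icon and disable SmartScreen; the Authenticode status of the service binaries the sample rewrote; and leftover <name>.vir and eight-letter .tmp staging files. The paths and value names come from the listing; the eight-lowercase-letter .tmp pattern and the treatment of a failed signature as an indicator are the editor's interpretation of it, and the script assumes PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example (not McAfee's code): check a host for the Expiro artifacts listed above.
# Run elevated. Assumes PowerShell 4.0+ (Get-FileHash).
$findings = New-Object System.Collections.Generic.List[string]

# 1. Registry values the sample set. Path, value name, and the value that indicates tampering.
$regChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System';
       Name = 'EnableSmartScreen'; Bad = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';
       Name = 'HideSCAHealth';     Bad = 1 }
)
foreach ($c in $regChecks) {
    $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $v -and $v.($c.Name) -eq $c.Bad) {
        $findings.Add("Registry: $($c.Path)\$($c.Name) = $($c.Bad)")
    }
}
# The Security Center key is per-user (keyed by SID), so enumerate rather than hard-code it.
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Security Center\Svc' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $v = Get-ItemProperty -Path $_.PSPath -Name 'EnableNotifications' -ErrorAction SilentlyContinue
        if ($null -ne $v -and $v.EnableNotifications -eq 0) {
            $findings.Add("Registry: $($_.Name)\EnableNotifications = 0")
        }
    }

# 2. Service binaries the sample rewrote. Clean copies are Microsoft-signed, so anything
#    other than 'Valid' on one of these paths is worth a hash check against known-good media.
$sys32 = Join-Path $env:WINDIR 'System32'
$fw    = Join-Path $env:WINDIR 'Microsoft.NET\Framework\v2.0.50727'
$targets = @(
    'ups.exe','msiexec.exe','cisvc.exe','msdtc.exe','vssvc.exe','smlogsvc.exe',
    'clipsrv.exe','dmadmin.exe','locator.exe','sessmgr.exe','rsvp.exe','alg.exe',
    'dllhost.exe','tlntsvr.exe','mnmsrvc.exe','scardsvr.exe','imapi.exe','wbem\wmiapsrv.exe'
) | ForEach-Object { Join-Path $sys32 $_ }
$targets += Join-Path $fw 'aspnet_state.exe'
$targets += Join-Path $fw 'mscorsvw.exe'
$targets += Join-Path $env:CommonProgramFiles 'Microsoft Shared\Source Engine\OSE.EXE'

foreach ($t in $targets) {
    # Several of these services no longer ship on current Windows; skip what is absent.
    if (-not (Test-Path -LiteralPath $t)) { continue }
    $sig = Get-AuthenticodeSignature -FilePath $t
    if ($sig.Status -ne 'Valid') {
        $sha1 = (Get-FileHash -Algorithm SHA1 -LiteralPath $t).Hash
        $findings.Add("Signature $($sig.Status): $t  SHA1=$sha1")
    }
}

# 3. Staging files seen in the analysis: <service>.vir copies and random 8-letter .tmp files
#    (the .tmp pattern is inferred from the names listed, e.g. fjnkbebn.tmp).
Get-ChildItem -Path $sys32, $fw -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '\.vir$' -or $_.Name -match '^[a-z]{8}\.tmp$' } |
    ForEach-Object { $findings.Add("Staging file: $($_.FullName)") }

if ($findings.Count -eq 0) { 'No Expiro indicators from this analysis were found.' }
else { $findings }
```

Two caveats when reading the output. Get-AuthenticodeSignature only recognises catalog-signed files on PowerShell 5.1 and later; on older Windows versions many System32 binaries are catalog-signed and will report NotSigned even when clean, so confirm a hit with `sfc /verifyfile=<path>` or a hash comparison against install media before treating it as an infection. The .vir and .tmp files were deleted by the sample during the analysed run, so their absence proves nothing; their presence usually means the infection was interrupted.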

Symptoms

The symptoms of this detection are the files and registry elements referenced in the Characteristics section above.

Method of Infection

Viruses are self-replicating. They are often spread by a network or by transmission to a removable medium such as a removable disk, writable CD, or USB drive. Viruses may also spread by infecting files on a network file system or a file system that is shared by another computer.

Removal

Please use the following instructions for all supported versions of Windows:


1. Disable Windows System Restore. For instructions, please refer to: http://www.mcafee.com/us/downloads/free-tools/disabling-system-restore.aspx

2. Update your McAfee Anti-Virus product to the latest version (when possible), and ensure the latest DAT and Engine and any applicable EXTRA.DATs are installed.

3. Run a full system scan. (On-Demand Scan)

4. Reboot, as soon as it is convenient, to ensure all malicious components are removed.

Variants