Virus.Win32.Expiro.ai (Kaspersky), Virus.Win32.Expiro.gen.a (v) (VIPRE), Virus.Win32.Expiro!IK (Emsisoft), VirusExpiro.YR (Lavasoft MAS)
Behaviour: Virus
This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
Summary
MD5: f40f74449ce2620779aa5a0a6be43638
SHA1: a04444b98b304d008f4ff1055c13a3553d7d3257
SHA256: c8f0ae279826b9ea4a94db34b19c85a0af73c00e4cac6b137833d65ba3073d4c
SSDeep: 12288:n8czaPNQOZglGmlh2HeXBlLBGDDwk2asHBTttBRS8aQH8v8sVeZ:813mlhOeX7LBcZS7BE86e
Size: 542208 bytes
File type: broken
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2008-04-13 21:33:36
Analyzed on: Windows7 SP1 64-bit
Summary: Virus. A program that recursively replicates a possibly evolved copy of itself.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Virus creates the following process(es):
mscorsvw.exe:2976
mscorsvw.exe:1624
msiexec.exe:2272
The Virus injects its code into the following process(es):
%original file name%.exe:1836
File activity
The process %original file name%.exe:1836 makes changes in the file system.
The Virus creates and/or writes to the following file(s). Each target appears twice: a <name>.vir staging copy written beside the executable, and the rewritten <name>.exe itself. The figures in parentheses are the number of bytes the sandbox saw written, not the size of the resulting file:
C:\Windows\System32\wbem\wmiApsrv.vir (715 bytes)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.vir (636 bytes)
C:\Windows\SysWOW64\svchost.vir (532 bytes)
C:\Windows\System32\UI0Detect.exe (3361 bytes)
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe (4185 bytes)
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (4185 bytes)
C:\Windows\System32\wbengine.vir (2 bytes)
C:\Windows\SysWOW64\msiexec.exe (3361 bytes)
C:\Windows\SysWOW64\svchost.exe (3361 bytes)
C:\Windows\System32\Wat\watAdminsvc.vir (1 bytes)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (4185 bytes)
C:\Windows\System32\sppsvc.exe (30427 bytes)
C:\Windows\System32\snmptrap.vir (526 bytes)
C:\Windows\System32\snmptrap.exe (3361 bytes)
C:\Windows\SysWOW64\msiexec.vir (585 bytes)
C:\Windows\System32\sppsvc.vir (4 bytes)
C:\Windows\System32\wbem\WmiApSrv.exe (4545 bytes)
C:\Windows\System32\vssvc.vir (2 bytes)
C:\Windows\System32\vds.vir (1 bytes)
C:\Windows\System32\wbengine.exe (14988 bytes)
C:\Windows\System32\Wat\WatAdminSvc.exe (11518 bytes)
%Program Files%\Internet Explorer\iexplore.exe (7971 bytes)
C:\Windows\System32\fxssvc.vir (1 bytes)
C:\Windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir (572 bytes)
C:\Windows\System32\msiexec.exe (4185 bytes)
C:\Windows\System32\msiexec.vir (640 bytes)
C:\Windows\System32\VSSVC.exe (15116 bytes)
C:\Windows\SysWOW64\dllhost.vir (519 bytes)
C:\Windows\System32\alg.vir (591 bytes)
C:\Windows\SysWOW64\dllhost.exe (3073 bytes)
C:\Windows\System32\ui0detect.vir (552 bytes)
C:\Windows\System32\FXSSVC.exe (7726 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (3361 bytes)
C:\Windows\System32\alg.exe (4185 bytes)
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.vir (644 bytes)
C:\Windows\Microsoft.NET\framework64\v2.0.50727\mscorsvw.vir (595 bytes)
C:\Windows\System32\vds.exe (7385 bytes)
%Program Files%\Internet Explorer\iexplore.vir (1 bytes)
The Virus deletes the following file(s) (the .vir staging copies are removed once the corresponding executable has been rewritten):
C:\Windows\System32\wbem\wmiApsrv.vir (0 bytes)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.vir (0 bytes)
C:\Windows\SysWOW64\svchost.vir (0 bytes)
C:\Windows\System32\wbengine.vir (0 bytes)
C:\Windows\System32\vds.vir (0 bytes)
C:\Windows\System32\Wat\watAdminsvc.vir (0 bytes)
C:\Windows\System32\snmptrap.vir (0 bytes)
C:\Windows\SysWOW64\msiexec.vir (0 bytes)
C:\Windows\System32\sppsvc.vir (0 bytes)
C:\Windows\System32\fxssvc.vir (0 bytes)
C:\Windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir (0 bytes)
C:\Windows\System32\vssvc.vir (0 bytes)
C:\Windows\System32\msiexec.vir (0 bytes)
C:\Windows\SysWOW64\dllhost.vir (0 bytes)
C:\Windows\System32\alg.vir (0 bytes)
C:\Windows\System32\ui0detect.vir (0 bytes)
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.vir (0 bytes)
C:\Windows\Microsoft.NET\framework64\v2.0.50727\mscorsvw.vir (0 bytes)
%Program Files%\Internet Explorer\iexplore.vir (0 bytes)
The process mscorsvw.exe:2976 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log (4759 bytes)
The process mscorsvw.exe:1624 makes changes in the file system.
The Virus, now running inside the rewritten mscorsvw.exe, creates and/or writes to the following file(s), continuing the infection into the WinPcap remote-capture daemon:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log (4090 bytes)
%Program Files% (x86)\WinPcap\rpcapd.vir (622 bytes)
%Program Files% (x86)\WinPcap\rpcapd.exe (4185 bytes)
The Virus deletes the following file(s):
%Program Files% (x86)\WinPcap\rpcapd.vir (0 bytes)
Registry activity
The process %original file name%.exe:1836 makes changes in the system registry.
The Virus creates and/or sets the following values in the system registry. All five Internet Explorer security zones (0 My Computer, 1 Local Intranet, 2 Trusted Sites, 3 Internet, 4 Restricted Sites) receive the same three settings, each set to 0 (Enable): 1406 (access data sources across domains), 1609 (display mixed content) and 2103 (allow status bar updates via script):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1406" = "0"
"1609" = "0"
"2103" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1406" = "0"
"1609" = "0"
"2103" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1406" = "0"
"1609" = "0"
"2103" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1406" = "0"
"1609" = "0"
"2103" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1406" = "0"
"1609" = "0"
"2103" = "0"
The process mscorsvw.exe:1624 makes changes in the system registry.
The Virus, running inside the rewritten mscorsvw.exe, creates and/or sets the following value, which silences Windows Security Center notifications for the logged-on user's SID in the 32-bit registry view:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-2858020935-2156992550-3658131804-1003]
"EnableNotifications" = "0"
The process msiexec.exe:2272 makes changes in the system registry.
The Virus, running inside the rewritten msiexec.exe, sets the same value in the native 64-bit registry view:
[HKLM\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2858020935-2156992550-3658131804-1003]
"EnableNotifications" = "0"
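The file and registry artefacts above translate directly into host triage checks. The following PowerShell script is an added example for readers of this report, not part of the Lavasoft analysis output: it verifies the Authenticode status of every executable the report shows being rewritten, looks for leftover .vir staging copies, and flags the Security Center and Internet Explorer zone values listed in the Registry activity section. It assumes PowerShell 4.0 or later in an elevated prompt on a 64-bit Windows installation laid out like the analysis VM (Windows 7 SP1 x64); the WinPcap path only exists where WinPcap is installed.

```powershell
<#
  Triage checks for a host suspected of carrying this Expiro variant, built from
  the File activity and Registry activity sections of the report. Added example,
  not Lavasoft output. Assumes PowerShell 4.0+, elevated, 64-bit Windows.
#>

# SHA256 of the analysed sample, taken from the Summary section of the report.
$ReportSha256 = 'c8f0ae279826b9ea4a94db34b19c85a0af73c00e4cac6b137833d65ba3073d4c'

# Executables the report shows being rewritten by the infected process.
$Targets = @(
    "$env:SystemRoot\System32\UI0Detect.exe"
    "$env:SystemRoot\System32\alg.exe"
    "$env:SystemRoot\System32\msiexec.exe"
    "$env:SystemRoot\System32\snmptrap.exe"
    "$env:SystemRoot\System32\sppsvc.exe"
    "$env:SystemRoot\System32\vds.exe"
    "$env:SystemRoot\System32\VSSVC.exe"
    "$env:SystemRoot\System32\FXSSVC.exe"
    "$env:SystemRoot\System32\wbengine.exe"
    "$env:SystemRoot\System32\wbem\WmiApSrv.exe"
    "$env:SystemRoot\System32\Wat\WatAdminSvc.exe"
    "$env:SystemRoot\SysWOW64\svchost.exe"
    "$env:SystemRoot\SysWOW64\msiexec.exe"
    "$env:SystemRoot\SysWOW64\dllhost.exe"
    "$env:SystemRoot\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe"
    "$env:SystemRoot\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"
    "$env:SystemRoot\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe"
    "$env:SystemRoot\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
    "$env:ProgramFiles\Internet Explorer\iexplore.exe"
    "${env:ProgramFiles(x86)}\WinPcap\rpcapd.exe"
)

function Test-ReportSample {
    # True when the file's SHA256 matches the sample analysed in this report.
    param([Parameter(Mandatory = $true)][string]$Path)
    return ((Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash -ieq $ReportSha256)
}

function Get-TargetSignatureStatus {
    # Authenticode status of each rewritten executable. HashMismatch on a file that
    # still carries a Microsoft signature is a strong infection indicator. Caveat:
    # many System32 binaries are catalog-signed, and on Windows 7 this cmdlet reports
    # those as NotSigned even when clean, so confirm with 'sfc /verifyonly'.
    foreach ($path in $Targets) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $path
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        [pscustomobject]@{ Path = $path; Status = $sig.Status; Signer = $signer }
    }
}

function Find-VirStagingFiles {
    # The report shows a <name>.vir copy written beside every target and deleted once
    # the .exe has been rewritten; a leftover .vir points at an interrupted infection.
    $dirs = $Targets | Split-Path -Parent | Sort-Object -Unique |
        Where-Object { Test-Path -LiteralPath $_ }
    if (-not $dirs) { return }
    Get-ChildItem -LiteralPath $dirs -Filter '*.vir' -File -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

function Get-TamperedRegistryValues {
    # Security Center notifications switched off per user SID (native and Wow6432Node
    # views), and IE zone settings 1406/1609/2103 forced to 0 (Enable). 0 is the
    # legitimate default for some of these in lower-security zones, so weigh the
    # full pattern across all five zones rather than any single hit.
    $hits = @()
    foreach ($root in 'HKLM:\SOFTWARE\Microsoft\Security Center\Svc',
                      'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc') {
        foreach ($sidKey in (Get-ChildItem -Path $root -ErrorAction SilentlyContinue)) {
            $data = (Get-ItemProperty -Path $sidKey.PSPath -Name EnableNotifications -ErrorAction SilentlyContinue).EnableNotifications
            if ($data -eq 0) { $hits += [pscustomobject]@{ Key = $sidKey.Name; Value = 'EnableNotifications'; Data = $data } }
        }
    }
    $zones = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    foreach ($zone in 0..4) {
        $key = "$zones\$zone"
        foreach ($name in '1406', '1609', '2103') {
            $data = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            if ($null -ne $data -and $data -eq 0) { $hits += [pscustomobject]@{ Key = $key; Value = $name; Data = $data } }
        }
    }
    return $hits
}

'== Authenticode status of executables the report shows being rewritten =='
Get-TargetSignatureStatus | Format-Table -AutoSize
'== Leftover .vir staging copies =='
Find-VirStagingFiles | Format-Table -AutoSize
'== Registry values matching the report =='
Get-TamperedRegistryValues | Format-Table -AutoSize
```

Test-ReportSample identifies the dropper itself when a suspect file is at hand; the other three functions cover the infected host. Do not delete the flagged executables: svchost.exe, msiexec.exe, sppsvc.exe, VSSVC.exe and the mscorsvw.exe hosts are Windows components, so stop the infected processes and then restore the binaries from the component store with sfc /scannow (or from known-good media) before re-running the checks.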
Network activity (URLs)
No activity has been detected.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
mscorsvw.exe:2976
mscorsvw.exe:1624
msiexec.exe:2272
- Delete the original Virus file.
- Disinfect or restore the following files created/modified by the Virus. Most of them are Windows service binaries (svchost.exe, msiexec.exe, sppsvc.exe, VSSVC.exe and the .NET mscorsvw.exe hosts among them); deleting them breaks the system, so replace them from the Windows component store (sfc /scannow) or from a known-good installation instead. The .vir staging copies will normally already be gone, since the Virus deletes them after rewriting each executable:
C:\Windows\System32\wbem\wmiApsrv.vir (715 bytes)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.vir (636 bytes)
C:\Windows\SysWOW64\svchost.vir (532 bytes)
C:\Windows\System32\UI0Detect.exe (3361 bytes)
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe (4185 bytes)
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (4185 bytes)
C:\Windows\System32\wbengine.vir (2 bytes)
C:\Windows\SysWOW64\msiexec.exe (3361 bytes)
C:\Windows\SysWOW64\svchost.exe (3361 bytes)
C:\Windows\System32\Wat\watAdminsvc.vir (1 bytes)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (4185 bytes)
C:\Windows\System32\sppsvc.exe (30427 bytes)
C:\Windows\System32\snmptrap.vir (526 bytes)
C:\Windows\System32\snmptrap.exe (3361 bytes)
C:\Windows\SysWOW64\msiexec.vir (585 bytes)
C:\Windows\System32\sppsvc.vir (4 bytes)
C:\Windows\System32\wbem\WmiApSrv.exe (4545 bytes)
C:\Windows\System32\vssvc.vir (2 bytes)
C:\Windows\System32\vds.vir (1 bytes)
C:\Windows\System32\wbengine.exe (14988 bytes)
C:\Windows\System32\Wat\WatAdminSvc.exe (11518 bytes)
%Program Files%\Internet Explorer\iexplore.exe (7971 bytes)
C:\Windows\System32\fxssvc.vir (1 bytes)
C:\Windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir (572 bytes)
C:\Windows\System32\msiexec.exe (4185 bytes)
C:\Windows\System32\msiexec.vir (640 bytes)
C:\Windows\System32\VSSVC.exe (15116 bytes)
C:\Windows\SysWOW64\dllhost.vir (519 bytes)
C:\Windows\System32\alg.vir (591 bytes)
C:\Windows\SysWOW64\dllhost.exe (3073 bytes)
C:\Windows\System32\ui0detect.vir (552 bytes)
C:\Windows\System32\FXSSVC.exe (7726 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (3361 bytes)
C:\Windows\System32\alg.exe (4185 bytes)
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.vir (644 bytes)
C:\Windows\Microsoft.NET\framework64\v2.0.50727\mscorsvw.vir (595 bytes)
C:\Windows\System32\vds.exe (7385 bytes)
%Program Files%\Internet Explorer\iexplore.vir (1 bytes)
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log (4759 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log (4090 bytes)
%Program Files% (x86)\WinPcap\rpcapd.vir (622 bytes)
%Program Files% (x86)\WinPcap\rpcapd.exe (4185 bytes)
- Reboot the computer.