Virus.Win32.Expiro_f40f74449c

by malwarelabrobot on January 22nd, 2014 in Malware Descriptions.

Virus.Win32.Expiro.ai (Kaspersky), Virus.Win32.Expiro.gen.a (v) (VIPRE), Virus.Win32.Expiro!IK (Emsisoft), VirusExpiro.YR (Lavasoft MAS)
Behaviour: Virus


This description has been generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
The sample was submitted by Lavasoft customers.


MD5: f40f74449ce2620779aa5a0a6be43638
SHA1: a04444b98b304d008f4ff1055c13a3553d7d3257
SHA256: c8f0ae279826b9ea4a94db34b19c85a0af73c00e4cac6b137833d65ba3073d4c
SSDeep: 12288:n8czaPNQOZglGmlh2HeXBlLBGDDwk2asHBTttBRS8aQH8v8sVeZ:813mlhOeX7LBcZS7BE86e
Size: 542208 bytes
File type: broken
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2008-04-13 21:33:36
Analyzed on: Windows7 SP1 64-bit


Summary:

Virus. A program that recursively replicates a possibly evolved copy of itself.

Payload

No specific payload has been found.

Process activity

The Virus creates the following process(es):

mscorsvw.exe:2976
mscorsvw.exe:1624
msiexec.exe:2272

The Virus injects its code into the following process(es):

%original file name%.exe:1836

File activity

The process %original file name%.exe:1836 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

C:\Windows\System32\wbem\wmiApsrv.vir (715 bytes)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.vir (636 bytes)
C:\Windows\SysWOW64\svchost.vir (532 bytes)
C:\Windows\System32\UI0Detect.exe (3361 bytes)
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe (4185 bytes)
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (4185 bytes)
C:\Windows\System32\wbengine.vir (2 bytes)
C:\Windows\SysWOW64\msiexec.exe (3361 bytes)
C:\Windows\SysWOW64\svchost.exe (3361 bytes)
C:\Windows\System32\Wat\watAdminsvc.vir (1 byte)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (4185 bytes)
C:\Windows\System32\sppsvc.exe (30427 bytes)
C:\Windows\System32\snmptrap.vir (526 bytes)
C:\Windows\System32\snmptrap.exe (3361 bytes)
C:\Windows\SysWOW64\msiexec.vir (585 bytes)
C:\Windows\System32\sppsvc.vir (4 bytes)
C:\Windows\System32\wbem\WmiApSrv.exe (4545 bytes)
C:\Windows\System32\vssvc.vir (2 bytes)
C:\Windows\System32\vds.vir (1 byte)
C:\Windows\System32\wbengine.exe (14988 bytes)
C:\Windows\System32\Wat\WatAdminSvc.exe (11518 bytes)
%Program Files%\Internet Explorer\iexplore.exe (7971 bytes)
C:\Windows\System32\fxssvc.vir (1 byte)
C:\Windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir (572 bytes)
C:\Windows\System32\msiexec.exe (4185 bytes)
C:\Windows\System32\msiexec.vir (640 bytes)
C:\Windows\System32\VSSVC.exe (15116 bytes)
C:\Windows\SysWOW64\dllhost.vir (519 bytes)
C:\Windows\System32\alg.vir (591 bytes)
C:\Windows\SysWOW64\dllhost.exe (3073 bytes)
C:\Windows\System32\ui0detect.vir (552 bytes)
C:\Windows\System32\FXSSVC.exe (7726 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (3361 bytes)
C:\Windows\System32\alg.exe (4185 bytes)
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.vir (644 bytes)
C:\Windows\Microsoft.NET\framework64\v2.0.50727\mscorsvw.vir (595 bytes)
C:\Windows\System32\vds.exe (7385 bytes)
%Program Files%\Internet Explorer\iexplore.vir (1 byte)

The Virus deletes the following file(s):

C:\Windows\System32\wbem\wmiApsrv.vir (0 bytes)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.vir (0 bytes)
C:\Windows\SysWOW64\svchost.vir (0 bytes)
C:\Windows\System32\wbengine.vir (0 bytes)
C:\Windows\System32\vds.vir (0 bytes)
C:\Windows\System32\Wat\watAdminsvc.vir (0 bytes)
C:\Windows\System32\snmptrap.vir (0 bytes)
C:\Windows\SysWOW64\msiexec.vir (0 bytes)
C:\Windows\System32\sppsvc.vir (0 bytes)
C:\Windows\System32\fxssvc.vir (0 bytes)
C:\Windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir (0 bytes)
C:\Windows\System32\vssvc.vir (0 bytes)
C:\Windows\System32\msiexec.vir (0 bytes)
C:\Windows\SysWOW64\dllhost.vir (0 bytes)
C:\Windows\System32\alg.vir (0 bytes)
C:\Windows\System32\ui0detect.vir (0 bytes)
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.vir (0 bytes)
C:\Windows\Microsoft.NET\framework64\v2.0.50727\mscorsvw.vir (0 bytes)
%Program Files%\Internet Explorer\iexplore.vir (0 bytes)

The process mscorsvw.exe:2976 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log (4759 bytes)

The process mscorsvw.exe:1624 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log (4090 bytes)
%Program Files% (x86)\WinPcap\rpcapd.vir (622 bytes)
%Program Files% (x86)\WinPcap\rpcapd.exe (4185 bytes)

The Virus deletes the following file(s):

%Program Files% (x86)\WinPcap\rpcapd.vir (0 bytes)

Registry activity

The process %original file name%.exe:1836 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1609" = "0"
"2103" = "0"
"1406" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1609" = "0"
"2103" = "0"
"1406" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1609" = "0"
"2103" = "0"
"1406" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1609" = "0"
"2103" = "0"
"1406" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1609" = "0"
"2103" = "0"
"1406" = "0"

The process mscorsvw.exe:1624 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-2858020935-2156992550-3658131804-1003]
"EnableNotifications" = "0"

The process msiexec.exe:2272 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2858020935-2156992550-3658131804-1003]
"EnableNotifications" = "0"

Network activity (URLs)

No activity has been detected.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    mscorsvw.exe:2976
    mscorsvw.exe:1624

  2. Delete the original Virus file.
  3. Delete or disinfect the following files created/modified by the Virus:

    C:\Windows\System32\wbem\wmiApsrv.vir (715 bytes)
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.vir (636 bytes)
    C:\Windows\SysWOW64\svchost.vir (532 bytes)
    C:\Windows\System32\UI0Detect.exe (3361 bytes)
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe (4185 bytes)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (4185 bytes)
    C:\Windows\System32\wbengine.vir (2 bytes)
    C:\Windows\SysWOW64\msiexec.exe (3361 bytes)
    C:\Windows\SysWOW64\svchost.exe (3361 bytes)
    C:\Windows\System32\Wat\watAdminsvc.vir (1 byte)
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (4185 bytes)
    C:\Windows\System32\sppsvc.exe (30427 bytes)
    C:\Windows\System32\snmptrap.vir (526 bytes)
    C:\Windows\System32\snmptrap.exe (3361 bytes)
    C:\Windows\SysWOW64\msiexec.vir (585 bytes)
    C:\Windows\System32\sppsvc.vir (4 bytes)
    C:\Windows\System32\wbem\WmiApSrv.exe (4545 bytes)
    C:\Windows\System32\vssvc.vir (2 bytes)
    C:\Windows\System32\vds.vir (1 byte)
    C:\Windows\System32\wbengine.exe (14988 bytes)
    C:\Windows\System32\Wat\WatAdminSvc.exe (11518 bytes)
    %Program Files%\Internet Explorer\iexplore.exe (7971 bytes)
    C:\Windows\System32\fxssvc.vir (1 byte)
    C:\Windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir (572 bytes)
    C:\Windows\System32\msiexec.exe (4185 bytes)
    C:\Windows\System32\msiexec.vir (640 bytes)
    C:\Windows\System32\VSSVC.exe (15116 bytes)
    C:\Windows\SysWOW64\dllhost.vir (519 bytes)
    C:\Windows\System32\alg.vir (591 bytes)
    C:\Windows\SysWOW64\dllhost.exe (3073 bytes)
    C:\Windows\System32\ui0detect.vir (552 bytes)
    C:\Windows\System32\FXSSVC.exe (7726 bytes)
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (3361 bytes)
    C:\Windows\System32\alg.exe (4185 bytes)
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.vir (644 bytes)
    C:\Windows\Microsoft.NET\framework64\v2.0.50727\mscorsvw.vir (595 bytes)
    C:\Windows\System32\vds.exe (7385 bytes)
    %Program Files%\Internet Explorer\iexplore.vir (1 byte)
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log (4759 bytes)
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log (4090 bytes)
    %Program Files% (x86)\WinPcap\rpcapd.vir (622 bytes)
    %Program Files% (x86)\WinPcap\rpcapd.exe (4185 bytes)

  4. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.