About:
W32/Expiro-H is a file infector for the Windows platform. Expiro is a family of polymorphic file infectors, meaning that the viral code inserted into each infected file is unique, while still maintaining the same malicious functionality.
The viral payload can inject malicious code into web pages visited as well as steal login credentials.
As W32/Expiro-H is a file infector, any filename is fair game. Additionally, the W32/Expiro-H infection routine contains code to handle files protected by System File Checker (SFC).
The W32/Expiro-H code also appears to use files with the names below in the APPDATA directory as small data files (they are not DLLs, despite the .dll extension), where each [0-9] represents a single digit between 0 and 9:
'kf[0-9][0-9]z32.dll'
'dfl[0-9][0-9]z32.dll'
'wsr[0-9][0-9]zt32.dll'
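A defender can turn the three filename patterns above into a simple check: walk the APPDATA directory, pick out files whose names match, and flag those that lack the 'MZ' header a genuine DLL would carry. The script below is an added example written for this page, not Sophos detection code; it assumes each `[0-9]` is exactly one decimal digit (as the patterns state) and, for an offline run, builds a constructed sample directory in place of a real APPDATA tree.

```python
import os
import re
import tempfile
from pathlib import Path

# Filename patterns quoted in the advisory; [0-9][0-9] is two decimal digits.
EXPIRO_NAME_PATTERNS = [
    re.compile(r"^kf[0-9]{2}z32\.dll$", re.IGNORECASE),
    re.compile(r"^dfl[0-9]{2}z32\.dll$", re.IGNORECASE),
    re.compile(r"^wsr[0-9]{2}zt32\.dll$", re.IGNORECASE),
]


def is_pe_file(path):
    """True if the file begins with the 'MZ' DOS header, i.e. looks like a real PE/DLL."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def find_expiro_data_files(appdata_dir):
    """Return sorted (full_path, is_pe) pairs for files whose basename matches
    one of the Expiro data-file patterns anywhere under appdata_dir."""
    hits = []
    for root, _dirs, files in os.walk(appdata_dir):
        for name in files:
            if any(p.match(name) for p in EXPIRO_NAME_PATTERNS):
                full = os.path.join(root, name)
                hits.append((full, is_pe_file(full)))
    return sorted(hits)


def suspicious_names(appdata_dir):
    """Basenames of matches that are NOT PE images: the advisory's artefact,
    a small data file wearing a .dll name."""
    return sorted(os.path.basename(p) for p, is_pe in find_expiro_data_files(appdata_dir) if not is_pe)


def build_demo_appdata():
    """Constructed sample tree for an offline run (not taken from a real infection)."""
    base = tempfile.mkdtemp(prefix="appdata_demo_")
    Path(base, "kf07z32.dll").write_bytes(b"\x00\x01\x02\x03 opaque bytes")  # matches, not PE
    Path(base, "sub").mkdir()
    Path(base, "sub", "wsr42zt32.dll").write_bytes(b"\xde\xad\xbe\xef")      # matches, not PE
    Path(base, "dfl3z32.dll").write_bytes(b"x")                              # one digit only: no match
    Path(base, "kf99z32.dll").write_bytes(b"MZ" + b"\x00" * 62)              # matches name, real PE header
    Path(base, "legit.dll").write_bytes(b"MZ\x90\x00")                       # unrelated DLL
    return base


if __name__ == "__main__":
    # On a live Windows host you would pass os.environ["APPDATA"] instead of the demo tree.
    demo = build_demo_appdata()
    for path, is_pe in find_expiro_data_files(demo):
        verdict = "PE image" if is_pe else "NOT a PE image -> suspicious data file"
        print(f"{path}: {verdict}")
```

A name match alone is only a weak signal; the combination of a matching name and a missing PE header is what corresponds to the artefact the advisory describes, which is why `suspicious_names` reports only that subset.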
Notably, W32/Expiro-H does not create any registry keys. Instead, to achieve persistence, the infection routine ensures that it initially infects at least one executable file that already has a pre-existing Run key associated with it.
If W32/Expiro-H attempts to infect Sophos Anti-Virus core files, this will trigger the rule HIPS/FileWriteMod-003.