W32/Expiro-H

Category:	Viruses and Spyware	Protection available since:	08 Mar 2011 05:55:33 (GMT)
Type:	Win32 executable file virus	Last Updated:	05 Jun 2013 14:12:35 (GMT)
Prevalence:

Download our free Virus Removal Tool - Find and remove threats your antivirus missed

W32/Expiro-H is a file infector for the Windows platform.

Expiro is a family of polymorphic file infectors, meaning that the viral code inserted into each infected file is unique, while still maintaining the same malicious functionality.

The viral payload includes functionality to inject malicious code into web pages visited as well as steal login credentials.

As W32/Expiro-H is a file infector, any filename is fair game.

Additionally, the W32/Expiro-H infection routine has additional code to handle files protected by System File Checker (SFC).

The W32/Expiro-H code also appears to use files named as below in the APPDATA directory as small data files (i.e. not DLLs, though they have a .dll extension), where the [0-9] represent a single digit between 0 and 9:

'kf[0-9][0-9]z32.dll'

'dfl[0-9][0-9]z32.dll'

'wsr[0-9][0-9]zt32.dll'

Notably, W32/Expiro-H does not create any registry keys. Instead, to achieve persistance, the infection routine ensures that it initially infects at least one executable file that already has a pre-existing RunKey associated.

If W32/Expiro-H attempts to infect SAV files, this will trigger

HIPS/FileWriteMod-003

Examples of W32/Expiro-H include:

Example 1

File Information

Size: 238K
SHA-1: 0000ab901cbfb66fd965cf9eaa930ee1fc4687bf
MD5: 9be50fe744523a0fee21e0f6c16069b1
CRC-32: 09d7dcd6
File type: Windows executable
First seen: 2011-04-26

Runtime Analysis

Dropped Files

C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{3E1B65FC-E440-45D2-A936-27A87D6B8E9E}.crmlog
Size
1.0M
SHA-1
207de5ac20f06303393f7644d77d0d2eb79e32ab
MD5
3a876ab8bd7b5f643f30d745e0097f95
CRC-32
62bcfbd4
File type
A ASCII/UTF-8 file with a very small filesize (too small to be malicious)
First seen
2011-04-26

Modified Files

%SYSTEM%\dllhost.exe
- Changed the file contents
%SYSTEM%\locator.exe
- Changed the file contents
%SYSTEM%\tlntsvr.exe
- Changed the file contents
%SYSTEM%\dmadmin.exe
- Changed the file contents
%SYSTEM%\smlogsvc.exe
- Changed the file contents
%SYSTEM%\msiexec.exe
- Changed the file contents
%SYSTEM%\netdde.exe
- Changed the file contents
%SYSTEM%\clipsrv.exe
- Changed the file contents
%SYSTEM%\rsvp.exe
- Changed the file contents
%SYSTEM%\msdtc.exe
- Changed the file contents
%SYSTEM%\alg.exe
- Changed the file contents
%SYSTEM%\wbem\wmiapsrv.exe
- Changed the file contents
%SYSTEM%\ups.exe
- Changed the file contents
%SYSTEM%\imapi.exe
- Changed the file contents
%SYSTEM%\mnmsrvc.exe
- Changed the file contents
%SYSTEM%\vssvc.exe
- Changed the file contents
%SYSTEM%\sessmgr.exe
- Changed the file contents
%SYSTEM%\cisvc.exe
- Changed the file contents
%SYSTEM%\spoolsv.exe
- Changed the file contents
%SYSTEM%\cmd.exe
- Changed the file contents
%SYSTEM%\scardsvr.exe
- Changed the file contents

Registry Keys Created

HKLM\SYSTEM\CurrentControlSet\Services\CiSvc\Enum
0
Root\LEGACY_CISVC\0000
HKLM\SYSTEM\CurrentControlSet\Services\ClipSrv\Enum
0
Root\LEGACY_CLIPSRV\0000

Registry Keys Modified

HKLM\SYSTEM\CurrentControlSet\Services\dmadmin
Type
0x00000120
HKLM\SYSTEM\CurrentControlSet\Services\RSVP
Type
0x00000110
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Type
0x00000110
HKLM\SYSTEM\CurrentControlSet\Services\MSIServer
Type
0x00000120
HKLM\SYSTEM\CurrentControlSet\Services\NetDDE
Start
0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\mnmsrvc
Start
0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\CiSvc
Start
0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\VSS
Type
0x00000110
HKLM\SYSTEM\CurrentControlSet\Services\RDSessMgr
Start
0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\COMSysApp
Start
0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\Spooler
Start
0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\ClipSrv
Start
0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\ImapiService
Start
0x00000002

Processes Created

c:\windows\system32\cisvc.exe
c:\windows\system32\dllhost.exe

Example 2

File Information

Size: 447K
SHA-1: 00010c89b7f6973c2716351c244138b80cab0144
MD5: 58f7cfd05b7d9103162adeb09d29be3b
CRC-32: df9196f9
File type: Windows executable
First seen: 2011-04-20

Runtime Analysis

Dropped Files

c:\Documents and Settings\test user\Local Settings\Application Data\wsr18zt32.dll
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{7B587C61-4829-4D0E-99D1-30381380DAE6}.crmlog
Size
1.0M
SHA-1
e7ddfae969a8b87f3ae2537af733e6f1eda755ba
MD5
4b6757d15325535962a3209fb9d398c0
CRC-32
57c56971
File type
A ASCII/UTF-8 file with a very small filesize (too small to be malicious)
First seen
2011-04-20

Modified Files

%SYSTEM%\tourstart.exe
- Changed the file contents
%PROGRAM FILES%\Windows Media Player\wmplayer.exe
- Changed the file contents
%SYSTEM%\dllhost.exe
- Changed the file contents
%SYSTEM%\netdde.exe
- Changed the file contents
%SYSTEM%\clipsrv.exe
- Changed the file contents
%SYSTEM%\narrator.exe
- Changed the file contents
%SYSTEM%\mobsync.exe
- Changed the file contents
%WINDOWS%\regedit.exe
- Changed the file contents
%PROGRAM FILES%\Outlook Express\msimn.exe
- Changed the file contents
%SYSTEM%\ups.exe
- Changed the file contents
%SYSTEM%\msdtc.exe
- Changed the file contents
%SYSTEM%\vssvc.exe
- Changed the file contents
%SYSTEM%\imapi.exe
- Changed the file contents
%SYSTEM%\sessmgr.exe
- Changed the file contents
%SYSTEM%\osk.exe
- Changed the file contents
%SYSTEM%\cisvc.exe
- Changed the file contents
%SYSTEM%\tlntsvr.exe
- Changed the file contents
%SYSTEM%\locator.exe
- Changed the file contents
%PROGRAM FILES%\Outlook Express\wab.exe
- Changed the file contents
%SYSTEM%\smlogsvc.exe
- Changed the file contents
%PROGRAM FILES%\notepadpp\notepad++.exe
- Changed the file contents
%SYSTEM%\msiexec.exe
- Changed the file contents
%SYSTEM%\dmadmin.exe
- Changed the file contents
%PROGRAM FILES%\Internet Explorer\iexplore.exe
- Changed the file contents
%SYSTEM%\magnify.exe
- Changed the file contents
%SYSTEM%\rcimlby.exe
- Changed the file contents
%SYSTEM%\alg.exe
- Changed the file contents
C:\bin\_PX.exe
- Changed the file contents
%SYSTEM%\rsvp.exe
- Changed the file contents
%SYSTEM%\utilman.exe
- Changed the file contents
%SYSTEM%\wbem\wmiapsrv.exe
- Changed the file contents
%SYSTEM%\mnmsrvc.exe
- Changed the file contents
%SYSTEM%\notepad.exe
- Changed the file contents
%SYSTEM%\spoolsv.exe
- Changed the file contents
%SYSTEM%\cmd.exe
- Changed the file contents
%SYSTEM%\scardsvr.exe
- Changed the file contents

Registry Keys Created

HKLM\SYSTEM\CurrentControlSet\Services\CiSvc\Enum
Count
0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
2103
0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
2103
0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\VSS\Enum
NextInstance
0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\ImapiService\Enum
0
Root\LEGACY_IMAPISERVICE\0000
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
2103
0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
2103
0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
2103
0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\ClipSrv\Enum
Count
0x00000001

Registry Keys Modified

HKLM\SYSTEM\CurrentControlSet\Services\NetDDE
Start
0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\VSS
Type
0x00000110
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
1406
0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
1609
0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\COMSysApp
Start
0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\Spooler
Start
0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\ImapiService
Start
0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\MSIServer
Type
0x00000120
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Type
0x00000110
HKLM\SYSTEM\CurrentControlSet\Services\RSVP
Type
0x00000110
HKLM\SYSTEM\CurrentControlSet\Services\mnmsrvc
Start
0x00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1609
0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\RDSessMgr
Start
0x00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
1609
0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\ClipSrv
Start
0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\CiSvc
Start
0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\dmadmin
Type
0x00000120

Processes Created

c:\windows\system32\cisvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\imapi.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\vssvc.exe

Example 3

File Information

Size: 192K
SHA-1: 00017c1f2fa87e03f3fd34da86e0bb32a06ee4c4
MD5: a5cb9c91da38046cbf81f50ae5d4d81f
CRC-32: 43457173
File type: Windows executable
First seen: 2012-03-27

Runtime Analysis

Dropped Files

c:\Documents and Settings\test user\Local Settings\Application Data\wsr24zt32.dll

Modified Files

%SYSTEM%\vssvc.exe
- Changed the file contents
%SYSTEM%\rsvp.exe
- Changed the file contents
%WINDOWS%\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
- Changed the file contents
%PROGRAM FILES%\Outlook Express\wab.exe
- Changed the file contents
%SYSTEM%\charmap.exe
- Changed the file contents
%SYSTEM%\sol.exe
- Changed the file contents
%SYSTEM%\mshearts.exe
- Changed the file contents
%PROGRAM FILES%\Windows Media Player\wmplayer.exe
- Changed the file contents
%SYSTEM%\calc.exe
- Changed the file contents
%SYSTEM%\tlntsvr.exe
- Changed the file contents
%PROGRAM FILES%\notepadpp\notepad++.exe
- Changed the file contents
%SYSTEM%\smlogsvc.exe
- Changed the file contents
%SYSTEM%\mspaint.exe
- Changed the file contents
%SYSTEM%\mnmsrvc.exe
- Changed the file contents
%SYSTEM%\cleanmgr.exe
- Changed the file contents
%SYSTEM%\osk.exe
- Changed the file contents
%SYSTEM%\locator.exe
- Changed the file contents
%PROGRAM FILES%\Windows NT\Accessories\wordpad.exe
- Changed the file contents
%SYSTEM%\accwiz.exe
- Changed the file contents
%WINDOWS%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
- Changed the file contents
%SYSTEM%\sndrec32.exe
- Changed the file contents
%SYSTEM%\netdde.exe
- Changed the file contents
%WINDOWS%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
- Changed the file contents
%WINDOWS%\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
- Changed the file contents
%SYSTEM%\mstsc.exe
- Changed the file contents
%SYSTEM%\Restore\rstrui.exe
- Changed the file contents
%SYSTEM%\spider.exe
- Changed the file contents
%SYSTEM%\narrator.exe
- Changed the file contents
%SYSTEM%\mobsync.exe
- Changed the file contents
%PROGRAM FILES%\Outlook Express\msimn.exe
- Changed the file contents
%WINDOWS%\regedit.exe
- Changed the file contents
%SYSTEM%\clipsrv.exe
- Changed the file contents
%SYSTEM%\msdtc.exe
- Changed the file contents
%SYSTEM%\imapi.exe
- Changed the file contents
%WINDOWS%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
- Changed the file contents
%PROGRAM FILES%\Java\jre6\bin\jqs.exe
- Changed the file contents
%SYSTEM%\sessmgr.exe
- Changed the file contents
%SYSTEM%\usmt\migwiz.exe
- Changed the file contents
%SYSTEM%\ntbackup.exe
- Changed the file contents
%PROGRAM FILES%\Windows NT\Pinball\pinball.exe
- Changed the file contents
%SYSTEM%\cisvc.exe
- Changed the file contents
%SYSTEM%\rcimlby.exe
- Changed the file contents
%SYSTEM%\dmadmin.exe
- Changed the file contents
%SYSTEM%\magnify.exe
- Changed the file contents
%SYSTEM%\freecell.exe
- Changed the file contents
%SYSTEM%\msiexec.exe
- Changed the file contents
%SYSTEM%\winmine.exe
- Changed the file contents
%SYSTEM%\wbem\wmiapsrv.exe
- Changed the file contents
%SYSTEM%\utilman.exe
- Changed the file contents
%SYSTEM%\sndvol32.exe
- Changed the file contents
%SYSTEM%\odbcad32.exe
- Changed the file contents
%SYSTEM%\alg.exe
- Changed the file contents
%WINDOWS%\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
- Changed the file contents
%SYSTEM%\scardsvr.exe
- Changed the file contents
%SYSTEM%\spoolsv.exe
- Changed the file contents
%SYSTEM%\cmd.exe
- Changed the file contents

Registry Keys Created

HKLM\SYSTEM\CurrentControlSet\Services\CiSvc\Enum
0
Root\LEGACY_CISVC\0000
HKLM\SYSTEM\CurrentControlSet\Services\ClipSrv\Enum
0
Root\LEGACY_CLIPSRV\0000

Registry Keys Modified

HKLM\SYSTEM\CurrentControlSet\Services\idsvc
Start
0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\NetDDE
Start
0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\dmadmin
Type
0x00000120
HKLM\SYSTEM\CurrentControlSet\Services\VSS
Start
0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\Spooler
Start
0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\clr_optimization_v4.0.30319_32
Type
0x00000110
HKLM\SYSTEM\CurrentControlSet\Services\ImapiService
Type
0x00000110
HKLM\SYSTEM\CurrentControlSet\Services\swi_update
Type
0x00000110
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\JavaQuickStarterService
Start
0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\MSIServer
Start
0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\SAVAdminService
Start
0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\RSVP
Type
0x00000110
HKLM\SYSTEM\CurrentControlSet\Services\mnmsrvc
Start
0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\RDSessMgr
Start
0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\CiSvc
Start
0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\swi_service
Start
0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\clr_optimization_v2.0.50727_32
Type
0x00000110
HKLM\SYSTEM\CurrentControlSet\Services\Sophos AutoUpdate Service
Type
0x00000110
HKLM\SYSTEM\CurrentControlSet\Services\ClipSrv
Start
0x00000002

Processes Created

c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe
c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe
c:\windows\system32\cisvc.exe
c:\windows\system32\dmadmin.exe

Try Sophos products for free
Download now

Security Goals

INDUSTRIES & SECTORS

COMPANY SIZE

PRODUCT FEATURES

CASE STUDIES

Company Overview

Our People

INNOVATIVE TECHNOLOGY

ALERT SERVICES

Product Features

Product Families

Complete Security

PRODUCTS BY NAME

Free Tools

Next Steps

RESOURCES

FIND AN ANSWER

Support by Product

Maintain your Product

Hire an Expert

WHAT'S POPULAR

THREAT ANALYSIS

THREAT STATISTICS

WHAT'S POPULAR

Threat Definitions

THREAT MONITORING

SECURITY HUBS

LIBRARY

Whats Popular

WHAT'S NEW

Community

IT SECURITY TRAINING

ANATOMY OF AN ATTACK

RESELLER PARTNERS

Managed Service Providers

SYSTEM INTEGRATORS

OEM and Technology

WHAT'S POPULAR

W32/Expiro-H

Example 1

File Information

Runtime Analysis

Dropped Files

Modified Files

Registry Keys Created

Registry Keys Modified

Processes Created

Example 2

File Information

Runtime Analysis

Dropped Files

Modified Files

Registry Keys Created

Registry Keys Modified

Processes Created

Example 3

File Information

Runtime Analysis

Dropped Files

Modified Files

Registry Keys Created

Registry Keys Modified

Processes Created

Free Mac Anti-Virus

Popular topics