W32/Expiro-R

Category: Viruses and Spyware
Protection available since: 18 Dec 2013 21:56:22 (GMT)
Type: Win32 executable file virus
Last Updated: 18 Dec 2013 21:56:22 (GMT)
Prevalence: Small Number of Reports

W32/Expiro-R exhibits the following characteristics:

File Information

Size: 569K
SHA-1: 8b27bfebe96f8e42050912bc80ec550a1f4f11f7
MD5: fa57a5832b5b35433aa0e8d2071234c9
CRC-32: 332a70f1
File type: Windows executable
First seen: 2013-12-18

Other vendor detection

Avira: TR/Crypt.ZPACK.39402

Runtime Analysis

Modified Files
  • %WINDOWS%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    • Changed the file contents
  • %PROGRAM FILES%\Outlook Express\msimn.exe
    • Changed the file contents
  • %WINDOWS%\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
    • Changed the file contents
  • %PROGRAM FILES%\Java\jre6\bin\jqs.exe
    • Changed the file contents
  • %SYSTEM%\tlntsvr.exe
    • Changed the file contents
  • %SYSTEM%\clipsrv.exe
    • Changed the file contents
  • %SYSTEM%\locator.exe
    • Changed the file contents
  • %SYSTEM%\sessmgr.exe
    • Changed the file contents
  • %SYSTEM%\magnify.exe
    • Changed the file contents
  • %WINDOWS%\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
    • Changed the file contents
  • %SYSTEM%\utilman.exe
    • Changed the file contents
  • %SYSTEM%\cmd.exe
    • Changed the file contents
  • %SYSTEM%\smlogsvc.exe
    • Changed the file contents
  • %WINDOWS%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
    • Changed the file contents
  • %PROGRAM FILES%\Outlook Express\wab.exe
    • Changed the file contents
  • %SYSTEM%\wbem\wmiapsrv.exe
    • Changed the file contents
  • %SYSTEM%\cisvc.exe
    • Changed the file contents
  • %SYSTEM%\dmadmin.exe
    • Changed the file contents
  • %SYSTEM%\vssvc.exe
    • Changed the file contents
  • %SYSTEM%\narrator.exe
    • Changed the file contents
  • %SYSTEM%\mobsync.exe
    • Changed the file contents
  • %SYSTEM%\msiexec.exe
    • Changed the file contents
  • %SYSTEM%\netdde.exe
    • Changed the file contents
  • %SYSTEM%\imapi.exe
    • Changed the file contents
  • %SYSTEM%\osk.exe
    • Changed the file contents
  • %SYSTEM%\alg.exe
    • Changed the file contents
  • %SYSTEM%\scardsvr.exe
    • Changed the file contents
  • %SYSTEM%\spoolsv.exe
    • Changed the file contents
  • %SYSTEM%\mnmsrvc.exe
    • Changed the file contents
  • %WINDOWS%\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
    • Changed the file contents
  • %WINDOWS%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    • Changed the file contents
  • %PROGRAM FILES%\Windows Media Player\wmplayer.exe
    • Changed the file contents
Registry Keys Created
  • HKLM\SYSTEM\CurrentControlSet\Services\RDSessMgr\Enum
    NextInstance
    0x00000001
  • HKLM\SYSTEM\CurrentControlSet\Services\mnmsrvc\Enum
    NextInstance
    0x00000001
  • HKLM\SYSTEM\CurrentControlSet\Services\ClipSrv\Enum
    NextInstance
    0x00000001
  • HKLM\SYSTEM\CurrentControlSet\Services\CiSvc\Enum
    NextInstance
    0x00000001
  • HKLM\SYSTEM\CurrentControlSet\Services\idsvc\Enum
    NextInstance
    0x00000001
  • HKLM\SYSTEM\CurrentControlSet\Services\ImapiService\Enum
    NextInstance
    0x00000001
Registry Keys Modified
  • HKLM\SYSTEM\CurrentControlSet\Services\swi_update
    Type
    0x00000110
  • HKLM\SYSTEM\CurrentControlSet\Services\dmadmin
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\swi_service
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\VSS
    Type
    0x00000110
  • HKLM\SYSTEM\CurrentControlSet\Services\ImapiService
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\MSIServer
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\ClipSrv
    Type
    0x00000110
  • HKLM\SYSTEM\CurrentControlSet\Services\mnmsrvc
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\idsvc
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\NetDDE
    Type
    0x00000120
  • HKLM\SYSTEM\CurrentControlSet\Services\clr_optimization_v2.0.50727_32
    Type
    0x00000110
  • HKLM\SYSTEM\CurrentControlSet\Services\JavaQuickStarterService
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\CiSvc
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\RDSessMgr
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\Spooler
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\Sophos AutoUpdate Service
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\clr_optimization_v4.0.30319_32
    Type
    0x00000110
Processes Created
  • c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe
  • c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe
  • c:\windows\system32\cisvc.exe
  • c:\windows\system32\imapi.exe
  • c:\windows\system32\mnmsrvc.exe
