W32/ExpiroMem-A

Category: Viruses and Spyware
Type: Win32 executable file virus
Prevalence: Small Number of Reports
Protection available since: 17 Jul 2013 16:50:13 (GMT)
Last Updated: 17 Jul 2013 16:50:13 (GMT)


Examples of W32/ExpiroMem-A include:

Example 1

File Information

Size
564K
SHA-1
26faba5f4909235ef7bc03560375aa0e77dffdc3
MD5
a2350d98aa93e183a44700192adc26fc
CRC-32
9b154c8d
File type
Windows executable
First seen
2013-07-11

Other vendor detection

Avira
TR/Meredrop.A.7855

Runtime Analysis

Modified Files
  • %SYSTEM%\mobsync.exe
    • Changed the file contents
  • %WINDOWS%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    • Changed the file contents
  • %WINDOWS%\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
    • Changed the file contents
  • %PROGRAM FILES%\notepadpp\notepad++.exe
    • Changed the file contents
  • %SYSTEM%\tlntsvr.exe
    • Changed the file contents
  • %SYSTEM%\spoolsv.exe
    • Changed the file contents
  • %WINDOWS%\regedit.exe
    • Changed the file contents
  • %SYSTEM%\cmd.exe
    • Changed the file contents
  • %WINDOWS%\Temp\Sophos Web Intelligence Install.log
    • Changed the file contents
  • %PROGRAM FILES%\Java\jre6\bin\jqs.exe
    • Changed the file contents
  • %SYSTEM%\smlogsvc.exe
    • Changed the file contents
  • %SYSTEM%\cisvc.exe
    • Changed the file contents
  • %SYSTEM%\imapi.exe
    • Changed the file contents
  • %SYSTEM%\narrator.exe
    • Changed the file contents
  • %WINDOWS%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
    • Changed the file contents
  • %WINDOWS%\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
    • Changed the file contents
  • %SYSTEM%\msiexec.exe
    • Changed the file contents
  • %SYSTEM%\sessmgr.exe
    • Changed the file contents
  • %SYSTEM%\netdde.exe
    • Changed the file contents
  • %SYSTEM%\vssvc.exe
    • Changed the file contents
  • %SYSTEM%\clipsrv.exe
    • Changed the file contents
  • %PROGRAM FILES%\Outlook Express\wab.exe
    • Changed the file contents
  • %SYSTEM%\locator.exe
    • Changed the file contents
  • %SYSTEM%\scardsvr.exe
    • Changed the file contents
  • %SYSTEM%\mnmsrvc.exe
    • Changed the file contents
  • %SYSTEM%\magnify.exe
    • Changed the file contents
  • %SYSTEM%\alg.exe
    • Changed the file contents
  • %PROGRAM FILES%\Outlook Express\msimn.exe
    • Changed the file contents
  • %SYSTEM%\wbem\wmiapsrv.exe
    • Changed the file contents
  • %SYSTEM%\osk.exe
    • Changed the file contents
  • %SYSTEM%\dmadmin.exe
    • Changed the file contents
  • %PROGRAM FILES%\Windows Media Player\wmplayer.exe
    • Changed the file contents
  • %SYSTEM%\utilman.exe
    • Changed the file contents
  • %WINDOWS%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    • Changed the file contents
Registry Keys Created
  • HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr\Enum
    NextInstance
    0x00000001
  • HKLM\SYSTEM\CurrentControlSet\Services\NtLmSsp\Enum
    NextInstance
    0x00000001
Registry Keys Modified
  • HKLM\SYSTEM\CurrentControlSet\Services\clr_optimization_v2.0.50727_32
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\CiSvc
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\swi_service
    Start
    0x00000002
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    Personal
  • HKLM\SYSTEM\CurrentControlSet\Services\swi_update
    Type
    0x00000110
  • HKLM\SYSTEM\CurrentControlSet\Services\ClipSrv
    Type
    0x00000110
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    Personal

Example 2

File Information

Size
529K
SHA-1
b9ddccb22677f659973275ef2b31e50ca870245b
MD5
432015a84eec6f9993aadacf0d5a71ce
CRC-32
38b5abaa
File type
Windows executable
First seen
2013-07-05

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Application Data\wsr28zt32.dll
Modified Files
  • %SYSTEM%\vssvc.exe
    • Changed the file contents
  • %SYSTEM%\sessmgr.exe
    • Changed the file contents
  • %SYSTEM%\mnmsrvc.exe
    • Changed the file contents
  • %SYSTEM%\mobsync.exe
    • Changed the file contents
  • %WINDOWS%\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
    • Changed the file contents
  • %SYSTEM%\imapi.exe
    • Changed the file contents
  • %PROGRAM FILES%\Outlook Express\msimn.exe
    • Changed the file contents
  • %PROGRAM FILES%\Java\jre6\bin\jqs.exe
    • Changed the file contents
  • %SYSTEM%\utilman.exe
    • Changed the file contents
  • %SYSTEM%\scardsvr.exe
    • Changed the file contents
  • %SYSTEM%\osk.exe
    • Changed the file contents
  • %SYSTEM%\cmd.exe
    • Changed the file contents
  • %SYSTEM%\cisvc.exe
    • Changed the file contents
  • %SYSTEM%\spoolsv.exe
    • Changed the file contents
  • %SYSTEM%\wbem\wmiapsrv.exe
    • Changed the file contents
  • %SYSTEM%\msiexec.exe
    • Changed the file contents
  • %SYSTEM%\locator.exe
    • Changed the file contents
  • %SYSTEM%\tlntsvr.exe
    • Changed the file contents
  • %SYSTEM%\alg.exe
    • Changed the file contents
  • %WINDOWS%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    • Changed the file contents
  • %PROGRAM FILES%\Windows Media Player\wmplayer.exe
    • Changed the file contents
  • %WINDOWS%\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
    • Changed the file contents
  • %WINDOWS%\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
    • Changed the file contents
  • %SYSTEM%\smlogsvc.exe
    • Changed the file contents
  • %WINDOWS%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
    • Changed the file contents
  • %SYSTEM%\netdde.exe
    • Changed the file contents
  • %SYSTEM%\dmadmin.exe
    • Changed the file contents
  • %SYSTEM%\narrator.exe
    • Changed the file contents
  • %SYSTEM%\magnify.exe
    • Changed the file contents
  • %SYSTEM%\clipsrv.exe
    • Changed the file contents
  • %PROGRAM FILES%\Outlook Express\wab.exe
    • Changed the file contents
  • %WINDOWS%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    • Changed the file contents
Registry Keys Created
  • HKLM\SYSTEM\CurrentControlSet\Services\ClipSrv\Enum
    NextInstance
    0x00000001
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    2103
    0x00000000
  • HKLM\SYSTEM\CurrentControlSet\Services\mnmsrvc\Enum
    NextInstance
    0x00000001
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    2103
    0x00000000
  • HKLM\SYSTEM\CurrentControlSet\Services\CiSvc\Enum
    NextInstance
    0x00000001
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    2103
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    2103
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    2103
    0x00000000
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKLM\SYSTEM\CurrentControlSet\Services\idsvc
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
    Start
    0x00000004
  • HKLM\SYSTEM\CurrentControlSet\Services\NetDDE
    Type
    0x00000120
  • HKLM\SYSTEM\CurrentControlSet\Services\VSS
    Type
    0x00000110
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKLM\SYSTEM\CurrentControlSet\Services\JavaQuickStarterService
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\Spooler
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\dmadmin
    Start
    0x00000002
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKLM\SYSTEM\CurrentControlSet\Services\ClipSrv
    Type
    0x00000110
  • HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\clr_optimization_v4.0.30319_32
    Type
    0x00000110
  • HKLM\SYSTEM\CurrentControlSet\Services\swi_update
    Type
    0x00000110
  • HKLM\SYSTEM\CurrentControlSet\Services\mnmsrvc
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\RDSessMgr
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\swi_service
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\clr_optimization_v2.0.50727_32
    Type
    0x00000110
  • HKLM\SYSTEM\CurrentControlSet\Services\CiSvc
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\MSIServer
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\Sophos AutoUpdate Service
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\ImapiService
    Start
    0x00000002
Processes Created
  • c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe
  • c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe
  • c:\windows\system32\cisvc.exe
  • c:\windows\system32\dmadmin.exe
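Both examples above list the same kind of evidence: system and third-party executables whose contents changed, a dropped DLL, and service configuration values rewritten under HKLM\SYSTEM\CurrentControlSet\Services. The added script below (an editorial example, not Sophos tooling or part of the original listing) parses a runtime-analysis listing in the page's own layout into a host triage checklist: modified .exe files to verify with Authenticode (a file infector that rewrites a signed binary invalidates its signature), non-executables to inspect, dropped files to collect, and service Start/Type values decoded into their Win32 meanings (Start 0x2 is automatic, 0x4 is disabled; Type 0x110 and 0x120 carry the SERVICE_INTERACTIVE_PROCESS flag). The excerpt embedded as SAMPLE is transcribed from a subset of Example 2; the expansion of %SYSTEM%, %WINDOWS% and %PROGRAM FILES% to C:\WINDOWS paths assumes the 32-bit Windows XP layout the sandbox paths suggest. Note that the listing also contains the analysis environment's own software (swi_service, swi_update, Sophos AutoUpdate Service, the two .log files); the script does not try to separate those from the virus's changes, it leaves that judgement to the analyst.

```python
"""Turn a Sophos runtime-analysis listing into a host triage checklist.

Added example, not Sophos tooling. SAMPLE is transcribed from the
W32/ExpiroMem-A page (subset of Example 2); PLACEHOLDERS assumes a 32-bit
Windows XP folder layout, which is an assumption, not something the page states.
"""

# Constructed excerpt in the page's own layout (subset of Example 2).
SAMPLE = """\
Dropped Files
  • c:\\Documents and Settings\\test user\\Local Settings\\Application Data\\wsr28zt32.dll
Modified Files
  • %SYSTEM%\\spoolsv.exe
    • Changed the file contents
  • %PROGRAM FILES%\\Java\\jre6\\bin\\jqs.exe
    • Changed the file contents
  • %WINDOWS%\\Microsoft.NET\\Framework\\v2.0.50727\\ngen_service.log
    • Changed the file contents
Registry Keys Modified
  • HKLM\\SYSTEM\\CurrentControlSet\\Services\\wscsvc
    Start
    0x00000004
  • HKLM\\SYSTEM\\CurrentControlSet\\Services\\NetDDE
    Type
    0x00000120
  • HKLM\\SYSTEM\\CurrentControlSet\\Services\\Spooler
    Start
    0x00000002
Processes Created
  • c:\\windows\\system32\\cisvc.exe
"""

# Assumed sandbox layout (32-bit Windows XP style paths).
PLACEHOLDERS = {
    "%SYSTEM%": r"C:\WINDOWS\system32",
    "%WINDOWS%": r"C:\WINDOWS",
    "%PROGRAM FILES%": r"C:\Program Files",
}

# Win32 service configuration values (SERVICE_* constants from winsvc.h).
START_TYPES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}
TYPE_FLAGS = {0x001: "kernel-driver", 0x002: "fs-driver", 0x010: "own-process",
              0x020: "shared-process", 0x100: "interactive"}


def parse_runtime_analysis(text):
    """Return {section: [{"path": str, "details": [str, ...]}, ...]}.

    Section headers sit at column 0; entries are '  • path'; lines indented
    beneath an entry are either '• note' bullets or a registry value name/data.
    """
    sections, current, entry = {}, None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            current, entry = raw.strip(), None
            sections[current] = []
        elif raw.startswith("  • ") and not raw.startswith("    "):
            entry = {"path": raw.strip()[1:].strip(), "details": []}
            sections[current].append(entry)
        elif entry is not None:
            entry["details"].append(raw.strip().lstrip("•").strip())
    return sections


def expand_path(path):
    for token, real in PLACEHOLDERS.items():
        path = path.replace(token, real)
    return path


def decode_service_change(key, name, data):
    """Render a Services\\<svc> value change as text, e.g. 'wscsvc Start=disabled'."""
    svc, value = key.rsplit("\\", 1)[-1], int(data, 16)
    if name == "Start":
        return f"{svc} Start={START_TYPES.get(value, hex(value))}"
    if name == "Type":
        flags = [label for bit, label in TYPE_FLAGS.items() if value & bit]
        return f"{svc} Type={'|'.join(flags) or hex(value)}"
    return f"{svc} {name}={data}"


def build_checklist(text):
    """Group the listing into what an analyst should do on a suspect host."""
    sections = parse_runtime_analysis(text)
    out = {"verify_signature": [], "inspect": [], "collect": [], "services": [], "alerts": []}
    for entry in sections.get("Modified Files", []):
        path = expand_path(entry["path"])
        # A rewritten PE should fail Authenticode (Get-AuthenticodeSignature); logs are just inspected.
        out["verify_signature" if path.lower().endswith(".exe") else "inspect"].append(path)
    for entry in sections.get("Dropped Files", []):
        out["collect"].append(entry["path"])
    for section in ("Registry Keys Created", "Registry Keys Modified"):
        for entry in sections.get(section, []):
            if "\\Services\\" in entry["path"] and len(entry["details"]) == 2:
                change = decode_service_change(entry["path"], *entry["details"])
                out["services"].append(change)
                if change.endswith("Start=disabled"):
                    out["alerts"].append(f"service disabled: {change.split()[0]}")
                if "interactive" in change:
                    out["alerts"].append(f"interactive service flag set: {change.split()[0]}")
    return out


if __name__ == "__main__":
    for bucket, items in build_checklist(SAMPLE).items():
        print(bucket)
        for item in items:
            print("   ", item)
```

Run it against the full Modified Files and Registry Keys sections of either example to get the complete checklist. The alert for wscsvc (the Windows Security Center service) being set to disabled is the one practitioners most want surfaced, since it is the change that silences the host's own warnings; the Authenticode check on the listed executables is the quickest way to confirm infection of a specific file on a live host.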
