Virus: W32/Expiro.E
Date discovered: 18/04/2011
Type: File infector
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: No
VDF version: 7.11.06.168 - Monday, April 18, 2011
IVDF version: 7.11.06.168 - Monday, April 18, 2011

General

Method of propagation:
   • Infects files


Aliases:
   •  Kaspersky: Virus.Win32.Expiro.w
   •  F-Secure: Virus.Win32.Expiro.w
   •  Bitdefender: Backdoor.Generic.630828
   •  Grisoft: Win32/Expiro.O
   •  Eset: Win32/Expiro.T virus
   •  DrWeb: Win32.Expiro.23


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Infects files
   • Registry modification

File infection

Infector type:

Appender - The virus main code is added at the end of the infected file.
– The last section of the file is modified to include the virus code.
– The following section is added to the infected file:
   • UPX0


Method:

This direct-action infector actively searches for files.


Infection length:

- 110.592 Bytes


The following file is infected:

By file type:
   • Windows Executable File (exe)

Registry

The following registry keys are changed:

Lowers Internet Explorer security settings:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
   Old value:
   • "1609"=dword:00000001
   New value:
   • "1609"=dword:00000000
   • "2103"=dword:00000000

Lowers Internet Explorer security settings:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
   Old value:
   • "1406"=dword:00000001
   • "1609"=dword:00000001
   New value:
   • "1406"=dword:00000000
   • "1609"=dword:00000000
   • "2103"=dword:00000000

Lowers Internet Explorer security settings:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
   Old value:
   • "1609"=dword:00000001
   New value:
   • "1609"=dword:00000000
   • "2103"=dword:00000000

Lowers Internet Explorer security settings:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
   Old value:
   • "1406"=dword:00000003
   • "1609"=dword:00000001
   New value:
   • "1406"=dword:00000000
   • "1609"=dword:00000000
   • "2103"=dword:00000000

Lowers Internet Explorer security settings:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
   Old value:
   • "1406"=dword:00000003
   • "1609"=dword:00000001
   New value:
   • "1406"=dword:00000000
   • "1609"=dword:00000000
   • "2103"=dword:00000000
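
The registry changes listed above can be checked on a host with a read-only audit such as the following. This is an added example, not part of the original description; the script and its variable names are illustrative, and the setting names in the comments are Microsoft's names for these URL action IDs.

```powershell
# Added example: read-only audit of the per-user IE zone values that the
# description above lists as changed. Run as the user being checked.
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# URL action IDs from the description:
#   1406 = Access data sources across domains
#   1609 = Display mixed content
#   2103 = Allow status bar updates via script
# Zones 0 and 2 list 1609 and 2103; zones 1, 3 and 4 also list 1406.
$listed = [ordered]@{
    '0' = @('1609', '2103')
    '1' = @('1406', '1609', '2103')
    '2' = @('1609', '2103')
    '3' = @('1406', '1609', '2103')
    '4' = @('1406', '1609', '2103')
}

$findings = foreach ($zone in $listed.Keys) {
    $props = Get-ItemProperty -Path (Join-Path $base $zone) -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }            # zone key missing for this user
    foreach ($name in $listed[$zone]) {
        $prop = $props.PSObject.Properties[$name]
        [pscustomobject]@{
            Zone    = $zone
            Action  = $name
            Value   = if ($prop) { $prop.Value } else { '(not set)' }
            # The description reports dword:00000000 as the new value.
            Matches = ($null -ne $prop -and $prop.Value -eq 0)
        }
    }
}

$findings | Format-Table -AutoSize

$hits = @($findings | Where-Object { $_.Matches })
if ($hits.Count -gt 0) {
    Write-Warning ("{0} of {1} listed values are 0, as in the description." -f
        $hits.Count, @($findings).Count)
}
```

A match only shows that the settings are in the state listed here; a user or administrator can set the same values, so treat the result as one indicator alongside a file scan.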

Description inserted by Szewee Tan on Wednesday, April 20, 2011
Description updated by Szewee Tan on Wednesday, April 20, 2011
