
Virus:Win32/Expiro.CD


First posted on 05 August 2014.
Source: Microsoft

Aliases :

There are no other names known for Virus:Win32/Expiro.CD.

Explanation :

Threat behavior

Installation

Virus:Win32/Expiro.CD infects .exe files, including the .exe files that shortcut (.lnk) files point to. It looks for .exe files that are:

  • Registered as services
  • Found in the Programs folder in the Start Menu
  • Found on your PC desktop
  • Located in %LOCALAPPDATA%


It infects both 32-bit and 64-bit .exe files. Infected 64-bit files are detected as Virus:Win64/Expiro.I.

It also infects all .exe files found in drives C to Z.

The virus also disables Windows File Protection (WFP) before infecting protected system files; WFP would otherwise restore the original copies of those files.
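The infection targets listed above are also the places a responder should check first. The script below is an added example for this page, not Microsoft's tooling or code from the malware: it enumerates the executables behind registered services (from the registry's ImagePath values), every .exe under the Start Menu Programs folder, the Desktop and %LOCALAPPDATA%, and the .exe targets of any .lnk shortcuts found there (parsed from the MS-SHLLINK LinkInfo block), then compares their SHA-256 hashes and sizes against a baseline recorded on a known-clean host. The environment variable names used to locate those folders and the baseline file name expiro_baseline.json are assumptions.

```python
"""Integrity sweep of the locations the write-up says Expiro.CD infects. Added
example for this page, not Microsoft's tooling or code from the malware. Assumed:
the env vars used to find the Start Menu/Desktop/%LOCALAPPDATA% roots, the
baseline file name, and that the baseline was recorded on a known-clean host."""
import hashlib, json, os, struct, sys
from pathlib import Path
from typing import Dict, Iterable, List, Optional

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def exe_from_image_path(image_path: str) -> Optional[str]:
    """The .exe in a service ImagePath: handles quotes, arguments and NT prefixes."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        cand = s[1:end] if end > 0 else s[1:]
    else:
        idx = s.lower().find(".exe")
        cand = s[: idx + 4] if idx >= 0 else ""
    if not cand.lower().endswith(".exe"):
        return None  # drivers (.sys) and malformed values are skipped
    sysroot = os.environ.get("SystemRoot", "C:\\Windows")
    low = cand.lower()
    if low.startswith("\\??\\"):
        return cand[4:]
    if low.startswith("\\systemroot"):
        return sysroot + cand[len("\\SystemRoot"):]
    if low.startswith("system32"):
        return sysroot + "\\" + cand
    return cand

def service_exes() -> List[Path]:
    """Executables behind registered services, from the registry (Windows only)."""
    if sys.platform != "win32":
        return []
    import winreg
    out = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as svc:
        for i in range(winreg.QueryInfoKey(svc)[0]):
            try:
                with winreg.OpenKey(svc, winreg.EnumKey(svc, i)) as k:
                    exe = exe_from_image_path(winreg.QueryValueEx(k, "ImagePath")[0])
            except OSError:  # no ImagePath value, or access denied
                continue
            if exe and Path(exe).is_file():
                out.append(Path(exe))
    return out

def lnk_local_target(data: bytes) -> Optional[str]:
    """Local target of an MS-SHLLINK (.lnk) file: LocalBasePath + CommonPathSuffix."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        return None
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & 0x1:  # HasLinkTargetIDList: skip IDListSize and the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & 0x2:  # HasLinkInfo
        return None
    _, _, info_flags, _, base_off, _, suffix_off = struct.unpack_from("<7I", data, pos)
    if not info_flags & 0x1:  # VolumeIDAndLocalBasePath; network-only links are skipped
        return None
    def cstr(off: int) -> str:
        raw = data[pos + off : data.index(b"\x00", pos + off)]
        return raw.decode("mbcs" if sys.platform == "win32" else "latin-1")
    return cstr(base_off) + cstr(suffix_off)

def find_exes(roots: Iterable[Path]) -> List[Path]:
    """Every .exe under the roots, plus the .exe targets of any .lnk files there."""
    found = set()
    for root in roots:
        for p in (root.rglob("*") if root.is_dir() else []):
            if p.is_file() and p.suffix.lower() == ".exe":
                found.add(p)
            elif p.is_file() and p.suffix.lower() == ".lnk":
                t = lnk_local_target(p.read_bytes())
                if t and t.lower().endswith(".exe") and Path(t).is_file():
                    found.add(Path(t))
    return sorted(found)

def build_baseline(exes: Iterable[Path]) -> Dict[str, dict]:
    return {str(p): {"sha256": sha256_of(p), "size": p.stat().st_size} for p in exes}

def compare(baseline: Dict[str, dict], exes: Iterable[Path]) -> Dict[str, list]:
    """An infector keeps the path, changes the hash and normally grows the file; a
    legitimate update changes the hash too, so 'modified' still needs a signature check."""
    cur = build_baseline(exes)
    return {"modified": [{"path": p, "grew_by": cur[p]["size"] - baseline[p]["size"]}
                         for p in sorted(cur)
                         if p in baseline and cur[p]["sha256"] != baseline[p]["sha256"]],
            "new": sorted(p for p in cur if p not in baseline),
            "missing": sorted(p for p in baseline if p not in cur)}

if __name__ == "__main__":
    env = os.environ
    roots = [Path(env[k]) / sub for k, sub in (
        ("APPDATA", r"Microsoft\Windows\Start Menu\Programs"),
        ("USERPROFILE", "Desktop"), ("LOCALAPPDATA", "")) if k in env]
    exes = sorted(set(find_exes(roots)) | set(service_exes()))
    base_file = Path("expiro_baseline.json")
    if sys.argv[1:] == ["baseline"]:  # run once on a known-clean host
        base_file.write_text(json.dumps(build_baseline(exes), indent=1))
    else:
        print(json.dumps(compare(json.loads(base_file.read_text()), exes), indent=1))
```

Run it once with the `baseline` argument on a clean build, then without arguments on a suspect host. Entries under "modified" whose size grew are the ones to pull for analysis; because the write-up says the virus also walks every .exe on drives C to Z, widen the roots to whole volumes when a host is already suspected, and verify the Authenticode signature of anything flagged before treating a hash change as an infection.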

Payload

Steals sensitive information

Virus:Win32/Expiro.CD collects the following information from your PC and sends it to a malicious hacker:

  • Installed certificates
  • Credentials stored by FileZilla
  • Credentials stored by Windows Protected Storage
  • Credentials entered by users in different windows, for example, in Internet Explorer


Connects to a server for more commands

Virus:Win32/Expiro.CD is able to connect to a server and receive commands from a malicious hacker.

It can perform any of the following actions, based on the commands of the remote attacker:

  • Disable your antimalware protection
  • Collect and upload your user credentials
  • Terminate the malware process
  • Download other malware


It also sends information about your PC each time it connects to the remote server, including the PC's:

  • OS version information
  • Windows Product ID
  • Locale
  • Volume serial number of drive C


Uninstalls security software

Virus:Win32/Expiro.CD tries to uninstall your security software, including Microsoft Security Essentials and System Center Endpoint Protection.



Analysis by Chun Feng

Symptoms

Alerts from your security software may be the only symptom.

Last update 05 August 2014
