Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Expiro Virus

  • Please log in to reply
1 reply to this topic

#1 AiyannaRose


  • Members
  • 1 posts
  • Local time:01:22 AM

Posted 13 September 2013 - 02:06 AM

I have a random question. I just had a lovely run in with the expiro virus, (managed to remove it using safe mode and a system restore) and I was wondering how does that virus infect and how can you tell if it's infected you? I have a firewall, Avg, and I'm extremely careful when downloading. I think it was attached to adobe, if that's even possible.

BC AdBot (Login to Remove)


#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,932 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:22 AM

Posted 13 September 2013 - 07:34 AM

Expiro (Win32/Expiro) is a dangerous family of polymorphic file infectors which encrypts its code differently with each infection...meaning that the viral code inserted into each infected file is unique. Typically the virus infects executable files with .exe extensions in all drives, and steals user login credentials which it sends back to the attacker. It also allows backdoor access and control to the infected computer, lowers Internet Explorer settings and includes functionality to inject malicious code into web pages visited.

File Infector EXPIRO Hits US, Steals FTP Credentials

This attack used exploit kits (in particular Java and PDF exploits) to deliver file infectors onto vulnerable systems. Interestingly, these file infectors have information theft routines, which is a behavior not usually found among file infectors. These malware are part of PE_EXPIRO family, file infectors that was first spotted spotted in 2010. In addition to standard file infection routines, the variants seen in this attack also have information theft routines, an uncommon routine for file infectors.


The virus infects all .exe files (32-bit and 64-bit) on the compromised computer and also on mapped or removable drives (C to Z).

The virus may install Firefox or Chrome extensions and perform the following actions:
• monitor browser activity
• redirect users to malicious URLs

The virus may steal the following information from the compromised computer:
• Language
• Product IDs
• System volume information
• Windows system information
• Email addresses
• Passwords
• Online banking information, including account numbers

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson, Security Program Manager at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users