
Expiro Infection


5 replies to this topic

#1 bullet183

bullet183

  • Members
  • 4 posts

Posted 04 March 2015 - 05:09 AM

I have a laptop that is badly infected with the 'Expiro Virus' (NOT the laptop I am using right now). I understand this is a severe infection and the only remedy is to reformat and reinstall a clean OS. My question is, how safe is my data? i.e. documents, music, pictures/videos?

 

Any help is appreciated


Edited by hamluis, 04 March 2015 - 07:39 AM.
Moved from Win 7 to Gen Security - Hamluis.



#2 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands

Posted 04 March 2015 - 05:49 AM

Hello there, and welcome to BC!

Information about Expiro from Microsoft Malware Protection Center:

Virus:Win32/Expiro.CD infects .exe files and files referenced by shortcut (.lnk) files. It looks for .exe files that are:

  • Registered as services
  • Found in the Programs folder in the Start Menu
  • Found on your PC desktop
  • Located in %LOCALAPPDATA%

It infects both 32-bit and 64-bit .exe files. Infected 64-bit files are detected as Virus:Win64/Expiro.I.

It also infects all .exe files found in drives C to Z.

The virus also disables Windows File Protection to infect protected files.

It appears to be a file infector similar to Virut, Ramnit or Sality.

If that's the case, then your documents, music, pictures and videos should be safe as they are not targeted by Expiro.

Be careful and do not backup any executable files at all, as they are probably already infected. Your best bet is to use a live Linux CD and retrieve your files from there, instead of booting into the infected OS.

Hope this helps.

Regards,
Alex
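The salvage step Alex describes (copy the user data, leave every executable behind), as an added example that is not part of the post: a script to run from the live Linux session against the mounted infected volume. It skips files by extension and also by the "MZ" header, so an executable renamed to look like a photo is not carried over; the extension list and the sample files in demo() are my own construction.

```python
import os
import shutil
import tempfile
# Skipped on purpose: the executables Expiro infects and the .lnk shortcuts it follows (my list).
SKIP_EXT = {".exe", ".dll", ".scr", ".sys", ".com", ".cpl", ".ocx", ".pif", ".lnk"}

def looks_like_pe(path):
    """True if the file starts with the 'MZ' magic, whatever its extension says."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:  # unreadable file: not treated as a PE, the extension check still applies
        return False

def should_skip(path):
    return os.path.splitext(path)[1].lower() in SKIP_EXT or looks_like_pe(path)

def salvage(src_root, dst_root):
    """Copy non-executable files under src_root to dst_root; returns sorted (copied, skipped) relative paths."""
    copied, skipped = [], []
    for dirpath, _dirs, files in os.walk(src_root):
        for name in files:
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_root)
            if should_skip(src):
                skipped.append(rel)
                continue
            dst = os.path.join(dst_root, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)
            copied.append(rel)
    return sorted(copied), sorted(skipped)

def demo():
    """Build a constructed sample volume in a temp dir, salvage it, return the result."""
    root = tempfile.mkdtemp()
    src, dst = os.path.join(root, "infected"), os.path.join(root, "backup")
    samples = {  # constructed contents; only the first bytes matter here
        "Documents/thesis.docx": b"PK\x03\x04 constructed document",
        "Pictures/cat.jpg": b"\xff\xd8\xff constructed jpeg",
        "Downloads/setup.exe": b"MZ constructed executable",
        "Downloads/holiday.jpg": b"MZ executable renamed to look like a photo",
        "Desktop/Word.lnk": b"L\x00\x00\x00 constructed shortcut",
    }
    for rel, content in samples.items():
        path = os.path.join(src, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return salvage(src, dst)
```

For a real volume call salvage("/mnt/infected/Users/<name>", "/mnt/usb/backup") and review the skipped list afterwards; the copied documents should still be scanned before they are opened on the rebuilt machine.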

#3 bullet183

bullet183
  • Topic Starter

  • Members
  • 4 posts

Posted 04 March 2015 - 06:07 AM

Many thanks Alex - my knight in shining armor



#4 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands

Posted 04 March 2015 - 06:12 AM

You're welcome :)

#5 crisis2k

crisis2k

  • Members
  • 121 posts
  • Gender:Male

Posted 10 March 2015 - 10:12 AM

Hi bullet183, you can use this AVG Expiro at first :)




#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,582 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 10 March 2015 - 10:45 AM

File infectors can cause so much damage to critical system files that they cannot be completely cleaned or repaired. I do not know of any security vendor who will guarantee complete removal of file infectors since they cannot ensure that some files will not get corrupted during the disinfection process. This means that infected executables and system files can become unusable after attempting to repair them and afterward, there is still no guarantee the virus is really gone. Since many of the affected files are legitimate critical files required by the operating system, deletion is not a viable option. Even many anti-virus vendors admit that some malicious programs like file infectors cannot be properly disinfected by their products.
 

File infector viruses are the 'classic' form of virus, those to which the term is most commonly and, along with boot sector viruses, most appropriately applied. When an infectious file is executed on a system, the infection routine will seek out other files and insert its code into them, generally at the beginning or end of the existing file (prepending or appending viruses), but also occasionally in the middle of the file (mid-infector) or spreading itself across gaps in the file structure. The entry point of the file is redirected to the start of the virus code to ensure that it is run when the file is executed, and control may or may not be passed on to the original program in turn. File infector viruses often misinfect, either leaving the file completely non-functional or simply failing to run the viral code at all. More sophisticated forms of file infector virus, which try to hide their presence by changing aspects of their code with each infection, are known as polymorphic or metamorphic viruses.

What is a file infector

 

File infectors are not on the top of their popularity nowadays (there's not a wide variety of them ITW, but the few active such as Sality or Virut are difficult to defeat). One reason is the frequency of their updates and the complexity of their polymorphism, another reason is the fact that these viruses are not perfectly tuned. If the file infector should be successful (and transparent to the normal system behavior), it simply should not produce corrupted files (the process crashes will quickly point out what's going on). I will show you some examples of bugs in file infectors (below in this article). The problem is that these bugs often make the infected binaries incurable...

avast: Buggy file infectors

 

...You can see some tools claiming they're able to clean even the most complex infections, but believe me, there's no guarantee to restore the system to its original state. A cleaned file (in my opinion) means a file that has no malicious functionality and does not contain any (even inactive) traces of the infection. My daily practice offers me many files cleaned from the Virut infection with some 3rd party tools, but they still contain significant parts of the infection and are thus detected by our engine....

avast: File infectors part 2

 

...it is quite interesting to look at modern day polymorphic viruses and whether their propensity to junk files is wholly by accident or whether there is the occasional element of intent involved...a mass infection that leaves behind a large number of irreparably corrupt files can still be very damaging. Some members of the Virut/Vetor family will randomly choose not to leave an infection marker after infection. This leaves the way open to multiple infections (more headaches for anti virus companies) but also increases the chances that the end file will be corrupt...

Sophos: To Junk Or Not To Junk

 

...In many cases, files cannot simply be deleted as this would affect the stability or even basic functionality of the operating system and other software. Instead, the infected host program must be disinfected by removing the virus code from it and by carefully restoring the original contents and file structure if possible. This means detection and removal are still an issue for antivirus software....

Avira: Cleaning polymorphic infected files

 

...for infected users we have to offer no hope - fdisk - format and re-install is the only solution open to them...

avast: a file infector and why we cannot give false hope!

 

...it injects its code into running processes...The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files...unfortunately, some infections are corrupted beyond repair.

McAfee: polymorphic infector

 

The suggestions in this article are not intended to 100% guarantee removal of all threats...The file infector employs a technique to make sure its corrupted .DLL format will replace the targeted extensions found within the system. When the computer is rebooted it incidentally boots the infected file and continues its advancement throughout the system...

Norton (Symantec): File infector

 

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus...Due to the damage caused to files...it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. Undetected, corrupted files (possibly still containing part of the viral code) can also be found. This is caused by incorrectly written and non-functional viral code present in these files.

AVG: polymorphic infector

 

...you can try via rescue cd, or slave mounted hard drive. but there's no guarantee that some files won't get corrupted through the disinfection process.

Kaspersky: file infector

There are no guarantees or shortcuts when it comes to malware removal and dealing with file infectors as severity of damage will vary. In my experience, users may find their system performing better for a short time after attempted disinfection only to have it become progressively worse again as the malware continues to reinfect thousands of files. Some folks will try every tool or rescue disk they can find in futile attempts to repair critical system files. If something goes awry during the malware removal process the computer may become unstable or unbootable and you could lose access to all your data. In the end most folks end up reformatting out of frustration after spending hours (and days) attempting to repair and remove the infected files.
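The entry-point redirection described above is what a triage check can look for when deciding which executables on the infected disk are even worth a repair attempt. The following is an added example, not code from the post or from any vendor tool: a header-only PE parser that reports when the entry point sits in the last section, or outside the first code section, which is the layout an appending infector leaves behind. build_sample_pe constructs minimal test images; IMAGE_SCN_MEM_EXECUTE is the standard PE section flag.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000

def pe_entry_and_sections(data):
    """Parse a PE image: returns (entry_rva, [(name, rva, size, characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]       # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # SizeOfOptionalHeader
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = pe + 24 + opt_size + 40 * i
        name, vsize, rva, rawsize = struct.unpack_from("<8sIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), rva, max(vsize, rawsize), chars))
    return entry, sections

def triage_entry_point(data):
    """Reasons the entry point looks redirected, as an appending infector would leave it."""
    entry, sections = pe_entry_and_sections(data)
    holder = next((i for i, s in enumerate(sections) if s[1] <= entry < s[1] + s[2]), None)
    if holder is None:
        return ["entry point outside every section"]
    reasons = []
    if len(sections) > 1 and holder == len(sections) - 1:
        reasons.append(f"entry point in last section {sections[holder][0]!r}")
    first_exec = next((i for i, s in enumerate(sections) if s[3] & IMAGE_SCN_MEM_EXECUTE), None)
    if first_exec is not None and holder != first_exec:
        reasons.append(f"entry point not in first executable section {sections[first_exec][0]!r}")
    return reasons

def build_sample_pe(entry_rva, sections):
    """Constructed 32-bit PE consisting of headers only (no code), for exercising the triage."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)       # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0x1000).ljust(224, b"\0")
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), size, rva, size, 0, 0, 0, 0, 0, ch)
                     for n, rva, size, ch in sections)
    return dos + coff + opt + table
```

A hit is a reason to set the file aside, not proof of infection: packed or self-extracting installers also start in a trailing section, and a clean reinstall from original media is still the answer for anything the check flags.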





