Threat Description

Virus: W32/Expiro.A

Details

Category: Malware
Type: Virus
Platform: W32
Aliases: W32/Expiro, PE_EXPIRO.A, Expiro.A, W32.Kakavex, Virus.Win32.Expiro.a

Summary


Expiro.A is a Windows executable file-infecting virus. It also carries a keylogging component that steals credit card information entered on the affected machine.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product in the Downloads section of the F-Secure website.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or Chat forms on the F-Secure website.



Technical Details


Expiro.A is a Windows executable file-infecting virus that also steals credit card information entered on the affected machine. Upon execution, it recursively searches drives C: through Z:, starting at each root directory and descending into subdirectories, for shortcut files (.LNK) and attempts to infect the Windows executable each shortcut points to. Infected files grow in size: four additional sections are appended to the end of the file. The appended sections are listed below by name, virtual size and physical (raw) size, in hexadecimal:

  • .data 00020000 0000EA00
  • .text 0000AD40 0000AD40
  • .bss 00005BD8 00000000
  • .data 00001A00 00001A00

A physical size of zero for the .bss section is normal for uninitialized data, and the first appended .data section is larger in memory (0x20000) than on disk (0xEA00). The raw sizes together add 0x1B140 (110,912) bytes to an infected file, before any section alignment padding. Section names such as .data and .text are common in clean binaries; it is the combination of these exact size pairs at the end of the section table that is characteristic of this variant.

Expiro.A also writes a duplicate of each infected file alongside it, with the same base name and an .IVR extension. The presence of this file marks the executable as already infected, and it is a convenient host indicator when hunting for infected files. Example:

  • Infected file: %windir%\system32\notepad.exe
  • Companion file: %windir%\system32\notepad.ivr
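The two file-level artefacts above, the four appended sections and the .IVR companion, can be checked for with a short triage script. The following is an added example and not F-Secure's code: it parses a PE section table with the Python standard library, compares the trailing four sections with the names and sizes listed in the description, and looks for the .IVR file next to the executable. The function names are this example's own, and build_pe() produces a constructed, header-only fixture so the script runs offline; it is not a real or infected binary.

```python
"""Triage helpers for the W32/Expiro.A host artefacts (added example, not F-Secure's code)."""
import os
import struct

# Appended sections from the description: (name, VirtualSize, SizeOfRawData).
EXPIRO_A_SECTIONS = [
    (b".data", 0x00020000, 0x0000EA00),
    (b".text", 0x0000AD40, 0x0000AD40),
    (b".bss",  0x00005BD8, 0x00000000),
    (b".data", 0x00001A00, 0x00001A00),
]


def parse_sections(data):
    """Return [(name, virtual_size, raw_size), ...] from a PE image's section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                          # IMAGE_FILE_HEADER, 20 bytes
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                 # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + i * 40                     # each section header is 40 bytes
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        name = data[off:off + 8].rstrip(b"\0")
        vsize, _vaddr, rawsize = struct.unpack_from("<III", data, off + 8)
        sections.append((name, vsize, rawsize))
    return sections


def matches_expiro_a(sections):
    """True when the last four sections match the appended-section pattern exactly.

    Names alone (.data/.text/.bss) are common; the exact size pairs carry the signal.
    """
    return len(sections) >= 4 and sections[-4:] == EXPIRO_A_SECTIONS


def appended_bytes():
    """Raw bytes the four sections add to a file, before alignment padding."""
    return sum(raw for _, _, raw in EXPIRO_A_SECTIONS)   # 0x1B140 = 110912


def ivr_companion(exe_path, exists=os.path.exists):
    """Path of the .IVR duplicate next to exe_path if present, else None.

    `exists` is injectable so the check can be exercised without touching disk.
    """
    base, _ext = os.path.splitext(exe_path)
    marker = base + ".ivr"
    return marker if exists(marker) else None


def build_pe(sections):
    """Constructed PE32 header with the given section table (no section data)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                              # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    table = b"".join(
        name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, 0, raw, 0, 0, 0, 0, 0, 0)
        for name, vsize, raw in sections
    )
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table


# Constructed section tables: a plausible clean layout, and the same file after
# Expiro.A has appended its four sections.
CLEAN_SECTIONS = [(b".text", 0x1000, 0x1000), (b".rdata", 0x400, 0x400), (b".data", 0x200, 0x200)]
INFECTED_SECTIONS = CLEAN_SECTIONS + EXPIRO_A_SECTIONS


def triage(data, exe_path=None, exists=os.path.exists):
    """Combine both checks into one verdict for a PE image and (optionally) its path."""
    sections = parse_sections(data)
    return {
        "section_count": len(sections),
        "expiro_a_sections": matches_expiro_a(sections),
        "ivr_marker": ivr_companion(exe_path, exists) if exe_path else None,
    }


if __name__ == "__main__":
    for label, secs in (("clean", CLEAN_SECTIONS), ("infected", INFECTED_SECTIONS)):
        print(label, triage(build_pe(secs)))
    print("appended raw bytes: 0x%X" % appended_bytes())
```

To run it against real files, read each candidate executable with open(path, "rb").read() and pass the bytes and the path to triage(). The section check is deliberately strict to the sizes given here, so it will not flag other Expiro variants, whose appended sections differ; the .IVR check is independent of the section layout and works on any file the virus has already processed.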

The credit card theft is implemented as a keylogger. While the virus is active in memory, it monitors the user's input and logs the keystrokes and form data entered when the browser visits any of the following sites:

  • 53bank.com
  • banking.halifax-online.co.uk
  • barclays.com
  • chechenpress.info
  • crutop.nu
  • ebay.com
  • goldpoll.com
  • intgold.com
  • kavkazcenter.com
  • kgbrelaxclub.ru
  • kidos-bank.ru
  • master-x.com
  • myonlineaccounts2.abbeynational.co.uk
  • new.egg.com
  • olb2.nationet.com
  • online-business.lloydstsb.co.uk
  • openbank.com
  • paypal.com
  • seclab.ru
  • securitylab.ru
  • stormpay.com
  • tat-neftbank.ru
  • totallyfreebanking.com
  • welcome3.smile.co.uk
  • www.allahabadbank.com
  • www.b2b-trust.com
  • www.bank-banque-canada.ca
  • www.bankofindia.com
  • www.bankofmadura.com
  • www.bbin.ru
  • www.bmo.com
  • www.candidateverifier.com
  • www.cbr.ru
  • www.cibc.com
  • www.cwbank.com
  • www.icbank.ru
  • www.kmb.ru
  • www.lbcdirect.laurentianbank.ca
  • www.mmbank.ru
  • www.nbc.ca
  • www.netmagister.com
  • www.ponziscams.com
  • www.rbc.com
  • www.socks.ac
  • www.uniastrum.ru
  • www.vendorsname.ws
  • www.vtb.ru
  • www.worldbank.org
  • www1.hsbc.ca
  • yambo.biz

Expiro.A creates the following mutex while it is running and active in memory; its presence on a live system is a quick indicator that the virus is active:

  • kkq-vx_mtx1


Detection


F-Secure Anti-Virus detects this malware with the following updates:

Detection Type: PC
Database: 2007-03-12_01



Description Created: 2007-03-13 14:40:21

Description Last Modified: 2007-03-15 15:34:12

