W32/Expiro.A



W32/Expiro.A is a file-infecting virus and worm that spreads by infecting executable files on all mapped drives. Vint.D may attempt to steal sensitive information. Expiro.A is a Windows executable file-infecting virus. It is also capable of stealing credit card information gathered from the affected machine.

W32/Expiro.A creates the mutex "kkq-vx_mtx1" so that only one instance of the malicious thread is actively executing on the system at a time. Malicious threads in other running applications remain dormant but continue to run and monitor the mutex; if Vint.D's current host application is closed, any other running infected application creates the mutex and becomes the 'active' Vint.D thread on the system. W32/Expiro.A may attempt to steal credit card information from the compromised machine.

Aliases: W32/Expiro, PE_EXPIRO.A, Expiro.A, W32.Kakavex, Virus.Win32.Expiro.a, W32/Expiro.A

Infected files grow in size, and four additional sections are appended at the end of each file. The appended sections are listed below with their name, virtual size and physical (raw) size, respectively:

.data  00020000  0000EA00
.text  0000AD40  0000AD40
.bss   00005BD8  00000000
.data  00001A00  00001A00

Expiro.A creates a duplicate file alongside each infected file, named with an .IVR extension; this marks files it has already infected.

Example:
c:\windows\system32\notepad.exe
c:\windows\system32\notepad.ivr
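As an added example (not code from this page or from any AV vendor), the following Python scans a directory for the two file-level indicators described above: the four appended sections with the names and virtual sizes listed, and the .ivr twin next to an infected executable. The helper names are my own; build_minimal_pe constructs a header-only sample so the checks can be exercised without a real infected file, and the section sizes are taken as constants from the page and may not hold for every sample.

```python
import struct
from pathlib import Path
# Name, VirtualSize and SizeOfRawData of the four sections the page says Expiro.A appends.
EXPIRO_SECTIONS = [(b".data", 0x20000, 0xEA00), (b".text", 0xAD40, 0xAD40),
                   (b".bss", 0x5BD8, 0x0), (b".data", 0x1A00, 0x1A00)]

def pe_sections(data):
    """Parse the PE section table into [(name, VirtualSize, SizeOfRawData)]; None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 24:
        return None
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size             # section headers follow the optional header
    if table + 40 * nsect > len(data):           # truncated header: refuse to guess
        return None
    sections = []
    for i in range(nsect):
        off = table + 40 * i                     # one 40-byte IMAGE_SECTION_HEADER per section
        name = data[off:off + 8].rstrip(b"\0")
        sections.append((name,) + struct.unpack_from("<I4xI", data, off + 8))  # skip VirtualAddress
    return sections

def looks_infected(data):
    """True when the last four sections carry the names and virtual sizes listed on the page."""
    sections = pe_sections(data)
    if not sections or len(sections) < 5:        # host's own sections first, then the four appended
        return False
    return all(name == en and vsize == ev
               for (name, vsize, _), (en, ev, _) in zip(sections[-4:], EXPIRO_SECTIONS))

def scan_dir(root):
    """Yield (path, reasons) for .exe files showing either indicator: section pattern or .ivr twin."""
    for exe in Path(root).rglob("*.exe"):
        reasons = []
        if looks_infected(exe.read_bytes()):
            reasons.append("Expiro section pattern")
        if exe.with_suffix(".ivr").exists():
            reasons.append(".ivr marker file present")
        if reasons:
            yield exe, reasons

def build_minimal_pe(sections):
    """Constructed test sample: a header-only PE (no optional header) with the given section table."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table = b"".join(n.ljust(8, b"\0") + struct.pack("<III", v, 0x1000 * (i + 1), r) + b"\0" * 20
                     for i, (n, v, r) in enumerate(sections))
    return dos + coff + table
```

Run scan_dir on a copy of a suspect directory taken offline; a hit on the section pattern alone is a strong signal, while a lone .ivr file only says the virus visited that path.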
This virus steals credit card information via a keylogger scheme. While active in memory, it monitors and logs credit card information and captures user input entered while the user browses one of the sites on its monitoring list.
Expiro.A creates the following mutex when it is running and active in memory:
kkq-vx_mtx1

W32/Expiro.A Summary

  • Virus Name: W32/Expiro.A
  • Detected By: Norman antivirus program
  • Virus W32/Expiro.A Detected times: 236041 times
  • W32/Expiro.A Overall Risk: Medium 736042
  • W32/Expiro.A file size: 3660420 bytes
  • W32/Expiro.A was first detected by Norman on Sunday, August 31st, 2008, 8:45 am. W32/Expiro.A is a new threat in the categories Hacking, Malware, Spam, worm.
  • Remove W32/Expiro.A instructions:
    1. Temporarily disable System Restore;
    2. Reboot the computer in Safe Mode;
    3. Delete the W32/Expiro.A virus files and kill the W32/Expiro.A process (if any);
    4. Delete or modify any registry values added by W32/Expiro.A;
    5. Delete IE temporary files, restart the computer and run a full scan with Norman.
    W32/Expiro.A virus files as following:
