Virus:WinNT/Expiro

#12219 by rkhunter
Mon Mar 19, 2012 12:57 pm

Virus:Win32/Expiro.AX

MD5: 5421DC4A41E3BF3840E1EE03E3EDD2F7
https://www.virustotal.com/file/9b0a600 ... /analysis/

Attachments

5421DC4A41E3BF3840E1EE03E3EDD2F7.zip

pass:infected
(127.18 KiB) Downloaded 233 times

Username

rkhunter

Posts

1156

Joined

Mon Mar 15, 2010 12:51 pm

Location

Russian Federation

Contact

Re: Expiro

#15017 by Aleksandra
Sun Aug 05, 2012 6:47 am

MD5: 6ad655563c28c36f90a009ac78feaab1
SHA1: 37d8e65b7109a28d3cb253829bdb0f5decbf96d9
12/41

Infected files attached.

Attachments

quarantine.zip

pass: virus
(1.25 MiB) Downloaded 155 times

Username

Aleksandra

Posts

79

Joined

Sun Jun 05, 2011 9:34 pm

Re: Virus:Win32/Expiro

#18717 by EP_X0FF
Wed Mar 27, 2013 6:34 am

Win32/Expiro.BD in attach.

SHA256: 1a0e3a6ec64bc1a7301f113c797e6620feda24030f5037214cc1d2f000354d4e
SHA1: cf95e3a56836285fa8a3f5408ef23108de9d8d77
MD5: 195deba36bc846f4f6b29cf86862b565

https://www.virustotal.com/en/file/1a0e ... 364365902/

Refer to encyclopedia entry for more info.

Attachments

cf95e3a56836285fa8a3f5408ef23108de9d8d77.rar

pass: malware
(130.75 KiB) Downloaded 111 times

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

W64.Xpiro

#20186 by rkhunter
Sun Jul 21, 2013 12:23 pm

aka Win64/Expiro.A

http://www.symantec.com/security_respon ... 99&tabid=2
http://blog.trendmicro.com/trendlabs-se ... edentials/

infected Wmiprvse.exe [6.2.9200.16398 / WMI Provider Host] in attach

Attachments

a82b46502a12a1bfe7f7e29ddd4ccb81.zip

pass:infected
(450.74 KiB) Downloaded 127 times

Username

rkhunter

Posts

1156

Joined

Mon Mar 15, 2010 12:51 pm

Location

Russian Federation

Contact

Re: Virus:WinNT/Expiro

#20294 by Blaze
Wed Jul 31, 2013 7:46 am

Versatile and infectious: Win64/Expiro is a cross-platform file infector
http://www.welivesecurity.com/2013/07/3 ... -infector/

Win64/Expiro.A - 469fcc15b70cae06f245cec8fcbf50f7c55dcc4b
Win32/Expiro.NBF - 9818d4079b9cb6b8a3208edae0ac7ad61a85d178

Attachments

files.zip

(1.56 MiB) Downloaded 120 times

Username

Blaze

Posts

198

Joined

Fri Aug 27, 2010 7:35 am

Contact

Re: Virus:WinNT/Expiro

#20354 by Cody Johnston
Sat Aug 03, 2013 1:12 am

Expiro infected powercfg.exe

MD5: 2b37446d6cc0bb88321488c567c30f5f

https://www.virustotal.com/en/file/c12d ... 375491855/

Attachments

powercfg.zip

Password: infected
(299.44 KiB) Downloaded 97 times

Username

Cody Johnston

Posts

157

Joined

Sun May 01, 2011 4:33 pm

Location

Los Angeles, CA

Contact

Re: Virus:WinNT/Expiro

#20390 by Cody Johnston
Mon Aug 05, 2013 7:21 pm

This is likely the dropper for the file posted above:

3/46

MD5: 4928fa5ed61c213b66ae8036a96037d1

https://www.virustotal.com/en/file/4b45 ... /analysis/

Does anyone know of a working removal tool for this variant? The AVG remover is not working as expected.

Attachments

mute.zip

Password: infected
(128.69 KiB) Downloaded 91 times

Username

Cody Johnston

Posts

157

Joined

Sun May 01, 2011 4:33 pm

Location

Los Angeles, CA

Contact

Re: Virus:WinNT/Expiro

#20547 by K_Mikhail
Tue Aug 20, 2013 7:13 pm

hxxp:// walzpainting.com / gaz.exe from Malc0de links (infected \drwtsn32.exe)

https://www.virustotal.com/ru/file/16bb ... 377021758/

Attachments

gaz.7z

pass:virus
(268.15 KiB) Downloaded 77 times

Username

K_Mikhail

Posts

41

Joined

Tue Apr 13, 2010 4:13 pm

Re: Virus:WinNT/Expiro

#20876 by Mosh
Fri Sep 20, 2013 3:53 pm

Win32/Expiro and Postbank phishing site on 178.211.45.186 (Turkey)

SHA256: 2594b3b280d60bb7d19687de48bca90b260c4ad13171f6ecb67f5968eab024b5
SHA1: 5649d1dc81eba450cec8f67b10232718ee0add8f
MD5: 4d6d41cf255d73e278ed2eef43432fc3
File size: 574.0 KB ( 587776 bytes )
File name: usbhost.exe
File type: Win32 EXE
Tags: peexe
Detection ratio: 27 / 48
https://www.virustotal.com/en/file/2594 ... 379690433/

Postbank site: http://urlquery.net/report.php?id=5625934

Attachments

usbhost.zip

infected
(312.63 KiB) Downloaded 80 times

nyxbone.com
Twitter: @nyxbone

Username

Mosh

Posts

29

Joined

Thu Oct 06, 2011 4:10 pm

Location

Colombia

Contact

Re: Virus:WinNT/Expiro

#20887 by Cody Johnston
Fri Sep 20, 2013 11:21 pm

All these found on the same PC yesterday. Includes Expiro, Buzus and Symmi.

Expiro

SHA256: 537787a529c820dbafa3ce43e93f4a1c12f0d957e86d691285afe7ae8ca36b8a
SHA1: be9e892b38698bc6e1b4dee946f15e984d72e2a0
MD5: f2601abb1c460023658a2e6d357efb42
Detection ratio: 32 / 48

https://www.virustotal.com/en/file/5377 ... 379624778/

Buzus

SHA256: 4576b2c909a9a4c06aa64846769d6f62e845235c3ac4af793b3a5b5c5f76a873
SHA1: 2270b7859a6309d23bf6d816a8bca4ff43e353c0
MD5: 17866d1d370ef87d631817c93939ebff
Detection ratio: 20 / 46

https://www.virustotal.com/en/file/4576 ... /analysis/

Symmi

SHA256: 4cb4d564303baabdbaa2a9ea0bb1ce542b3498882a4695bf4de8226da2883503
SHA1: 10051817a0e164f8724330ae1dd3e1133dcb1753
MD5: 6308daca641d6314d0751e906a596519
Detection ratio: 6 / 48

https://www.virustotal.com/en/file/4cb4 ... /analysis/

Attachments

Sample.zip

Password: infected
(802.33 KiB) Downloaded 83 times

Username

Cody Johnston

Posts

157

Joined

Sun May 01, 2011 4:33 pm

Location

Los Angeles, CA

Contact