
Malware.Xpiro (Expiro)

Posted: March 4, 2010

Expiro, or Xpiro, is a broad family of viruses that infect files to compromise the targeted PC, with goals usually related to stealing confidential Web-browsing information and login information for FTP clients. While malware experts have examined individual members of this family before now, new changes in this family's development that increase the range of threatened computers warrant an update to previous analyses. With emerging variants of Expiro adding compatibility with 64-bit Windows systems, more potential victims than ever are endangered by Expiro, and malware researchers warn that deleting Expiro (or even finding Expiro) is difficult without the latest robust anti-virus technology.

Expiro: When File Infectors Strike Back

Viruses usually are remembered for their early years in the threat industry, during which time they often were designed to destroy files and cause general mischief. New models like Expiro viruses are intended for essentially the same purposes as banking Trojans and other spyware: stealing private information that may be used for crime-financing activities. While most viruses are limited to affecting 32-bit systems, including old versions of Expiro like PE_EXPIRO.JX-O, new versions have been updated to attack 64-bit systems, which is a remarkable innovation for virus-based threats.

The most recent Expiro attacks distributing these upgraded viruses seem to be using exploit kits hosted on compromised websites, which allows criminals to install Expiro (assuming that the exploit kits can find an appropriate vulnerability). Malware experts recommend disabling scripts and patching your software for general defenses against these drive-by-downloads, although these aren't substitutes for real anti-malware protection. Currently, the newest Expiro campaign appears to be targeted at specific United States-based institutions, although Expiro is just as harmful to any casual PC user.

The File-Fattening That Leads to Theft

As viruses, Expiro-based PC threats infiltrate other files on your computer. There are few symptoms of this infection except for a modest increase in file size that's under one megabyte. A successfully compromised PC may be in danger of losing the following types of information from Expiro attacks:

  • FTP client information, particularly for FileZilla.
  • Passwords and other confidential information for Chrome, Internet Explorer and Firefox, all of which may be targeted by slightly different information-stealing attacks. They also may be hijacked and redirected to hazardous Web domains.
  • Any installed certificates.
  • Private credentials for Windows Protected Storage.

Expiro also may install threats, making Expiro perform triple-duty as a virus, spyware program and Trojan downloader.

Malware researchers consider all versions of Expiro to be high-level PC threats, and warn that its recent campaign mandates an especially cautious reaction to suspicious e-mail attachments, and other methods that often compromise specific businesses and government agencies. Removing Expiro shouldn't harm the files that are hosting its code, as long as appropriate anti-malware programs are used for disinfection.

Aliases

  • Win32/Expiro
  • Virus:Win32/Expiro.E
  • W32/Expiro-F
  • PE_EXPIRO.DIT
  • W32/Expiro
  • Virus.Win32.Expiro.o

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

  • %ProgramFiles%\Internet Explorer\IEXPLORE.EXE
    File type: Executable File
    Mime Type: unknown/EXE
  • %ProgramFiles%\Outlook Express\msimn.exe
    File type: Executable File
    Mime Type: unknown/exe
  • %ProgramFiles%\Outlook Express\wab.exe
    File type: Executable File
    Mime Type: unknown/exe
  • %ProgramFiles%\Windows Media Player\wmplayer.exe
    File type: Executable File
    Mime Type: unknown/exe
  • %ProgramFiles%\Windows NT\Accessories\wordpad.exe
    File type: Executable File
    Mime Type: unknown/exe
  • %ProgramFiles%\Windows NT\hypertrm.exe
    File type: Executable File
    Mime Type: unknown/exe
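Because the page names the only visible symptom as a file-size increase of under one megabyte in otherwise legitimate executables, the practical defensive check is a file-integrity baseline over exactly the paths listed above. The script below is an added example, not code from the original page or from any anti-malware vendor: it records size and SHA-256 for each listed executable, and a later run reports which files changed, by how much, and whether the growth fits the description given here. The paths in EXPIRO_TARGETS come from the page; the function names, the JSON baseline file and the constructed placeholder files built by simulate_infection_demo() are assumptions of this example.

```python
"""Baseline-and-compare integrity check for the executables Expiro is
reported to modify. Added example; paths come from the page, everything
else is an assumption of this example."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Executables named on the page's file-system modification list. The Windows
# %ProgramFiles% variable is kept as written and expanded at run time.
EXPIRO_TARGETS = [
    r"%ProgramFiles%\Internet Explorer\IEXPLORE.EXE",
    r"%ProgramFiles%\Outlook Express\msimn.exe",
    r"%ProgramFiles%\Outlook Express\wab.exe",
    r"%ProgramFiles%\Windows Media Player\wmplayer.exe",
    r"%ProgramFiles%\Windows NT\Accessories\wordpad.exe",
    r"%ProgramFiles%\Windows NT\hypertrm.exe",
]

# The page puts an infected file's growth at under one megabyte.
MAX_EXPECTED_GROWTH = 1024 * 1024


def fingerprint(path):
    """Return {'size', 'sha256'} for an existing file, or None if it is absent."""
    p = Path(os.path.expandvars(str(path)))
    if not p.is_file():
        return None
    digest = hashlib.sha256()
    with p.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return {"size": p.stat().st_size, "sha256": digest.hexdigest()}


def build_baseline(paths):
    """Fingerprint every path; absent files are stored as None so that a file
    appearing later is itself reported."""
    return {str(path): fingerprint(path) for path in paths}


def save_baseline(baseline, out_path):
    Path(out_path).write_text(json.dumps(baseline, indent=2))


def load_baseline(in_path):
    return json.loads(Path(in_path).read_text())


def compare(baseline, paths):
    """One finding per path: {'path', 'status'} plus, for a modified file,
    'growth' in bytes and whether that growth matches the page's description."""
    findings = []
    for path in paths:
        key = str(path)
        before = baseline.get(key)
        now = fingerprint(key)
        if before is None and now is None:
            status = "absent"
        elif before is None:
            status = "new"
        elif now is None:
            status = "missing"
        elif before["sha256"] == now["sha256"]:
            status = "unchanged"
        else:
            status = "modified"
        finding = {"path": key, "status": status}
        if status == "modified":
            growth = now["size"] - before["size"]
            finding["growth"] = growth
            finding["growth_in_expected_range"] = 0 < growth < MAX_EXPECTED_GROWTH
        findings.append(finding)
    return findings


def suspicious(findings):
    """Paths worth a closer look: any content change, appearance or disappearance."""
    return [f["path"] for f in findings if f["status"] in ("modified", "new", "missing")]


def simulate_infection_demo():
    """Offline demonstration on constructed placeholder files (not real
    binaries): baseline three paths, grow one by 12 KiB the way the page
    describes an infected host file growing, and return the comparison."""
    workdir = Path(tempfile.mkdtemp(prefix="expiro_demo_"))
    host_a, host_b = workdir / "a.exe", workdir / "b.exe"
    never_installed = workdir / "never_installed.exe"
    host_a.write_bytes(b"MZ" + b"\x00" * 4096)  # constructed content
    host_b.write_bytes(b"MZ" + b"\x00" * 2048)  # constructed content
    baseline = build_baseline([host_a, host_b, never_installed])
    host_a.write_bytes(host_a.read_bytes() + b"\x90" * 12288)  # simulated growth
    findings = compare(baseline, [host_a, host_b, never_installed])
    return {f["path"]: f for f in findings}, suspicious(findings)


if __name__ == "__main__":
    # Stand-alone use on a Windows host: the first run writes the baseline,
    # later runs compare the listed executables against it.
    baseline_file = "expiro_targets_baseline.json"
    if Path(baseline_file).exists():
        for finding in compare(load_baseline(baseline_file), EXPIRO_TARGETS):
            print(finding)
    else:
        save_baseline(build_baseline(EXPIRO_TARGETS), baseline_file)
        print("baseline written to", baseline_file)
```

A hash mismatch on any of these files is the signal; the growth figure only helps triage, since a legitimate patch also changes the hash but is usually accompanied by a version change and a valid vendor signature, which this script does not check. Keep the baseline file off the monitored host so that an infection cannot rewrite it.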