{
	"id": "3eebbd72-35b2-4ebb-ad88-aa056d492d12",
	"created_at": "2026-04-06T00:14:09.218564Z",
	"updated_at": "2026-04-10T03:21:36.809654Z",
	"deleted_at": null,
	"sha1_hash": "952bfc474f62374bf7462b3f130fd6519664eb4d",
	"title": "Versatile and infectious: Win64/Expiro is a cross-platform file infector",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 332635,
	"plain_text": "Versatile and infectious: Win64/Expiro is a cross-platform file infector\r\nBy ESET Research\r\nArchived: 2026-04-05 15:39:48 UTC\r\nRecently, our anti-virus laboratory discovered an interesting new modification of a file virus known as Expiro\r\nwhich targets 64-bit files for infection. File-infecting viruses are well known and have been studied\r\ncomprehensively over the years, but malicious code of this type almost invariably aimed to modify 32-bit files.\r\nOne such family of file viruses, called Expiro (Xpiro), was discovered a long time ago and it's not surprising to\r\nsee it today. However, the body of this versatile new modification is surprising because it's fully cross-platform,\r\nable to infect 32-bit and 64-bit files (also, 64-bit files can be infected by an infected 32-bit file). According to our\r\nnaming system the virus is called Win64/Expiro.A (aka W64.Xpiro or W64/Expiro-A). In the case of infected 32-bit files,\r\nthis modification is detected as Win32/Expiro.NBF.\r\nThe virus aims to maximize profit and infects executable files on local, removable and network drives. As for the\r\npayload, this malware installs extensions for the Google Chrome and Mozilla Firefox browsers. The malware also\r\nsteals stored certificates and passwords from Internet Explorer, Microsoft Outlook, and from the FTP client\r\nFileZilla. Browser extensions are used to redirect the user to a malicious URL, as well as to hijack confidential\r\ninformation, such as account credentials or information about online banking. The virus disables some services on\r\nthe compromised computer, including Windows Defender and Security Center (Windows Security Center), and\r\ncan also terminate processes. Our colleagues from Symantec have also written about the most recent Expiro\r\nmodification. 
TrendMicro also reported attacks using this virus.\r\nThe Win64/Expiro infector\r\nThe body of the virus in a 64-bit infected file is added to the end of the new section of the executable file, called\r\n.vmp0 with a size of 512,000 bytes (on disk). To transfer control to the main body (.vmp0), the virus inserts 1,269\r\nbytes of malicious startup code in place of the entry point. Before modifying the entry point code, the virus copies\r\nthe original bytes to the beginning of the .vmp0 section. This startup code performs unpacking of the virus code\r\ninto the .vmp0 section. In the screenshot below we show the template for the startup code to be written during\r\ninfection to the entry point of the 64-bit file.\r\nhttps://www.welivesecurity.com/2013/07/30/versatile-and-infectious-win64expiro-is-a-cross-platform-file-infector/\r\nPage 1 of 9\n\nDuring the infection process, the virus will prepare this startup code for insertion into the specified file and some\r\nof these instructions will be overwritten, thus ensuring the uniqueness of the .vmp0 section contents\r\n(polymorphism). In this case, the following types of instruction are subject to change: add, mov, or lea (Load\r\nEffective Address), instructions that involve direct offsets (immediate). At the end of the code, the virus adds a\r\njump instruction which leads to the code unpacked into the .vmp0 section. 
The screenshot below shows the startup\r\ncode pattern (on the left) and the startup code that was written into the infected file (on the right).\r\nSimilar startup code for 32-bit files is also located in the .vmp0 section, as presented below.\r\nIn a 32-bit disassembler this code looks like ordinary code (infected file).\r\nThe size of the startup code is 1,269 bytes for a 64-bit file and 711 bytes for a 32-bit file.\r\nThe virus infects executable files by walking directories recursively. For each executable it creates a special .vir file\r\nin which the malicious code builds the new file contents, and then writes them to the target file in\r\nblocks of 64K. If the virus can't open the file with read/write access, it tries to change the file's security descriptor\r\nand owner information.\r\nThe virus also infects signed executable files. After infection, files are no longer signed, because the virus writes its body\r\nafter the last section, where the overlay containing the digital signature is located. In addition, the virus adjusts the\r\nSecurity Directory entry in the Data Directory by setting its RVA and Size fields to 0. Accordingly, such a\r\nfile can still be executed afterwards, without reference to any digital signature information. The figure\r\nbelow shows the differences between the original/unmodified and the infected 64-bit file, where the original is\r\nequipped with a digital signature. 
On the left, in the modified version, we can see that the place where the overlay\r\nshown on the right was formerly located is now the beginning of the .vmp0 section.\r\nFrom the point of view of process termination, Expiro is not innovative: it retrieves\r\na list of processes with the CreateToolhelp32Snapshot API and then terminates targets via OpenProcess /\r\nTerminateProcess. Expiro targets the following processes for termination: «MSASCui.exe», «msseces.exe» and\r\n«Tcpview.exe».\r\nWhen first installed on a system, Expiro creates two mutexes named «gazavat».\r\nIn addition, the presence of the infector process can be identified on the system by its large number of I/O\r\noperations and high volume of bytes read and written. Since the virus needs to visit every file on the system, the\r\ninfection process can take a long time, which is also a symptom of suspicious code running on the system.\r\nThe screenshot below shows the statistics relating to the infector process at work.\r\nThe virus code obfuscates offsets and other values as it passes them to API calls.\r\nFor example, the following code uses arithmetic obfuscation while passing the argument\r\nSERVICE_CONTROL_STOP (0x1) to advapi32!ControlService, which it uses to stop the service.\r\nWith this code Expiro tries to disable the following services: wscsvc (Windows Security Center), windefend\r\n(Windows Defender Service), MsMpSvc (Microsoft Antimalware Service, part of Microsoft Security Essentials),\r\nand NisSrv (Network Inspection Service used by MSE).\r\nWin64/Expiro payload\r\nAs the payload, the virus installs a browser extension for Google Chrome and Mozilla Firefox. 
The manifest file\r\nfor the installed Chrome extension looks like this:\r\nIn the Chrome extensions directory, the directory with malicious content will be called\r\ndlddmedljhmbgdhapibnagaanenmajcm. The malicious extension uses two JavaScript scripts for its work:\r\nbackground.js and content.js. After deobfuscation, the code pattern of background.js looks like this.\r\nThe variable HID is used for storing the OS version string and Product ID. The variable SLST is used to store a\r\nlist of domains that are used to redirect the user to malicious resources.\r\nThe manifest file for the Firefox extension looks like this:\r\nIn the screenshot below you can see part of the code of content.js which parses the form elements on the\r\nweb page. 
Such an operation helps the malicious code retrieve data that the user has entered into forms,\r\nwhich may include confidential information.\r\nAs a bot, the malware can perform the following actions:\r\nchange control server URLs;\r\nexecute a shell command (passed as a parameter to cmd.exe, with the result returned to the server);\r\ndownload and execute plugins from the internet;\r\ndownload a file from the internet and save it as %commonappdata%\\%variable%.exe;\r\nimplement a TCP flood DoS attack;\r\nenumerate files matching the mask \\b*.dll in the %commonappdata% folder, loading each one as a library,\r\ncalling export «I» from it, and loading exports «B» and «C» from it;\r\ncall plugin functions «B» and «C» from the loaded plugin;\r\nstart a proxy server (SOCKS, HTTP);\r\nset port forwarding for TCP on the local router (SOAP).\r\nExpiro tries to steal FTP credentials from the FileZilla tool by loading information from\r\n%appdata%\\FileZilla\\sitemanager.xml. Internet Explorer is also affected by Expiro, which uses a COM object to\r\ncontrol the browser and steal data. 
If a credit card form is present on a loaded web page, the malware will try to steal data from it.\r\nThe malicious code checks form input data for matches to the «VISA» / «MasterCard» card number format and shows\r\na fake window with the message:\r\n\"Unable to authorize.\\n %s processing center is unable to authorize your card %s.\\nMake corrections and try\r\nagain.\"\r\nThis malware can also steal stored certificates with their associated private keys (certificate store «MY»).\r\nImplications of Win64/Expiro\r\nInfecting executable files is a very efficient vector for the propagation of malicious code.\r\nThe Expiro modification described here represents a valid threat both to home users and to company employees.\r\nBecause the virus infects files on local disks, removable devices and network drives, it may grow to similar\r\nproportions as the Conficker worm, which is still reported on a daily basis. In the case of Expiro the situation is\r\nworse, because if a system is left with at least one infected file on it which is then executed, the process of total\r\nreinfection of the entire disk begins again.\r\nIn terms of payload delivery, the file infector is also an attractive option for cyber crime, because viral\r\nmalicious code can spread very fast. 
And of course, a cross-platform infection mechanism makes the range of\r\npotential victims almost universal.\r\nBig hat tip to Miroslav Babis for the additional analysis of this threat.\r\nArtem Baranov, Malware Researcher ESET Russia\r\nSHA1 hashes for analyzed samples:\r\nWin64/Expiro.A - 469fcc15b70cae06f245cec8fcbf50f7c55dcc4b\r\nWin32/Expiro.NBF - 9818d4079b9cb6b8a3208edae0ac7ad61a85d178\r\nSource: https://www.welivesecurity.com/2013/07/30/versatile-and-infectious-win64expiro-is-a-cross-platform-file-infector/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2013/07/30/versatile-and-infectious-win64expiro-is-a-cross-platform-file-infector/"
	],
	"report_names": [
		"versatile-and-infectious-win64expiro-is-a-cross-platform-file-infector"
	],
	"threat_actors": [],
	"ts_created_at": 1775434449,
	"ts_updated_at": 1775791296,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/952bfc474f62374bf7462b3f130fd6519664eb4d.pdf",
		"text": "https://archive.orkl.eu/952bfc474f62374bf7462b3f130fd6519664eb4d.txt",
		"img": "https://archive.orkl.eu/952bfc474f62374bf7462b3f130fd6519664eb4d.jpg"
	}
}