  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4183

Expiro Virus

Hi Experts,

I have a network of 20 PC clients. Half of them are using McAfee VirusScan Enterprise v8.5 (I know that it is an old version) with the latest updates and the other half have the free Microsoft Security Essentials installed.

The above computers have access to a mapped network drive (f:) and on it there are some network applications.

The main problem is that Microsoft Security Essentials, after running a Full Scan or after accessing the mapped drive f:, is indicating that there are viruses…
- Win32/Expiro.S
- Win32/Expiro.gen!F
…on some .EXE files. If you select Remove, it removes the executable files, causing some applications to be unable to start.

I found on the net that Expiro is malware so I used Malwarebytes [Admin Edit]
Then I suspected three users and I ran Malwarebytes and SuperAntispyware on their computers in order to locate the Expiro virus locally.
The above programs found only backdoors, Trojan cookies, Trojan Downloaders/Agents/FakeMS but not the Expiro virus.

On two users' computers a pop-up window appeared with the name “Windows File Protection” asking to keep these unrecognized file versions or to insert the Windows XP CD.

Using Malwarebytes again I ran a full scan on the server’s hard drive (f:) which is mapped to the clients’ computers.
Once again it didn’t find any Expiro virus but one Trojan and one I can’t recall (one in the registry and one in a user’s recycle folder) and disinfected them.

After that I removed Microsoft Security Essentials from one client and installed the trial version of Kaspersky Pure. I performed a full scan on that computer locally and it didn’t find any threats.
Running a full scan from the same computer on the mapped drive using Kaspersky Pure, Kaspersky found 123 virus.win32.expiro.w threats.

Q1: I don’t know where this malware/virus came from and I don’t know where it lives (on a client, on the server, or both) in order to eliminate it once and for all.

Q2: I am also wondering what the Windows File Protection message was.

What I know for sure is that all infected files are .EXE files.

Any ideas will be much appreciated!

Regards,
Mamelas
3 Solutions
younghvCommented:
I think you need to use a more structured approach for both identifying and removing this malware.

Take a look at these two EE Articles, download the tools you need and run them in the order described:

http://www.experts-exchange.com/A_5124.html (Stop-the-Bleeding-First-Aid-for-Malware)
http://www.experts-exchange.com/A_1940.html (Basic Malware Troubleshooting)
Melannk24Commented:
First, when you know you have an infected computer on a network, unplug the cable.  Some forms of malware can spread quickly just by using network ports.  In this case, you can't pinpoint the time or entry of infection, so treat the entire network as infected.  This means you need a uniform AV and host integrity software platform.  Having two different AV solutions can actually cause more problems than it solves because the two vendors have different ways of deploying signature updates and of identifying/removing the threat.

In this environment, how many servers have touched these infected PCs?  In other words, is it just the mapped network drives, i.e. the file server?  If so, you need to make sure you remove any threats from that server first, because if you clean your clients but your file server is still infected, the process will only start over again, re-infecting your clients.  Do you have a host firewall deployed on the PCs?  If not, I would highly recommend using the Windows Firewall; it's not foolproof, but if "Rogue Application X" installed by malware is trying to communicate across the network from that host, the firewall should alert and stop that application if it's configured correctly.  Please be advised that certain malware infections will modify the registry, though, and prevent the firewall service from starting.

As for your question about "Windows File Protection", that means that Windows detected a change in system files, which tells me that the Expiro malware is also a PE-file infector, purposely infecting other executable files on the PC by overwriting them with its own code.   I would say re-imaging the PCs with your standard baseline would be the best resolution here.  The malware has not only caused a root infection, it's overwriting other vital system files; that's not easily resolved.

Another suggestion, to try to pinpoint the machines with outstanding infections: do a search for "wsr14zt32.dll"; it's a file associated with variants of the Expiro malware.

Once you get one malware infection on a PC, some have a tendency to download other malicious applications as well.  You could be dealing with more than one main infection here.

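The comment above makes two points a defender can turn into a repeatable check: a PE-file infector rewrites existing executables, so comparing current file hashes against a baseline taken on a known-clean system exposes the modified ones, and the file name "wsr14zt32.dll" is a hint worth searching for. The script below is an added illustration of both, not code from the thread or from any of the posters. It assumes a share root passed as a path (a mapped drive such as f: would be given as the root), and it includes .dll as well as .exe as an assumption about which files are worth baselining; the Expiro-related file name comes from the comment and is treated only as a hint.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions this check covers. The thread says every infected file was an .EXE;
# .dll is included here as an assumption, since PE infectors commonly target both.
PE_SUFFIXES = {".exe", ".dll"}

# File name the thread associates with Expiro variants; a match is only a hint.
KNOWN_DROPPED_NAMES = {"wsr14zt32.dll"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large executables are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root) -> dict:
    """Map each PE file under root (relative POSIX path) to its hash and size."""
    root = Path(root)
    baseline = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in PE_SUFFIXES:
            rel = path.relative_to(root).as_posix()
            baseline[rel] = {"sha256": sha256_of(path), "size": path.stat().st_size}
    return baseline


def compare(root, baseline: dict) -> dict:
    """Rescan root and report what changed since the baseline was recorded."""
    current = build_baseline(root)
    report = {"modified": [], "new": [], "missing": [], "suspicious_names": []}
    for rel, meta in current.items():
        if rel not in baseline:
            report["new"].append(rel)
        elif meta["sha256"] != baseline[rel]["sha256"]:
            report["modified"].append(rel)
        if Path(rel).name.lower() in KNOWN_DROPPED_NAMES:
            report["suspicious_names"].append(rel)
    report["missing"] = [rel for rel in baseline if rel not in current]
    for key in report:
        report[key].sort()
    return report


def demo() -> dict:
    """Constructed example: a tiny share, then one executable altered and one file added."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp)
        (share / "app").mkdir()
        (share / "app" / "invoice.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (share / "app" / "readme.txt").write_text("not a PE file, ignored")
        baseline = build_baseline(share)
        # Stand-ins for what the check is meant to catch: an executable whose
        # bytes changed after the baseline, and a new file carrying the hinted name.
        with (share / "app" / "invoice.exe").open("ab") as fh:
            fh.write(b"\x90" * 8)
        (share / "app" / "wsr14zt32.dll").write_bytes(b"MZ")
        return compare(share, baseline)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The baseline should be recorded from a machine you trust (for example right after re-imaging, before the share is reconnected) and stored somewhere the clients cannot write to; a later `compare` then gives a list of executables whose contents changed, which is exactly the symptom the comment describes for a PE infector. A hash match only says the file is unchanged since the baseline, not that the baseline itself was clean, so take it before exposing the share again.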
mamelasAuthor Commented:
Dear Experts,
Malwarebytes was unable to find the Expiro virus, so it was not useful for this type of virus.

What I have done:
I removed the antivirus from every client and used Kaspersky Internet Security to do the clean-up.

Some of the client computers were infected with the Expiro.w virus.
Kaspersky cleaned half of them, but there were computers with an infected explorer.exe and I had to re-install them.

Computers with the Expiro.w virus had mapped drives, and users were accessing network applications using the shortcuts on their desktops.
I suppose that the Expiro.w virus infected the executable files of one computer, and then when the user accessed his network application, the mapped drive where the application lives was infected too. After that, all of the computers that were accessing this mapped drive/network application were infected “locally” too.

As I said, Kaspersky Internet Security is now indicating that all computers are cleaned.

I have also made a full scan, from a client’s computer using Kaspersky, of all network drives, and now they are cleaned too.

The only thing that I didn’t do is a full scan of all physical drives of the 2 file servers.
Parts of them are now cleaned (the mapped drives), but I don’t know if the virus has spread to the servers’ executable files.


I don’t have any commercial backup solution and I don’t know if it is safe to run a full scan directly on the servers (…uninstalling the old McAfee 8.5i first and installing Kaspersky for Servers).

Q1: Do you suggest I enable sharing and scan them from a client’s computer (as I did with the mapped drives)?
-      Am I safe without running a full scan on the servers?
-      Do you suggest something else?

Q2: In order to replace my obsolete virus protection, do you suggest Kaspersky or Sophos Endpoint Protection, and which version?

Thanks in Advance!
younghvCommented:
The variant you have will be removed by proper use of a "rogue process" stopper and an updated version of Malwarebytes.

If you will try the actual steps I've outlined in my articles, then post the resultant logs, I will continue to try to help you.

If you are willing to do that, let me know.
mamelasAuthor Commented:
Dear younghv,

Noted with thanks.
I will follow your instructions and I will revert.

mamelasAuthor Commented:
Dear younghv,

I am attaching the exported reports of the two file servers using RogueKiller and selecting “1.scan” from the menu.
In FileServer2.txt there is a line: NameServer (10.1.1.1,208.67.222.222)
What is this public address?

Should I continue with Malwarebytes?

FileServer1.txt

FileServer2.txt
younghvCommented:
Yes, the second step is to scan with a fully updated Malwarebytes.
Did you download MBAM on a clean computer and rename the executable file before saving it to that computer?
mamelasAuthor Commented:
Yes, I downloaded the free version, I renamed the executable file to temp.exe, I updated the malware database and now Malwarebytes is running a Full Scan.

It has already found 2 infected objects... I will revert when it is finished.
mamelasAuthor Commented:
Dear younghv,

I am attaching the complete Malwarebytes scan reports for the 2 file servers.

The first server took more than 5 hours to complete and I don’t have the time to
repeat the Full Scan for both servers after the reboot is finished.

Finally I will use CCleaner to clean the temp folders.

As I posted when opening the question, I used Malwarebytes to
scan the mapped drives of the servers (it found only 2 viruses but not Expiro).
Scanning the mapped drives later on with Kaspersky found the Expiro virus.

Now the attached logs are indicating that there is no Expiro virus.

My question is... am I free of malware and Expiro now?
(because in my case the Expiro virus, living on the mapped drives,
was identified and cleaned by Kaspersky)

 MB-Server1.txt

MB-Server2.txt
mamelasAuthor Commented:
Dear younghv,

After rebooting the server, I was unable to run the MS Exchange POP3 service.
I rebooted the server again and now under Services there are only:
- Microsoft Exchange Event
- Microsoft Exchange Management
- Microsoft Exchange Routing Engine
PLS help!

I am also attaching some of the Warning and Error messages from the Application log of the Event Viewer: EventViewer.txt
Melannk24Commented:
This is a PE-file infecting virus and it downloads other code; until you have fully implemented a uniform enterprise virus solution with a supplemental utility like Malwarebytes for all computers and servers, I can't say with confidence you are virus-free.  With any software solution, there is nothing 100% foolproof either.  It seems you may be free of the Expiro virus based on what you have said so far....  There appears to have been a RAT tool installed on your servers based on the Malwarebytes log.

Concerning your other question about which enterprise virus solution to use, I've had great results with Sophos.  There is also a report that was done comparing AV solutions; you can take a look at that for useful information.  Good luck!

http://www.virusbtn.com/news/2011/04_15a.xml

http://www.av-test.org/certifications
mamelasAuthor Commented:
Dear Melannk24,

My mail server is now disconnected. Should I restore these "infected dlls"??

What do you suggest in order to temporarily recover the connection of my mail server?
mamelasAuthor Commented:
Please note that I have opened the question below in order to solve the Exchange Server connection error:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26973878.html
Melannk24Commented:
Those files are NOT associated with Exchange; restoring the infected .dlls won't help the issue.  I'm guessing, because the original malware is one that is noted to overwrite .exes with its own code, that the Exchange issues you are experiencing are related to corrupt files.

You've had a massive infection across your entire network, server side included.  In this situation, I would recommend re-imaging all infected machines, restoring the servers to baseline and then restoring server/user data from a safe date prior to the infection via tape or other media.
mamelasAuthor Commented:
Dear Melannk24,

Thanks for your response.

As I said to younghv, I don't have any commercial backup solution.

So it would be wiser to keep the server as it was and plan a future
re-installation of the servers.

Yesterday maybe I was infected, but the systems were working.
Now my mail server is out of order and I have less than 2 days to make it work.

Melannk24Commented:
The .dlls could be a dependency of the RAT tool causing system errors, but they are not part of an original Exchange installation.

I disagree on keeping the server as is, but this is your network.  I've dealt with many, many virus/malware infections, and once they hit a server and can spread, I've found it's safer to re-install.  Malware tends to download other malicious programs like remote access control apps, keyloggers, dialers, etc.  Some of these have a low detection rate too, and not all AV companies have seen all variants so as to have signatures updated.  Thus the recommendation to re-install and start clean.  I wish you luck and if there is anything else I can recommend or assist with, please don't bother to ask!

Good luck.
mamelasAuthor Commented:
Dear Melannk24, thanks for your support.

The infected mail/file server must be up and running. There are users that connect to it every day. I don't have a spare computer, and in case of re-installation the downtime would be big trouble for all.

I am also planning a new Server and Backup solution next Month.

That's why, as you can see in my earlier post, I was reluctant to scan the server.

What I need for now is to keep my cleaned data in a safe place and restore my mail server to its previous state as soon as possible...

Any idea of achieving that will be welcome!!
Melannk24Commented:
I assume that the mail server is separate from the file server..... based on your Malwarebytes log?  Both physical servers, any virtual?
mamelasAuthor Commented:
I have 2 physical servers.

The newer one is both mail server and file server.

The older one is Windows Update server, fax server and SQL server.

Now I have uninstalled the old antivirus from these servers and I am performing
a full scan using Kaspersky Antivirus for Servers.

After the last boot of the mail/file server the Event Viewer is fuller of logs than ever before.
I am also trying to re-install Exchange over the current installation...
mamelasAuthor Commented:
What worked for me:

Most of the clients were cleaned using Kaspersky Internet Security.
For some of them I had to do a clean re-installation.

The servers were also cleaned using Kaspersky Antivirus for Servers.

Regarding the Exchange services, a re-installation over the current
installation solved the problem.
mamelasAuthor Commented:
PARTIALLY ANSWERED
wk3Commented:
AVG also has an Expiro removal tool... I don't know how well it works.

http://free.avg.com/us-en/win32-expiro
mamelasAuthor Commented:
@wk3

Thanks for the comment.
I will keep it in mind.