Seeing the Win32/Expiro.NDO detection name usually means that your system is in serious danger. This threat is classified as ransomware: malware that encrypts your files and demands payment for their decryption. Stopping it requires some unusual steps that must be taken as soon as possible.
Win32/Expiro.NDO is a detection you may encounter on your system. It usually appears after a triggering action on your computer: opening a dubious e-mail, clicking a banner on the Internet, or installing a program from an unreliable source. From the moment it appears, you have only a short time to act before it begins its harmful activity. And be sure, it is much better not to wait for these harmful things to happen.
What is Win32/Expiro.NDO virus?
Win32/Expiro.NDO Summary
In summary, the actions of Win32/Expiro.NDO ransomware on the infected computer are as follows:
- Behavioural detection: Executable code extraction – unpacking;
- SetUnhandledExceptionFilter detected (possible anti-debug);
- At least one process apparently crashed during execution;
- Yara rule detections observed from a process memory dump/dropped files/CAPE;
- Creates RWX memory;
- A process attempted to delay the analysis task;
- Dynamic (imported) function loading detected;
- Performs HTTP requests potentially not found in PCAP;
- CAPE extracted potentially suspicious content;
- Unconventional language used in binary resources: Hungarian;
- The binary contains an unknown PE section name indicative of packing;
- Authenticode signature is invalid;
- Creates a hidden or system file;
- Likely virus infection of existing system binary;
- Attempts to bypass application whitelisting by executing .NET utility in a suspended state, potentially for injection;
- CAPE detected the OnlyLogger malware family;
- Attempts to modify proxy settings;
- Encrypting the documents kept on the victim's drive, so the victim cannot open these documents;
- Blocking the launching of .exe files of anti-virus programs;
- Blocking the launching of installation files of anti-virus apps.
Ransomware has been a headache for the last 4 years. It is hard to imagine a more damaging kind of malware for both individual users and organizations. The algorithms used in Win32/Expiro.NDO (typically RHA-1028 or AES-256) cannot be broken, with minor exceptions. Brute-forcing the key would take far longer than our galaxy has existed, and possibly longer than it will exist. But this malware does not do all these horrible things instantly: it can take up to a few hours to encrypt all of your documents. Hence, seeing the Win32/Expiro.NDO detection is a clear signal that you should start the cleanup process.
Where did I get the Win32/Expiro.NDO?
The general distribution methods of Win32/Expiro.NDO are the same as for all other ransomware variants: short-lived landing websites where victims are offered free software downloads, so-called bait e-mails, and hacktools. Bait e-mails are a relatively modern method of malware distribution: you receive an e-mail that imitates a routine notification about a shipment or a change in your bank's terms of service. Inside the e-mail there is an infected MS Office file, or a link that opens an exploit landing page.

Malicious e-mail message. This one tricks you into opening the phishing website.
Preventing it looks fairly simple, but it still requires a lot of attention. Malware can hide in many places, and it is better to stop it before it gets into your system than to rely on an anti-malware program. Basic cybersecurity knowledge is an essential skill in the modern world, even if your use of a PC is limited to watching YouTube videos. It may save you a lot of time and money that you would otherwise spend searching for a solution.
Win32/Expiro.NDO malware technical details
File Info:
name: 114503254BA9C9198D08.mlw
path: /opt/CAPEv2/storage/binaries/1e63c700ced6302b0a5ce4ce22efabf64bb9c7a39378c60ea51fdcaef1580124
crc32: EF464ED5
md5: 114503254ba9c9198d08f951652be5e5
sha1: 284dcdd7a3c38875509e132dde26aa96f0311f8e
sha256: 1e63c700ced6302b0a5ce4ce22efabf64bb9c7a39378c60ea51fdcaef1580124
sha512: 17ced0ee18cbbe58994ff91b0ea51faa8dd0c0f801ba852dace8f2a9553526239ad758429eee73d6cf41c57fe591983098554261ec12d9f1d41e29433e58c030
ssdeep: 12288:wRe6abo2ZXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:4UZsqjnhMgeiCl7G0nehbGZpbD
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T17F7522696784417BD4732AB941B9E71D5C2B3ED2AD348087BA1639BEFEB31C04E35213
sha3_384: 59994e3b7b87022191e86f5bbdda7c74be45016bc4785977913f841c9a555c514361ec4e39753fa532d48361a7db94ad
ep_bytes: e881280000e979feffff8bff558bec8b
timestamp: 2020-11-28 15:44:43
Version Info:
InternationalName: bomgvioci.iwa
Copyright: Copyrighz (C) 2021, fudkort
ProjectVersion: 3.14.72.77
Translation: 0x0129 0x07bc
Win32/Expiro.NDO also known as:
| Vendor | Detection name |
| --- | --- |
| Bkav | W32.AIDetect.malware1 |
| Elastic | malicious (high confidence) |
| MicroWorld-eScan | Gen:Variant.Babar.30049 |
| FireEye | Generic.mg.114503254ba9c919 |
| ALYac | Gen:Variant.Babar.30049 |
| Cylance | Unsafe |
| Sangfor | Trojan.Win32.Save.a |
| K7AntiVirus | Trojan ( 0058c5711 ) |
| Alibaba | Ransom:Win32/StopCrypt.820da434 |
| K7GW | Trojan ( 0058c5711 ) |
| Cybereason | malicious.7a3c38 |
| Cyren | W32/Expiro.AU.gen!Eldorado |
| Symantec | ML.Attribute.HighConfidence |
| ESET-NOD32 | Win32/Expiro.NDO |
| APEX | Malicious |
| Paloalto | generic.ml |
| ClamAV | Win.Dropper.Lockbit-9917808-0 |
| Kaspersky | UDS:Trojan.Win32.Generic |
| BitDefender | Gen:Variant.Babar.30049 |
| NANO-Antivirus | Virus.Win32.Virut-Gen.bwpxnc |
| Avast | Win32:CrypterX-gen [Trj] |
| Tencent | Win32.Virus.Expiro.Duwb |
| Ad-Aware | Gen:Variant.Babar.30049 |
| Sophos | Mal/Generic-S + Mal/Agent-AWV |
| DrWeb | Win32.Expiro.153 |
| TrendMicro | Ransom_StopCrypt.R002C0DA322 |
| McAfee-GW-Edition | BehavesLike.Win32.Generic.tt |
| Emsisoft | Gen:Variant.Babar.30049 (B) |
| Ikarus | Trojan.Win32.Crypt |
| GData | Gen:Variant.Babar.30049 |
| Jiangmin | Trojan.Bsymem.bwd |
| MAX | malware (ai score=82) |
| Microsoft | Ransom:Win32/StopCrypt.PU!MTB |
| Cynet | Malicious (score: 100) |
| AhnLab-V3 | Trojan/Win.FSWW.R460591 |
| Acronis | suspicious |
| McAfee | Lockbit-FSWW!114503254BA9 |
| VBA32 | Trojan.Sabsik.TE |
| Malwarebytes | Trojan.MalPack.GS |
| TrendMicro-HouseCall | Ransom_StopCrypt.R002C0DA322 |
| Rising | Trojan.Raccrypt!8.12B71 (CLOUD) |
| SentinelOne | Static AI – Malicious PE |
| eGambit | Unsafe.AI_Score_99% |
| Fortinet | W32/Expiro.NDO!tr |
| BitDefenderTheta | Gen:NN.ZexaF.34114.LvW@aiXbfIbK |
| AVG | Win32:CrypterX-gen [Trj] |
| Panda | Generic Suspicious |
| CrowdStrike | win/malicious_confidence_90% (W) |
| MaxSecure | Trojan.Malware.300983.susgen |