How to remove “Win32/Expiro.NDU”?

Win32/Expiro.NDU is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager process list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It lets you run a complete scan and clean your PC during the trial period.
A 6-day free trial is available.

What can the Win32/Expiro.NDU virus do?

  • Behavioural detection: Executable code extraction – unpacking
  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Dynamic (imported) function loading detected
  • CAPE extracted potentially suspicious content
  • Authenticode signature is invalid
  • Likely virus infection of existing system binary

How to identify Win32/Expiro.NDU?

File Info:

name: 8DACEAB2ED261C1B964F.mlw
path: /opt/CAPEv2/storage/binaries/c4d0d32b084e3f3b11c11a2bd80fa88151daf67fea69f21bf6d3d16cf60544c2
crc32: 272CA061
md5: 8daceab2ed261c1b964f872a2ddfc78d
sha1: 00fb99685fcd6c53c154aa6e9076f3d51cd98621
sha256: c4d0d32b084e3f3b11c11a2bd80fa88151daf67fea69f21bf6d3d16cf60544c2
sha512: 885e332a80ec63aad2557365c14188109df7eb8b0b8e61fb0746554a972f7a8b7cba190d5790b4f205b283dd317d39a43d60efef16c2a3d92543d6df993c82f3
ssdeep: 12288:V2QJS39W4RIbSC22MveGtzRk2qrpl1ShnmINqRSUQ8fqR4zhzU:sZWRSC22MvHtsrrghnm2qRSUQ8fqSU
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T17A5523123AD6C4F6C36F2DB4E495A63196FC791028D1F20BFB973BCD2A784829134762
sha3_384: 55fdd7036d17d2501ca4507fe046d6c218c2be6a1f4f0d6dabe877b8a9b7d822ca1f73a70b536bf6dd340b9f05648cc3
ep_bytes: e8f70f0900e939fdffffff2528120010
timestamp: 2014-02-27 08:58:43

Version Info:

CompanyName: Microsoft Corporation
FileDescription: .NET Runtime Optimization Service
FileVersion: 2.0.50727.5483 (Win7SP1GDR.050727-5400)
InternalName: mscorsvw.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFilename: mscorsvw.exe
ProductName: Microsoft® .NET Framework
ProductVersion: 2.0.50727.5483
Comments: Flavor=Retail
Translation: 0x0409 0x04b0

Win32/Expiro.NDU also known as:

Bkav: W32.AIDetect.malware1
DrWeb: Win32.Expiro.153
MicroWorld-eScan: Gen:Variant.Zusy.311792
FireEye: Generic.mg.8daceab2ed261c1b
ALYac: Gen:Variant.Zusy.311792
Sangfor: Trojan.Win32.Save.a
CrowdStrike: win/malicious_confidence_60% (D)
Cyren: W32/Expiro.AU.gen!Eldorado
Symantec: ML.Attribute.HighConfidence
ESET-NOD32: a variant of Win32/Expiro.NDU
Kaspersky: VHO:Trojan.Win32.Waldek.gen
BitDefender: Gen:Variant.Zusy.311792
NANO-Antivirus: Virus.Win32.Virut-Gen.bwpxnc
Avast: Win32:Xpirat-B [Inf]
Ad-Aware: Gen:Variant.Zusy.311792
Emsisoft: Gen:Variant.Zusy.311792 (B)
Microsoft: Trojan:Win32/Sabsik.FL.B!ml
GData: Gen:Variant.Zusy.311792
Cynet: Malicious (score: 100)
AhnLab-V3: Malware/Win.Generic.R461781
MAX: malware (ai score=88)
VBA32: Trojan.Sabsik.TE
Malwarebytes: Malware.Heuristic.1001
APEX: Malicious
Rising: Trojan.Generic@ML.80 (RDML:NFW8wqzTIrDCWfCZv7ECGw)
SentinelOne: Static AI – Malicious PE
Fortinet: W32/Expiro.NDO!tr
AVG: Win32:Xpirat-B [Inf]
Cybereason: malicious.2ed261

How to remove Win32/Expiro.NDU?

Win32/Expiro.NDU removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • “Move to quarantine” all detected items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the proper browser and options, then click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.