W32.Espoleo


Aliases: W32/Espoleo.a
Variants: N/A

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 29 Jun 2007
Damage: Low

Characteristics: Like the Elerad virus, W32.Espoleo infects large numbers of portable executable (PE) files on local, shared and remote drives and downloads other threats. It also searches for and infects WINLOGON.EXE and MSIEXEC.EXE. The virus may corrupt an infected file, and it carries a patch that further spreads the infection. Its infection process begins by locating the kernel32.dll image base and the functions it needs.

More details about W32.Espoleo

Normally, the infection will not run if the compromised computer is running a different Windows operating system; however, this virus affects several Windows platforms, including Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 and Windows XP. Its infection routine also downloads other malware. It specifically searches for and infects Winlogon.exe and Msiexec.exe. To write its entry point, the virus uses unused space inside the Windows executable. It is also classified as a dropper: once executed, it drops a DLL into the Windows temporary folder and then infects the system directories, creating a file and a backup copy named “winlogon.exe” and “msiexec.exe.dll”.

The virus also opens a network connection to “hxxp://x731.com”. It can download an infected file remotely and drop it on the compromised computer; this copy is downloaded from http://www.hyap98.com/123/windo and is also a copy of W32.Gexin.A. The virus writes a text-file list of the Windows executables found on the discovered drives to a hard-coded path, in a file named win.log. W32.Espoleo can reach a computer not only through worms but also through other malicious software such as viruses and spyware. In doing so it can compromise the user's security information, mostly financial data such as bank account details, which the author can then examine and use.
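A host-side triage script for the indicators this entry names, added here as an example and not part of the original entry. It checks the Authenticode signatures of winlogon.exe and msiexec.exe, looks for a dropped msiexec.exe.dll in the system directories, lists recently written DLLs in the temporary folders, and searches for a win.log that lists executables; the win.log search roots are an assumption, since the entry does not give the hard-coded path.

```powershell
# Added triage example for the W32.Espoleo indicators described above.
# Assumption: the entry does not state where win.log is written, so
# $LogSearchRoots is a guess. Run from an elevated PowerShell session.
$System32        = Join-Path $env:SystemRoot 'System32'
$TargetsToVerify = @('winlogon.exe', 'msiexec.exe') | ForEach-Object { Join-Path $System32 $_ }
$TempFolders     = @($env:TEMP, (Join-Path $env:SystemRoot 'Temp'))
$LogSearchRoots  = @($env:SystemRoot, $env:TEMP, "$env:SystemDrive\")    # assumption
$Findings        = New-Object System.Collections.Generic.List[string]

# 1. The virus patches winlogon.exe and msiexec.exe; a modified Microsoft
#    binary no longer carries a valid Authenticode signature.
foreach ($path in $TargetsToVerify) {
    if (-not (Test-Path $path)) { $Findings.Add("MISSING: $path"); continue }
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') {
        $Findings.Add("UNSIGNED/MODIFIED: $path (status $($sig.Status))")
    }
}

# 2. A backup copy named msiexec.exe.dll is dropped into the system directories.
foreach ($dir in @($System32, $env:SystemRoot)) {
    Get-ChildItem -Path $dir -Filter 'msiexec.exe.dll' -ErrorAction SilentlyContinue |
        ForEach-Object { $Findings.Add("DROPPED BACKUP: $($_.FullName)") }
}

# 3. A DLL is dropped into the temporary folder on execution; list recent ones
#    for manual review rather than deleting anything automatically.
foreach ($dir in $TempFolders) {
    Get-ChildItem -Path $dir -Filter '*.dll' -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
        ForEach-Object { $Findings.Add("TEMP DLL: $($_.FullName) written $($_.LastWriteTime)") }
}

# 4. The virus writes the list of discovered executables to win.log. The name is
#    common, so only report files whose lines end in .exe.
foreach ($root in $LogSearchRoots) {
    Get-ChildItem -Path $root -Filter 'win.log' -Recurse -Depth 3 -ErrorAction SilentlyContinue |
        Where-Object { Select-String -Path $_.FullName -Pattern '\.exe\s*$' -Quiet } |
        ForEach-Object { $Findings.Add("WIN.LOG CANDIDATE: $($_.FullName)") }
}

if ($Findings.Count -eq 0) { 'No W32.Espoleo host indicators found.' } else { $Findings }
```

The network indicators named in the entry (x731.com and hyap98.com) are better checked in proxy or DNS logs than on the host, and a signature failure on winlogon.exe should be followed by restoring the file from installation media rather than by editing it in place.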