The Xpiro family of file infectors went a long time without improvements from its authors, but experts found that the latest versions come with a series of interesting capabilities. According to Symantec researchers, the new Xpiro file infectors are persistent in nature. They are also designed to infect both 32-bit and 64-bit executable files, particularly those for the Intel 386 (32-bit), Intel 64 (64-bit) and AMD64 (64-bit) architectures.
Once it lands on a computer, Xpiro starts infecting Win32 service files. Then, it looks for .lnk files on the victim’s desktop and in the Start menu, and infects them.
The cybercriminals target link files because they’re aware these have the highest probability of being executed after a system reboot.
In the final phase, executable files from all fixed, removable and mapped drives are infected.
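A file infector rewrites executables on disk, so a hash baseline of PE files exposes the change regardless of architecture. The script below is an added example, not code from the article or from Symantec: it records the SHA-256 and the PE header Machine field of every executable under a directory and reports the ones that changed. The function names and the constructed sample headers are assumptions made for illustration.

```python
import hashlib
import struct
import tempfile
from pathlib import Path

# COFF Machine values from the PE format specification.
MACHINES = {0x014C: "I386", 0x8664: "AMD64", 0x0200: "IA64"}

def pe_machine(data):
    """Return the Machine name of a PE image, or None if data is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE header
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return MACHINES.get(machine, hex(machine))

def snapshot(root):
    """Map every PE file under root to (sha256, machine)."""
    found = {}
    for path in Path(root).rglob("*"):
        try:
            data = path.read_bytes() if path.is_file() else b""
        except OSError:
            continue  # locked or unreadable file: skip it
        machine = pe_machine(data)
        if machine:
            found[str(path)] = (hashlib.sha256(data).hexdigest(), machine)
    return found

def changed_executables(baseline, current):
    """Return sorted (path, machine) for PE files whose hash differs from baseline."""
    return sorted((p, m) for p, (h, m) in current.items()
                  if p in baseline and baseline[p][0] != h)

def fake_pe(machine, body=b""):
    """Constructed PE-like header for the demo; not a loadable image."""
    return (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
            + b"PE\0\0" + struct.pack("<H", machine) + body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        svc = Path(root, "svc32.exe")
        svc.write_bytes(fake_pe(0x014C, b"original"))
        Path(root, "app64.exe").write_bytes(fake_pe(0x8664))
        baseline = snapshot(root)
        svc.write_bytes(fake_pe(0x014C, b"original" + b"appended"))  # simulated change
        print(changed_executables(baseline, snapshot(root)))
```

Reading whole files into memory is fine for a spot check; for full drives, hash in chunks and keep the baseline off the monitored host.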