Trojan.Exprez.B Hitting Spanish Regions

Over the past number of days, we have received feedback from customers that the number of Trojan.Exprez.B detections in Spanish regions has been steadily increasing. Trojan.Exprez.B is a file infector that replaces .exe, .doc, and .docx files on a compromised computer with a copy of itself. This copy of the Trojan also contains the original file, which has been encrypted and appended to the end of the threat.

Not all locations on a computer are susceptible to infection and the threat skips drives with the following properties:

  • The drive type is DRIVE_NO_ROOT_DIR
  • The drive type is DRIVE_CDROM
  • The drive type is DRIVE_UNKNOWN
  • The drive has a "System Volume Information" folder

When executed, the threat decrypts an .exe, .doc, or .docx file that is appended to the end of itself. It then saves itself to the current folder and launches the default application for that file extension (e.g. Microsoft Word). When the application is closed, the threat then deletes the saved file.

Next, the threat creates the following file, which is a copy of the executable part of the threat (without the appended document):
%UserProfile%\Application Data\Microsoft\[EIGHT RANDOM UPPERCASE CHARACTERS].exe (Trojan.Exprez!gen1)

When the computer restarts, the above file is moved to the following location:
%Windir%\xpsp2res.dll

The threat infects .exe, .doc, and .docx files by encrypting and appending them to the end of itself. Infected .exe files will retain their original file name so no additional action is necessary after the threat has been removed.

Document files, however, are renamed in the following manner:
[ORIGINAL FILE NAME].docx becomes [ORIGINAL FILE NAME]xcod.scr

Customers should note that after the threat has been removed, the modified .doc and .docx files will still have the modified file extension as part of the file name, i.e. "[ORIGINAL FILE NAME]xcod.scr". Customers should manually rename these files to [ORIGINAL FILE NAME].doc or [ORIGINAL FILE NAME].docx as appropriate.

The following is an example of the three stages that a document can go through:

  1. The document gets infected and its name and icon change:
  2. The document gets repaired but is left with the wrong file extension:
  3. The document gets renamed to the correct file extension:

Currently the infected files are detected as Trojan.Exprez.B and the dropped malicious binary files are detected as Trojan.Exprez!gen1.