There have been attacks involving the Trojan.Exprez.B Trojan in Spain, Denmark, and The Netherlands. Also known as Dorifel and XdocCrypt, Trojan.Exprez.B exhibits some puzzling behavior that can be difficult to reverse without a reliable, fully updated anti-malware program. Mainly aimed at high-profile targets, such as businesses and government institutions, Trojan.Exprez.B has also been associated with attacks involving the Zeus Trojan. As of August 2012, there have been thousands of attacks across Western Europe. One of the most worrying aspects of the Trojan.Exprez.B attacks is that the evidence points to them being part of a larger strategy involving banking Trojans and an identity theft ring. Phishing email messages are the main source of Trojan.Exprez.B infections.
The main characteristic of Trojan.Exprez.B variants is that they encrypt files on the infected computer, mainly targeting Microsoft Word and Microsoft Excel files. Seizure of various servers associated with Trojan.Exprez.B has led to worries that this threat is part of a large-scale identity theft operation. Apart from Trojan.Exprez.B itself, law enforcement officials also uncovered other malware threats and a large number of stolen identities and banking details. It seems that the components that allow Trojan.Exprez.B to spread from one computer to another (by encrypting files) also allow it to increase the size of the dangerous botnets associated with the Zeus and Citadel Trojans. In fact, ESG security researchers have uncovered variants of Trojan.Exprez.B that contain a component that downloads and installs the Citadel Trojan on the victim’s computer.
How the Trojan.Exprez.B Attack Works
Trojan.Exprez.B has the capability to spread to all removable drives, shared folders and shared drives. This gives the Trojan some worm-like capabilities that allow Trojan.Exprez.B to spread from one computer to another, a feature that most traditional Trojans lack. As of August 2012, Trojan.Exprez.B has started to infect files with the XLS and XLSX extensions (that is, Microsoft Excel files). It has also started to include a malicious URL hidden in an image file disguised as a poster for the popular show Breaking Bad. Fortunately, using an updated anti-malware utility can remove most variants of Trojan.Exprez.B from an infected computer. ESG malware analysts advise using a security application that can decrypt infected files and restore them to normal. In some cases, it may be essential to change the file’s extension manually, which is easily done in Windows.
How Can You Detect Trojan.Exprez.B?
Trojan.Exprez.B Removal Details
Trojan.Exprez.B typically has the following processes in memory:
- %UserProfile%\Application Data\Microsoft\[EIGHT RANDOM UPPERCASE CHARACTERS].exe
Trojan.Exprez.B creates the following files in the system:
- [ORIGINAL FILE NAME].docx becomes [ORIGINAL FILE NAME]xcod.scr
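The two file-system indicators above (the eight-uppercase-letter process image under Application Data\Microsoft, and the document renaming in which .docx becomes xcod.scr) can be turned into a small triage script. The following is an added example written for this page, not code from the page or from any anti-malware vendor: it flags paths that match either indicator and maps a renamed file back to its original document name so an analyst knows which documents need decrypting. All sample paths are constructed; extending the reversed-extension renaming scheme from .docx to .doc, .xls and .xlsx is an assumption, since the page only documents the .docx case. Renaming alone does not decrypt a file; the page's advice to use a tool that decrypts and restores the documents still applies.

```python
"""Constructed example: flag the two file-system indicators this page lists for
Trojan.Exprez.B (Dorifel) and recover the original document names.
Not the page's or any vendor's tooling; all sample file names are made up."""
import re
from pathlib import PureWindowsPath

# Indicator 1 (from the page): a process image at
# %UserProfile%\Application Data\Microsoft\<EIGHT RANDOM UPPERCASE CHARACTERS>.exe
PROCESS_NAME_RE = re.compile(r"[A-Z]{8}\.exe")

# Indicator 2 (from the page): name.docx is renamed to namexcod.scr, i.e. the
# extension is reversed and ".scr" is appended. Applying the same scheme to
# .doc/.xls/.xlsx is an assumption; the page only documents the .docx case.
TARGET_EXTENSIONS = ("docx", "doc", "xlsx", "xls")
RENAME_MARKERS = {ext[::-1] + ".scr": ext for ext in TARGET_EXTENSIONS}


def is_suspicious_process(image_path: str) -> bool:
    """True if the image path matches the page's process indicator.
    Directory names are compared case-insensitively; the file name must be
    exactly eight uppercase letters plus .exe, as the page describes."""
    p = PureWindowsPath(image_path)
    parts = [part.lower() for part in p.parts]
    return (
        len(parts) >= 3
        and parts[-3] == "application data"
        and parts[-2] == "microsoft"
        and PROCESS_NAME_RE.fullmatch(p.name) is not None
    )


def original_name(renamed: str):
    """Map 'reportxcod.scr' back to 'report.docx'; None if no marker matches.
    Longer markers are tried first so 'xcod.scr' wins over 'cod.scr'. A stem
    that itself ends in 'x' remains ambiguous (fooxcod.scr could have been
    foox.doc or foo.docx); the analyst has to resolve those by hand."""
    name = PureWindowsPath(renamed).name
    for marker in sorted(RENAME_MARKERS, key=len, reverse=True):
        if name.endswith(marker) and len(name) > len(marker):
            return name[: -len(marker)] + "." + RENAME_MARKERS[marker]
    return None


def triage(paths):
    """Return (renamed_docs, suspicious_processes) for a list of paths.
    renamed_docs maps each renamed path to the recovered document name."""
    renamed = {p: original_name(p) for p in paths if original_name(p)}
    procs = [p for p in paths if is_suspicious_process(p)]
    return renamed, procs


# Constructed sample input: a mix of clean and indicator-matching paths.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\Q3 reportxcod.scr",
    r"C:\Users\alice\Documents\budgetslx.scr",
    r"C:\Users\alice\Documents\notes.docx",
    r"C:\Documents and Settings\alice\Application Data\Microsoft\QWERTYUI.exe",
    r"C:\Documents and Settings\alice\Application Data\Microsoft\update.exe",
    r"C:\Windows\System32\svchost.exe",
]

if __name__ == "__main__":
    renamed_docs, suspicious = triage(SAMPLE_PATHS)
    for bad, good in renamed_docs.items():
        print(f"renamed document: {bad} -> {good}")
    for proc in suspicious:
        print(f"suspicious process image: {proc}")
```

In practice the path list would come from a directory walk of the user's document folders and shares plus the image paths of running processes; the functions are kept path-based so they can be fed from either source. Only names that match the indicators exactly are flagged, so an unrelated .scr file or a lowercase executable under the same directory is not reported.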