Home / malware Virus:Win32/Quervar.A
First posted on 24 May 2012.
Source: MicrosoftAliases :
There are no other names known for Virus:Win32/Quervar.A.
Explanation :
Virus:Win32/Quervar.A is a virus that infects specific Microsoft Office document files and executable files.
Installation
When an infected file is run, it drops and runs the original host file in the current folder as a hidden file with a randomly generated name to make it appear as if it is not infected.
Virus:Win32/Quervar.A then drops copies of itself as the following:
Spreads via...
- %AppData%\Microsoft\<random characters>.exe
- %windir%\xpsp2res.dll
File infection
Virus:Win32/Quervar.A infects the following file types:
- .doc
- .docx
- .exe
It searches for files to infect in all logical drives except those labeled as:
- CDROM drives
- Unknown drives
Virus:Win32/Quervar.A infects files by creating copies of itself with the original host file encrypted at the end. If the host file is a .doc or .docx file, the infected file is named using the following format:
<original host file name>xcod.scr
If the host file is an .exe file, the infected file name is the same as the host file.
The host files are then deleted, so only the infected files remain.
Payload
Connects to certain servers
Virus:Win32/Quervar.A connects to any of the following servers:
- avtoclub.eu
- vnk.sk
- 1nlreality.sk
- forum.perfect-privacy.com
Terminates system processes
Virus:Win32/Quervar.A may prevent Task Manager from running.
Analysis by Francis Allan Tan Seng
Last update 24 May 2012