Trojan:Win32/Quervar.A
First posted on 24 May 2012.
Source: Microsoft
Aliases:
There are no other names known for Trojan:Win32/Quervar.A.
Explanation:
Virus:Win32/Quervar.A is a virus that infects specific Microsoft Office document files and executable files.
Installation
When an infected file is run, it drops the original host file into the current folder as a hidden file with a randomly generated name and runs it, so that the file appears not to be infected.
Virus:Win32/Quervar.A then drops copies of itself as the following:
- %AppData%\Microsoft\<random characters>.exe
- %windir%\xpsp2res.dll
Spreads via...
File infection
Virus:Win32/Quervar.A infects the following file types:
- .doc
- .docx
- .exe
It searches for files to infect in all logical drives except those labeled as:
- CDROM drives
- Unknown drives
Virus:Win32/Quervar.A infects files by creating copies of itself with the original host file encrypted at the end. If the host file is a .doc or .docx file, the infected file is named using the following format:
<original host file name>xcod.scr
If the host file is an .exe file, the infected file name is the same as the host file.
The host files are then deleted, so only the infected files remain.
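The dropped-copy locations under Installation and the infected-document name format above can be checked on a suspect system with a short triage script. The following is an added example, not part of the original analysis; the function names, indicator labels and sample file names are constructed for illustration, and every hit is a lead to confirm rather than a verdict.

```python
import os
import tempfile
from pathlib import Path

DOC_MARKER = "xcod.scr"       # name suffix of infected .doc/.docx copies (from the description)
DROPPED_DLL = "xpsp2res.dll"  # copy dropped directly in %windir% (from the description)

def scan(roots, appdata, windir):
    """Return sorted (indicator, path) leads; each one still needs analyst confirmation."""
    leads = set()
    dll = Path(windir) / DROPPED_DLL
    if dll.is_file():
        leads.add(("dropped-dll", str(dll)))
    # %AppData%\Microsoft\<random characters>.exe: top level of that folder only.
    ms_dir = Path(appdata) / "Microsoft"
    if ms_dir.is_dir():
        for entry in ms_dir.iterdir():
            if entry.is_file() and entry.suffix.lower() == ".exe":
                leads.add(("appdata-exe", str(entry)))
    # "<original host file name>xcod.scr" anywhere under the given roots.
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower().endswith(DOC_MARKER) and len(name) > len(DOC_MARKER):
                    leads.add(("infected-doc", os.path.join(dirpath, name)))
    return sorted(leads)

def demo():
    """Run scan() over a constructed directory tree and return (indicator, file name) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        constructed = [
            "windir/xpsp2res.dll",               # flagged: dropped copy in %windir%
            "windir/system32/xpsp2res.dll",      # not flagged: different folder
            "appdata/Microsoft/qzkwpt.exe",      # flagged: .exe at top of %AppData%\Microsoft
            "appdata/Microsoft/Word/addin.exe",  # not flagged: subfolder
            "docs/budgetxcod.scr",               # flagged: infected-document name format
            "docs/sub/REPORTXCOD.SCR",           # flagged: match is case-insensitive
            "docs/notes.docx",                   # not flagged
        ]
        for rel in constructed:
            path = base / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(b"constructed sample, not malware")
        leads = scan([base / "docs"], base / "appdata", base / "windir")
        return [(kind, Path(p).name) for kind, p in leads]

if __name__ == "__main__":
    print(demo())
```

On a live host, pass the drive roots to search plus the resolved values of `%AppData%` and `%windir%` to `scan()`.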
Payload
Connects to certain servers
Virus:Win32/Quervar.A connects to any of the following servers:
- avtoclub.eu
- vnk.sk
- 1nlreality.sk
- forum.perfect-privacy.com
Terminates system processes
Virus:Win32/Quervar.A may prevent Task Manager from running.
Analysis by Francis Allan Tan Seng
Last update 24 May 2012