Virus:Win32/Quervar.B
First posted on 09 August 2012.
Source: Microsoft
Aliases:
There are no other names known for Virus:Win32/Quervar.B.
Explanation:
Virus:Win32/Quervar.B is a virus that infects specific Microsoft Office document files and executable files. In the wild, we have observed the virus infecting files with the following file extensions:
- .DOC
- .EXE
- .XLS
Installation
Virus:Win32/Quervar.B drops the virus body as the following:
%AppData%\<random>\<random>.exe (for example, %AppData%\KA7YQ0\A1S09G.exe)
The virus also drops a shortcut file as <dropped virus body path>.lnk, for example %AppData%\KA7YQ0\A1S09G.exe.lnk, which points to the virus body with the following parameter:
"-launcher"
Virus:Win32/Quervar.B makes the following changes to the registry to ensure its execution each time Windows starts:
In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "Load"
With data: <dropped LNK file>
It will then launch the dropped LNK file immediately.
Virus:Win32/Quervar.B creates an event "SayHellotomyLittleFriend" and an atom "BreakingBad" to make sure that only one payload is running at any given time.
Spreads via...
File infection
The virus tries to infect files with the following extensions:
- .DOC
- .EXE
- .XLS
It does this by encrypting the original file and prepending itself to it. It targets all drives except unknown device types, CD-ROM drives, and drives that have a "System Volume Information" folder in the root.
An infected DOC file is named <original file name><unicode right-to-left mark>cod.scr, and an infected XLS file is named <original file name><unicode right-to-left mark>slx.scr. The right-to-left control character causes the trailing "cod.scr" or "slx.scr" to be displayed reversed, so the name appears to end in "rcs.doc" or "rcs.xls" and the executable .scr extension is disguised.
When the infected file runs, the original file is dropped into the same directory under a random name, for example Z3NTZ8, and opened. This randomly named file is given the "hidden" and "system" attributes.
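As an added example (not part of the Microsoft write-up), the following Python helper checks for the two host artifacts described in the Installation and File infection sections: filenames carrying a right-to-left control character before a reversed "cod.scr"/"slx.scr" tail, and a non-empty Load value of the form the virus writes. The registry data is passed in as a string (reading it with winreg or reg query is left to the caller); the sample names and paths are constructed.

```python
"""Hunt for the Quervar.B host artifacts described above (added example, not Microsoft's code)."""
import os

# Bidirectional control characters an infector may place before the reversed extension.
# The write-up names the right-to-left mark (U+200F); the override (U+202E) is the classic variant.
BIDI_CONTROLS = ("\u200f", "\u202e")
# Reversed "doc.scr" / "xls.scr" tails from the write-up -> real document extension
SUSPICIOUS_TAILS = {"cod.scr": ".doc", "slx.scr": ".xls"}


def classify_name(name: str):
    """Return (original name, document extension) if `name` follows the infected pattern."""
    for tail, doc_ext in SUSPICIOUS_TAILS.items():
        for ctrl in BIDI_CONTROLS:
            marker = ctrl + tail
            if name.endswith(marker):
                return name[: -len(marker)], doc_ext
    return None


def scan_tree(root: str):
    """Walk `root` and return (path, original name, document extension) for each hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            found = classify_name(fname)
            if found:
                hits.append((os.path.join(dirpath, fname), found[0], found[1]))
    return hits


def load_value_verdict(data: str) -> str:
    """Judge the data of HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load.

    This legacy value is normally absent or empty, so anything present deserves a look:
    'empty'           - nothing to run at logon
    'quervar-pattern' - an .exe.lnk under AppData, as described for Quervar.B
    'review'          - any other non-empty value; verify its target by hand
    """
    value = data.strip().strip('"').lower()
    if not value:
        return "empty"
    in_appdata = "%appdata%" in value or "\\appdata\\" in value
    if in_appdata and value.endswith(".exe.lnk"):
        return "quervar-pattern"
    return "review"


if __name__ == "__main__":
    # Constructed sample names, not real infection data
    for sample in ("report\u200fcod.scr", "budget\u202eslx.scr", "notes.doc"):
        print(repr(sample), "->", classify_name(sample))
    print(load_value_verdict(r"%AppData%\KA7YQ0\A1S09G.exe.lnk"))
```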
Payload
Contacts remote hosts
Virus:Win32/Quervar.B contacts remote hosts to report infection and retrieve commands; in the wild, we have observed it contacting the following server for this purpose:
hxxp://reslove-dns.com/bl/in.php
Note: At the time of analysis, this server returned empty commands.
The virus may contact a remote host for any number of purposes, commonly to:
- Update itself
- Download additional files
Terminates system processes
Virus:Win32/Quervar.B attempts to close Windows Task Manager periodically.
Analysis by Shawn Wang
Last update 09 August 2012