Win32/Quervar [Threat Name]

Win32/Quervar.C [Threat Variant Name]

Available cleaner [Download Quervar.C Cleaner ]

Category: virus
Detection created: Aug 08, 2012
Signature database version: 7368
Aliases: Virus:.Win32/Quervar.B (Microsoft)

Short description

Win32/Quervar.C is a file infector.

Installation

When executed, the virus copies itself into the following location:

  • %appdata%\%variable1%\%variable2%.exe

The virus may create the following files:

  • %appdata%\%variable1%\%variable3%.tmp
  • %temp%\%variable4%.tmp

A string with variable content is used instead of %variable1-4%.


The virus creates the following files:

  • %appdata%\%variable1%\%variable2%.exe.lnk

The file is a shortcut to a malicious file.


In order to be executed on every system start, the virus sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    • "load" = "%appdata%\%variable1%\%variable2%.exe.lnk"

The following Registry entries are created:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    • "GlobalUserOffline" = 0

File infection

The virus searches local drives for files with the following file extensions:

  • .exe (32 bit)
  • .doc
  • .docx
  • .xlsx
  • .xls

The virus infects files by appending the original file into the resources section of the malware binary.


The virus avoids infecting files stored on drives which contain the following folders:

  • %drive%\System Volume Information\

The name of the infected file is changed to one of the following strings:

  • %originalfilename%
  • %originalfilename%%specialchar%cod.scr
  • %originalfilename%%specialchar%slx.scr

When the infected file is executed, the original file is dropped to a temporary file.


The original file is then executed.


The name of the temporary file is one of the following:

  • %variable%
  • %infectedfile%--.doc
  • %infectedfile%--.xls

A string with variable content is used instead of %variable%.
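
The following is an added example, not part of the original description or of any vendor tool: it checks a file listing and the exported "load" value (HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows) against the naming patterns listed above. It assumes %specialchar% is an invisible Unicode format or control character, which the description does not specify; the function names, sample paths, user name and "load" value are constructed for illustration.

```python
import ntpath
import unicodedata

# Suffixes listed above for renamed infected files and for dropped originals.
RENAMED_SUFFIXES = ("cod.scr", "slx.scr")
DROPPED_SUFFIXES = ("--.doc", "--.xls")

def classify_name(path):
    """Return a label if the file name matches a naming pattern listed above."""
    name = ntpath.basename(path).lower()
    for suffix in RENAMED_SUFFIXES:
        stem = name[: -len(suffix)]
        # Assumption: %specialchar% is a Unicode format (Cf) or control (Cc) character.
        if name.endswith(suffix) and stem and unicodedata.category(stem[-1]) in ("Cf", "Cc"):
            return "renamed-infected-file"
    if name.endswith(DROPPED_SUFFIXES):
        return "dropped-original"
    return None

def load_value_suspicious(value, appdata):
    """True if 'load' points to a .exe.lnk exactly one folder below %appdata%."""
    value = ntpath.normcase(ntpath.normpath(value.strip('"')))
    root = ntpath.normcase(ntpath.normpath(appdata))
    if not value.endswith(".exe.lnk") or not value.startswith(root + "\\"):
        return False
    relative = value[len(root) + 1:]
    return relative.count("\\") == 1  # %variable1%\%variable2%.exe.lnk

def triage(paths, load_value, appdata):
    """Collect (item, label) findings from a file listing and the 'load' value."""
    findings = [(p, classify_name(p)) for p in paths if classify_name(p)]
    if load_value and load_value_suspicious(load_value, appdata):
        findings.append((load_value, "load-autostart-lnk"))
    return findings

# Constructed sample data (not taken from a real host).
SAMPLE_APPDATA = r"C:\Users\alice\AppData\Roaming"
SAMPLE_PATHS = [
    "D:\\share\\budget\u202eslx.scr",   # U+202E stands in for %specialchar%
    "D:\\share\\report\u202ecod.scr",
    r"D:\share\notes.docx",
    r"C:\Users\alice\AppData\Local\Temp\budget.scr--.xls",
    r"D:\share\decod.scr",              # ordinary letter before the suffix: no match
]
SAMPLE_LOAD = r"C:\Users\alice\AppData\Roaming\Qx7ab\Zk91.exe.lnk"

if __name__ == "__main__":
    for item, label in triage(SAMPLE_PATHS, SAMPLE_LOAD, SAMPLE_APPDATA):
        print(f"{label}: {item!r}")
```

A match is a lead for further inspection, not a verdict: the "--.doc" and "--.xls" suffixes in particular can occur in unrelated file names.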

Information stealing

The virus collects the following information:

  • a list of recently visited URLs
  • file(s) content

Other information

The virus quits immediately if any of the following applications is detected:

  • taskmgr.exe

The virus may create the text file:

  • %infectedfile%.ini

The virus acquires data and commands from a remote computer or the Internet.


The virus contains a list of URLs. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
