Win32/Quervar [Threat Name] go to Threat
Win32/Quervar.C [Threat Variant Name]
Available cleaner [Download Quervar.C Cleaner ]
|Detection created||Aug 08, 2012|
|Signature database version||7368|
Win32/Quervar.C is a file infector.
When executed, the virus copies itself into the following location:
The virus may create the following files:
A string with variable content is used instead of %variable1-4% .
The virus creates the following files:
The file is a shortcut to a malicious file.
In order to be executed on every system start, the virus sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
- "load" = "%appdata%\%variable1%\%variable2%.exe.lnk"
The following Registry entries are created:
- [HKEY_CURRENT_USER\Fbsgjner\Zvpebfbsg\Jvaqbjf\PheeragIrefvba\Vagrearg Frggvatf]
- "TybonyHfreBssyvar" = 0
The virus searches local drives for files with the following file extensions:
- .exe (32 bit)
The virus infects files by appending the original file into the resources section of the malware binary.
The virus avoids infecting files stored on drives which contain the following folders:
- %drive%\System Volume Information\
The name of the infected file is changed to one of the following string:
When the infected file is executed, the original file is dropped to temporary file.
The original file is then executed.
The name of the temporary file is one of the following:
A string with variable content is used instead of %variable% .
The virus collects the following information:
- a list of recently visited URLs
- file(s) content
The virus quits immediately if any of the following applications is detected:
The virus may create the text file:
The virus acquires data and commands from a remote computer or the Internet.
The virus contains a list of URLs. The HTTP protocol is used.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- update itself to a newer version