QUERVAR
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: File infector
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Infects files
QUERVAR is a malware family of file infectors that infects files such as MS Word, MS Excel, and executable files. It then changes the file extension of infected files to .SCR while retaining the same icon. It became rampant in North America, EMEA, and ANZ regions in 2012. Certain variants of QUERVAR are reportedly downloading ransomware and ZACCESS variants. We also spotted some variants of CITADEL malware that downloads QUERVAR.
TECHNICAL DETAILS
Connects to URLs/IPs
Other System Modifications
This file infector adds the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
MSConfig = ""%User Profile%\{Random File Name}.exe""
Download Routine
This file infector saves the files it downloads using the following names:
- %Current Folder%\{Malware Name}.jpg
- %User Profile%\{Random File Name}.exe
- %User Profile%\{Random File Name}.exe
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)
Other Details
This file infector connects to the following possibly malicious URL:
- http://{BLOCKED}.{BLOCKED}.99.252/load/asidfk11.dat?wv=51&bt=32
- http://{BLOCKED}.{BLOCKED}.99.250.178/daol/asidfk11.dat?wv=51&bt=32
- http://{BLOCKED}lofhumor.com/wp-content/uploads/2013/01/0zXLM1-580x427.jpg
- http://{BLOCKED}report.com/images/2009/05/naughty-elephant.jpg
- http://{BLOCKED}.{BLOCKED}.99.252/load/load.php
- http://{BLOCKED}.{BLOCKED}.99.250.178/daol/oadl.php
- {BLOCKED}.{BLOCKED}.100.11
- {BLOCKED}.{BLOCKED}.118.35
- {BLOCKED}x.l.google.com
- {BLOCKED}s.mail.ru
- {BLOCKED}1.{BLOCKED}x.l.google.com
- {BLOCKED}2.{BLOCKED}x.l.google.com