PE_QUERVAR.G

This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It infects certain file types by inserting code in the said files.

Arrival Details

This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This file infector drops the following copies of itself into the affected system:

• %User Temp%\{random folder name}\{random file name}.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It creates the following folders:

• %User Temp%\{random folder name}

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It terminates itself if it finds the following processes in the affected system's memory:

• taskmgr.exe

Autostart Technique

This file infector drops the following file(s) in the Windows User Startup folder to enable its automatic execution at every system startup:

• %User Startup%\{random file name}.lnk

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup.)

File Infection

This file infector infects files with the following file extensions by inserting code in the said files:

• *.exe
• *.doc
• *.xls
• *.docx
• *.xlsx

This is the Trend Micro detection for files infected by:

• PE_QUERVAR.G-O

Download Routine

This file infector connects to the following website(s) to download and execute a malicious file:

• http://{BLOCKED}p.com/admin/view/theme/default/tpl/layout.php
• http://www.{BLOCKED}group.com/administrator/includes/way.php
• http://{BLOCKED}city.com/wp-includes/js/tinymce/wp-tinymm.php
• https://forums.{BLOCKED}tion.com/image.php?u=3089

NOTES:

It is capable of infecting all logical drives except CD-ROMs present on the system as long as the following folder is not present on the drive:

• System Volume Information

Upon execution of infected document/spreadsheet file, it drops the original file on the affected system

• {filename}--.{original file extension}

Wherein Original File Extension could be:

• .doc
• .docx
• .xls
• .xlsx

It is capable of renaming infected files (*.DOC, *.XLS, *.DOCX, *.XLSX) adding the Unicode for "Right to Left Override" (RLO) character to disguise that the renamed file is still a document/spreadsheet file but are actually executables:

• .doc - {RLO}cod.scr - appears as rsc.doc
• .xls - {RLO}slx.scr - appears as rsc.xls
• .docx - {RLO}xcod.scr - appears as rsc.docx
• .xlsx - {RLO}xslx.scr - appears as rsc.xlsx