Virus: W32/Quervar.A
Date discovered: 08/08/2012
Type: File infector
In the wild: Yes
Reported infections: Low
Distribution potential: Medium
Damage potential: Medium
VDF version: 7.11.39.130 - Friday, August 10, 2012
IVDF version: 7.11.39.130 - Friday, August 10, 2012

General
Method of propagation:
   • Infects files


Aliases:
   • Kaspersky: Trojan-Dropper.Win32.Dorifel.has
   • Eset: Win32/Quervar.C

It was previously detected as:
   • TR/Rogue.kdv.691754.7
   • TR/Rogue.kdv.691754
   • TR/Spy.150016.65


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Drops files
   • Infects files
   • Registry modification

Files
It copies itself to the following location:
   • %APPDATA%\%random character string%\%random character string%.exe



It renames the following files:
   • %infected files%.doc into %infected files%.cod.scr
   • %infected files%.docx into %infected files%.cod.scr
   • %infected files%.xls into %infected files%.slx.scr
   • %infected files%.xlsx into %infected files%.slx.scr



The following files are created:

A file that is for temporary use and might be deleted afterwards:
   • %APPDATA%\%random character string%\RCX%number%.tmp

Further files:
   • %APPDATA%\%random character string%\%random character string%.exe.lnk
   • %APPDATA%\%random character string%\%random character string%.exe.ini - This is a non-malicious text file that contains information about the program itself.
   • %malware execution directory%\%executed file% - This is the original version of the file before infection.

Registry
The following registry key is added in order to run the process after reboot:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
   • Load = "%APPDATA%\%random character string%\%random character string%.exe.lnk"

File infection
Infector type:

Prepender - The virus code is added at the beginning of the infected file.


Method:

This direct-action infector actively searches for files.

This memory-resident infector remains active in memory.


Infection length:

Approximately 150,000 bytes


Ignores files that:

Contain any of the following strings in their path:
   • System Volume Information


The following files are infected:

By file type:
   • .exe
   • .doc
   • .xls
   • .docx
   • .xlsx
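As an added triage example (not part of Avira's description), the following Python script applies the rename scheme listed under "It renames the following files" and the prepender layout described under "File infection" to flag renamed documents and suggest their original names. Because .doc and .docx (and .xls and .xlsx) are both renamed to the same suffix, the script assumes the standard OLE2 and ZIP container signatures to tell them apart; the sample bytes are constructed.

```python
import os
import re

# Renamed suffix -> (legacy extension, OOXML extension), from the description above.
SUFFIX_FAMILIES = {".cod.scr": (".doc", ".docx"), ".slx.scr": (".xls", ".xlsx")}
# Standard container signatures (assumption: used to tell .doc from .docx etc.).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc / .xls
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML .docx / .xlsx
RENAMED_RE = re.compile(r"^(?P<stem>.+)\.(?P<code>cod|slx)\.scr$", re.IGNORECASE)


def matches_rename_pattern(filename):
    """Return the normalised renamed suffix ('.cod.scr' / '.slx.scr') when the
    basename follows the Quervar renaming scheme, otherwise None."""
    m = RENAMED_RE.match(os.path.basename(filename))
    return "." + m.group("code").lower() + ".scr" if m else None


def locate_embedded_document(data, min_offset=1):
    """Heuristic for a prepender: the original document should sit behind the
    virus code, so look for the first container header after min_offset.
    Returns (offset, kind) with kind 'ole2' or 'zip', or None if neither is found."""
    hits = []
    for kind, magic in (("ole2", OLE2_MAGIC), ("zip", ZIP_MAGIC)):
        idx = data.find(magic, min_offset)
        if idx != -1:
            hits.append((idx, kind))
    return min(hits) if hits else None


def suggest_original_name(filename, data):
    """Combine the name pattern and the container type into the likely original
    filename; a trailing '?' marks a name match without a recognised container."""
    suffix = matches_rename_pattern(filename)
    if suffix is None:
        return None
    stem = os.path.basename(filename)[: -len(suffix)]
    legacy_ext, ooxml_ext = SUFFIX_FAMILIES[suffix]
    hit = locate_embedded_document(data)
    if hit is None:
        return stem + legacy_ext + "?"
    return stem + (ooxml_ext if hit[1] == "zip" else legacy_ext)


# Constructed sample: a stand-in for prepended code, then an OOXML (ZIP) header.
SAMPLE_INFECTED = b"MZ" + b"\x90" * 64 + ZIP_MAGIC + b"\x14\x00" + b"rest-of-docx"

if __name__ == "__main__":
    for name in ("Budget 2012.slx.scr", "letter.cod.scr", "clean.xlsx"):
        print(name, "->", suggest_original_name(name, SAMPLE_INFECTED))
```

The container search is a heuristic: it only tells you where a document header first appears behind the prepended code, so verify the carved bytes open cleanly before treating them as the recovered original.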

Miscellaneous
Event handler:
It creates the following event handler:
   • SayHellotomyLittleFriend


Anti-debugging
It checks if the following program is running:
   • taskmgr.exe


File details
Programming language:
The malware program was written in Delphi.

The description was created by Andrei Gherman on Friday, 10 August 2012
The description was modified by Andrei Gherman on Friday, 10 August 2012
