Besoin d’aide ? Fais appel à la communauté ou embauche un spécialiste.
Aller à Avira Answers
Virus:W32/Quervar.A
Date discovered:08/08/2012
Type:File infector
In the wild:Yes
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Medium
VDF version:7.11.39.130 - Friday, August 10, 2012
IVDF version:7.11.39.130 - Friday, August 10, 2012

 General Method of propagation:
   • Infects files


Aliases:
   •  Kaspersky: Trojan-Dropper.Win32.Dorifel.has
   •  Eset: Win32/Quervar.C

It was previously detected as:
   •  TR/Rogue.kdv.691754.7
   •  TR/Rogue.kdv.691754
   •  TR/Spy.150016.65


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Drops files
   • Infects files
   • Registry modification

 Files It copies itself to the following location:
   • %APPDATA%\%random character string%\%random character string%.exe



It renames the following files:

    •  %infected files%.doc into %infected files%.cod.scr
    •  %infected files%.docx into %infected files%.cod.scr
    •  %infected files%.xls into %infected files%.slx.scr
    •  %infected files%.xlsx into %infected files%.slx.scr



The following files are created:

– A file that is for temporary use and it might be deleted afterwards:
   • %APPDATA%\%random character string%\RCX%number%.tmp

– %APPDATA%\%random character string%\%random character string%.exe.lnk
– %APPDATA%\%random character string%\%random character string%.exe.ini This is a non malicious text file that contains information about the program itself.
%malware execution directory%\%executed file%-- This is the original version of the file before infection.

 Registry The following registry key is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
   • Load = "%APPDATA%\%random character string%\%random character string%.exe.lnk"

 File infection Infector type:

Prepender - The virus code is added at the begining of the infected file.


Method:

This direct-action infector actively searches for files.

This memory-resistent infector remains active in memory.


Infection length:

Approximately 150.000 Bytes


Ignores files that:

Contain any of the following strings in their path:
   • System Volume Information


The following files are infected:

By file type:
   • .exe
   • .doc
   • .xls
   • .docx
   • .xlsx

 Miscellaneous Event handler:
It creates the following Event handler:
   • SayHellotomyLittleFriend


Anti debugging
It checks if the following program is running:
   • taskmgr.exe


 File details Programming language:
The malware program was written in Delphi.

Description insérée par Andrei Gherman le vendredi 10 août 2012
Description mise à jour par Andrei Gherman le vendredi 10 août 2012

Retour . . . .
https:// Cet écran est crypté pour votre sécurité.