Ha bisogno di assistenza? Chieda alla community oppure consulti un esperto.
Vai ad Avira Answers
Virus:W32/Quervar.A
Date discovered:08/08/2012
Type:File infector
In the wild:Yes
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Medium
VDF version:7.11.39.130 - Friday, August 10, 2012
IVDF version:7.11.39.130 - Friday, August 10, 2012

 General Method of propagation:
    Infects files


Aliases:
   •  Kaspersky: Trojan-Dropper.Win32.Dorifel.has
   •  Eset: Win32/Quervar.C

It was previously detected as:
     TR/Rogue.kdv.691754.7
     TR/Rogue.kdv.691754
     TR/Spy.150016.65


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
    Windows Vista
    Windows Server 2008
    Windows 7


Side effects:
   • Drops files
Infects files
   • Registry modification

 Files It copies itself to the following location:
   • %APPDATA%\%random character string%\%random character string%.exe



It renames the following files:

      %infected files%.doc into %infected files%.cod.scr
      %infected files%.docx into %infected files%.cod.scr
      %infected files%.xls into %infected files%.slx.scr
      %infected files%.xlsx into %infected files%.slx.scr



The following files are created:

– A file that is for temporary use and it might be deleted afterwards:
   • %APPDATA%\%random character string%\RCX%number%.tmp

%APPDATA%\%random character string%\%random character string%.exe.lnk
%APPDATA%\%random character string%\%random character string%.exe.ini This is a non malicious text file that contains information about the program itself.
%malware execution directory%\%executed file%-- This is the original version of the file before infection.

 Registry The following registry key is added in order to run the process after reboot:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
   • Load = "%APPDATA%\%random character string%\%random character string%.exe.lnk"

 File infection Infector type:

Prepender - The virus code is added at the begining of the infected file.


Method:

This direct-action infector actively searches for files.

This memory-resistent infector remains active in memory.


Infection length:

Approximately 150.000 Bytes


Ignores files that:

Contain any of the following strings in their path:
   • System Volume Information


The following files are infected:

By file type:
   • .exe
   • .doc
   • .xls
   • .docx
   • .xlsx

 Miscellaneous Event handler:
It creates the following Event handler:
   • SayHellotomyLittleFriend


Anti debugging
It checks if the following program is running:
   • taskmgr.exe


 File details Programming language:
The malware program was written in Delphi.

Descrizione inserita da Andrei Gherman su venerdì 10 agosto 2012
Descrizione aggiornata da Andrei Gherman su venerdì 10 agosto 2012

Indietro . . . .
https:// Questa finestra è criptata per tua sicurezza.