Date discovered:08/08/2012
Type:File infector
In the wild:Yes
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Medium
VDF version:
IVDF version:

 General Method of propagation:
   • Infects files

   •  Kaspersky: Trojan-Dropper.Win32.Dorifel.has
   •  Eset: Win32/Quervar.C

It was previously detected as:
   •  TR/Rogue.kdv.691754.7
   •  TR/Rogue.kdv.691754
   •  TR/Spy.150016.65

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Side effects:
   • Drops files
   • Infects files
   • Registry modification

 Files It copies itself to the following location:
   • %APPDATA%\%random character string%\%random character string%.exe

It renames the following files:

    •  %infected files%.doc into %infected files%.cod.scr
    •  %infected files%.docx into %infected files%.cod.scr
    •  %infected files%.xls into %infected files%.slx.scr
    •  %infected files%.xlsx into %infected files%.slx.scr

The following files are created:

– A file that is for temporary use and it might be deleted afterwards:
   • %APPDATA%\%random character string%\RCX%number%.tmp

– %APPDATA%\%random character string%\%random character string%.exe.lnk
– %APPDATA%\%random character string%\%random character string%.exe.ini This is a non malicious text file that contains information about the program itself.
%malware execution directory%\%executed file%-- This is the original version of the file before infection.

 Registry The following registry key is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
   • Load = "%APPDATA%\%random character string%\%random character string%.exe.lnk"

 File infection Infector type:

Prepender - The virus code is added at the begining of the infected file.


This direct-action infector actively searches for files.

This memory-resistent infector remains active in memory.

Infection length:

Approximately 150.000 Bytes

Ignores files that:

Contain any of the following strings in their path:
   • System Volume Information

The following files are infected:

By file type:
   • .exe
   • .doc
   • .xls
   • .docx
   • .xlsx

 Miscellaneous Event handler:
It creates the following Event handler:
   • SayHellotomyLittleFriend

Anti debugging
It checks if the following program is running:
   • taskmgr.exe

 File details Programming language:
The malware program was written in Delphi.

説明の挿入者 Andrei Gherman の 2012年8月10日金曜日
説明の更新者 Andrei Gherman の 2012年8月10日金曜日

戻る . . . .