Trojan:Win32/Quervar.A

Encyclopedia entry
Updated: May 23, 2012  |  Published: May 18, 2012

Aliases
Not available

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.


 

Summary

Virus:Win32/Quervar.A is a virus that infects specific Microsoft Office document files and executable files.



 

Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • Some of your document files may be missing
  • The presence of the following file:
    %windir%\xpsp2res.dll


 

Technical Information (Analysis)

Virus:Win32/Quervar.A is a virus that infects specific Microsoft Office document files and executable files.

Installation

When an infected file is run, it drops and runs the original host file in the current folder as a hidden file with a randomly generated name to make it appear as if it is not infected.

Virus:Win32/Quervar.A then drops copies of itself as the following:

  • %AppData%\Microsoft\<random characters>.exe
  • %windir%\xpsp2res.dll

Spreads via...

File infection

Virus:Win32/Quervar.A infects the following file types:

  • .doc
  • .docx
  • .exe

It searches for files to infect in all logical drives except those labeled as:

  • CDROM drives
  • Unknown drives

Virus:Win32/Quervar.A infects files by creating copies of itself with the original host file encrypted at the end. If the host file is a .doc or .docx file, the infected file is named using the following format:

<original host file name>xcod.scr

If the host file is an .exe file, the infected file name is the same as the host file.

The host files are then deleted, so only the infected files remain.
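
A triage check built from the file-system indicators in this entry (the two dropped copies and the `xcod.scr` naming format), as an added example that is not part of the original entry or any Microsoft tool. The function name, the reason strings and the sample listing are assumptions made for illustration; the listing is constructed.

```python
import ntpath

# Indicators as listed in this entry.
DOC_SUFFIX = "xcod.scr"        # <original host file name>xcod.scr
DROPPED_DLL = "xpsp2res.dll"   # listed directly under %windir%


def _norm(path):
    # Windows paths are case-insensitive; ntpath also works off-Windows.
    return ntpath.normcase(ntpath.normpath(path))


def quervar_indicators(paths, windir, appdata):
    """Return (path, reason) pairs for paths matching the entry's indicators."""
    windir = _norm(windir)
    ms_dir = _norm(ntpath.join(appdata, "Microsoft"))
    findings = []
    for raw in paths:
        parent, name = ntpath.split(_norm(raw))
        if name.endswith(DOC_SUFFIX) and name != DOC_SUFFIX:
            findings.append((raw, "infected document name"))
        elif parent == windir and name == DROPPED_DLL:
            findings.append((raw, "dropped copy in %windir%"))
        elif parent == ms_dir and name.endswith(".exe"):
            findings.append((raw, "exe directly in %AppData%\\Microsoft"))
    return findings


# Constructed listing, not taken from a real host.
SAMPLE = [
    r"C:\Windows\xpsp2res.dll",
    r"C:\Windows\System32\xpsp2res.dll",
    r"C:\Users\alice\AppData\Roaming\Microsoft\kqzvbt.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\tool.exe",
    r"D:\Shares\Finance\Budget2012xcod.scr",
    r"D:\Shares\Finance\Budget2012.docx",
]

if __name__ == "__main__":
    hits = quervar_indicators(
        SAMPLE, r"C:\Windows", r"C:\Users\alice\AppData\Roaming")
    for path, reason in hits:
        print(f"{reason}: {path}")
```

Because the dropped .exe has a random name, the %AppData%\Microsoft match is a lead to review rather than a verdict. Infected .exe files keep the host file's name, so a name-based check cannot find them and a scan is still needed.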

Payload

Connects to certain servers

Virus:Win32/Quervar.A connects to any of the following servers:

  • avtoclub.eu
  • vnk.sk
  • 1nlreality.sk
  • forum.perfect-privacy.com

Terminates system processes

Virus:Win32/Quervar.A may prevent Task Manager from running.

Analysis by Francis Allan Tan Seng



 

Prevention



 

Recovery

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.
