Virus:Win32/Quervar.B is a virus that infects specific Microsoft Office document files and executable files. This virus has been observed contacting remote hosts in order to download files onto your computer.

In the wild, we have observed the virus infecting files with the following file extensions:

• .DOC
• .EXE
• .XLS

System changes

The following system changes may indicate the presence of this malware:

• The presence of the following file:
  
  %AppData%\<random>\<random>.exe (for example, "%AppData%\KA7YQ0\A1S09G.exe")
  
  
• The presence of the following registry modification:
  
  In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
  Sets value: "Load"
  With data: "<dropped LNK file>"

Installation

Virus:Win32/Quervar.B drops the virus body as the following:

%AppData%\<random>\<random>.exe (for example, "%AppData%\KA7YQ0\A1S09G.exe")

Note: %AppData% refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Application Data". For Windows Vista and 7, the default location is "C:\Users\<user>\AppData\Roaming".

The virus also drops a shortcut file as <dropped virus body path>.lnk, for example, "%AppData%>\KA7YQ0\A1S09G.exe.lnk" which points to the virus body with the following parameter:

"-launcher"

Virus:Win32/Quervar.B makes the following changes to the registry to ensure its execution each time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "Load"
With data: "<dropped LNK file>"

It will then launch the dropped LNK file immediately.

Virus:Win32/Quervar.B creates an event "SayHellotomyLittleFriend" and an atom "BreakingBad" to make sure that only one payload is running at any given time.

Spreads via...

File infection

The virus tries to infect files with the following extensions:

• .DOC
• .EXE
• .XLS

It does this by encrypting the original file, and prepending itself before it on all drives (except unknown devices), CDROMs, and drives that have a "System Volume Information" folder in the root.

An infected DOC file will be named as "<original file name><unicode right-to-left mark>cod.scr", and infected XLS files will be named as "<original file name><unicode right-to-left mark>slx.scr".

When the infected file runs, the original file is dropped and opened under the same directory with a random name, for example "Z3NTZ8". This randomly named file will have "hidden" and "system" attributes.

Payload

Contacts remote hosts

Virus:Win32/Quervar.B contacts remote hosts to report infection and retrieve commands; in the wild, we have observed it contacting the following server for this purpose:

hxxp://reslove-dns.com/bl/in.php

Note: At the time of analysis, this server returned empty commands.

The virus may contact a remote host for any number of purposes, commonly to:

• Update itself
• Download additional files

Terminates system processes

Virus:Win32/Quervar.B attempts to close Windows Task Manager periodically.

Analysis by Shawn Wang

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:

• Microsoft Security Essentials
• Microsoft Safety Scanner
• Microsoft Windows Malicious Software Removal Tool

Additional remediation instructions for Virus:Win32/Quervar.B

This threat may make lasting changes to a computer's configuration that are NOT restored by detecting and removing this threat. For more information on returning an infected computer to its pre-infected state, please see the following articles:

• Enabling Task Manager:
• For Windows Vista
• For Windows XP
• Changing file associations:
  • For Windows 7
  • For Windows Vista
  • For Windows XP
• Viewing hidden and/or system files:
  • For Windows 7
  • For Windows Vista
  • For Windows XP