Quervar Virus’ Detailed Study Released

The Internet security company ESET has reported that a computer malware named Quervar is hitting the headlines, particularly across Holland while continuously wreaking havoc on PCs at many reputable Dutch institutions.

The malware, a kind of PC virus, sneaks into an affected system via mediums such as e-mail; malware installers like through the 'Citadel' a variant of 'Zeus;' as also via its own techniques of duplication. This parasitic virus attacks Microsoft's Excel and Word files, along with .exe files.

Effectively, Quervar looks for file names having ".xls" or ".doc" suffixes, including ".xlsx" and ".docx" the newer file-extensions, and also ".exe." However, it isn't interested in filenames having the "-." extension; a marker it utilizes following the dropping of the legitimate file from amongst all of the contaminated documents added its installation. The virus performs a check for the size of the files as well, and accordingly contaminates just those in the range of 10KB-30MB.

Moreover, it has the capability for filching browser histories as well as interacting with remote command-and-control (C&C) servers. Nonetheless, its chief objective is to construct networks of bot-infected computers as also pulling down more malware online.

However, the thing that most astonished ESET was when its researchers found that the Quervar's coding and design had great likeness to the previously prevalent Induc.C virus. For, they found the same Delphi-based coding for both the viruses. Both had the same self-defense techniques such as quitting when Task Manager became visible, and both contaminated the same targets.

Additionally, the two consisted of encrypted URLs that were hard-coded for sending and receiving messages from their C&Cs (It may be mentioned that virus Quervar, however, has advanced to RC4 from xor 5, add7). Further, the two also connected with avatars when infecting online discussion forums, with extra encrypted URLs certainly inside those avatars. Importantly according to ESET, there is a high probability that the same developers are behind Induc.C and Quervar.

Now, the two viruses also have a striking distinction, that is, while Quervar.C is mainly prevalent in Holland, Induc.C mostly propagates across Slovakia and Russia, the researchers from ESET conclude.

» SPAMfighter News - 8/28/2012