    TrendLabs Security Intelligence Blog

    August 9, 2012, 12:55 pm (UTC-7)

    We have received several reports and inquiries about the file infector PE_QUERVAR.B-O and its infected file, PE_QUERVAR.B. Both are getting some media attention, specifically in Europe, where reports have identified infections registering mostly in the Netherlands.

    Its rapid spread can be explained by two things:

    1. It infects file types that users commonly use and share: MS Word (.doc, .docx), MS Excel (.xls, .xlsx), and .EXE (normal executable) files. Once a user opens an infected file, the malware automatically looks for other MS Word, MS Excel, and EXE files on the user's computer and infects them as well.
    2. It targets drives that DO NOT have a System Volume Information folder. These are commonly mapped network drives and USB/removable drives, so a shared drive spreads the infection very quickly.

    Once files are infected, QUERVAR renames them and changes the file extension to .SCR, but the file icon remains the same. If the folder view is configured to hide file extensions, the renamed file looks unchanged; when the user opens it, nothing appears to happen and the original document does not open.

    Note that manually renaming the file back will not restore it. Infected files are also encrypted by QUERVAR, which makes cleaning and restoring them harder. While some are taking this as a sign that this is ransomware, our analysis so far hasn't shown that to be the case. We're not sure why these files are encrypted but are continuing to research that.
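    The two behaviours described above (the malware picks drives that lack a System Volume Information folder, and it leaves behind .SCR executables and documents whose contents no longer match their extension) can both be turned into a simple triage check for a file share. The script below is an added example written for this post, not Trend Micro's tooling or anything from the original entry. It assumes only the public file-format signatures (OLE2 for .doc/.xls, ZIP for .docx/.xlsx, "MZ" for PE files) and builds its own constructed sample tree in a temporary directory; the file names and contents in `build_sample_share` are made up for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Public file-format signatures (not from the original post).
PE_MAGIC = b"MZ"                                   # Windows executables, including .SCR screensavers
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # legacy .doc / .xls (OLE2 compound file)
ZIP_MAGIC = b"PK\x03\x04"                          # .docx / .xlsx (OOXML is a zip container)

# What a healthy file with each extension should start with.
EXPECTED_MAGIC = {
    ".doc": (OLE_MAGIC,),
    ".xls": (OLE_MAGIC,),
    ".docx": (ZIP_MAGIC,),
    ".xlsx": (ZIP_MAGIC,),
    ".exe": (PE_MAGIC,),
}


def lacks_system_volume_information(root):
    """True when `root` has no 'System Volume Information' folder, which is the
    property the post says the malware uses to choose drives to spread to
    (typically mapped network drives and removable media)."""
    return not os.path.isdir(os.path.join(root, "System Volume Information"))


def read_magic(path, n=8):
    """Return the first `n` bytes of a file."""
    with open(path, "rb") as fh:
        return fh.read(n)


def triage_tree(root):
    """Walk `root` and return two lists of paths:
    - .scr files whose content is a PE executable (the extension QUERVAR renames to), and
    - document/exe files whose content does not match their extension, which is what an
      encrypted or otherwise corrupted Office file looks like on disk."""
    scr_executables = []
    type_mismatches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = Path(name).suffix.lower()
            try:
                magic = read_magic(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the whole walk
            if ext == ".scr" and magic.startswith(PE_MAGIC):
                scr_executables.append(path)
            elif ext in EXPECTED_MAGIC and not any(
                magic.startswith(m) for m in EXPECTED_MAGIC[ext]
            ):
                type_mismatches.append(path)
    return scr_executables, type_mismatches


def build_sample_share(base):
    """Create a constructed sample share (hypothetical names and contents)."""
    samples = {
        "reports/q2.docx": ZIP_MAGIC + b"\x14\x00" + b"\x00" * 32,     # healthy OOXML header
        "reports/notes.doc": OLE_MAGIC + b"\x00" * 32,                 # healthy legacy Word file
        "finance/budget.xlsx": bytes(range(64)),                       # not a zip: looks encrypted
        "finance/invoice.scr": PE_MAGIC + b"\x90\x00" + b"\x00" * 32,  # PE body under a .scr name
        "tools/setup.exe": PE_MAGIC + b"\x00" * 32,                    # legitimate executable
    }
    for rel, data in samples.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Build the constructed share in a temp dir, triage it, and return
    (scr executables, type mismatches, share lacks SVI) with forward-slash paths."""
    with tempfile.TemporaryDirectory() as share:
        build_sample_share(share)
        scr, mismatch = triage_tree(share)

        def rel(paths):
            return sorted(os.path.relpath(p, share).replace(os.sep, "/") for p in paths)

        return rel(scr), rel(mismatch), lacks_system_volume_information(share)


if __name__ == "__main__":
    scr, mismatch, no_svi = demo()
    print("drive would be targeted (no System Volume Information):", no_svi)
    print("PE executables with .scr extension:", scr)
    print("documents whose content does not match their extension:", mismatch)
```

    Run against a real share, `triage_tree` gives a list of candidates to quarantine and of documents that probably need restoring from backup rather than a rename. Checking the magic bytes rather than the icon or the extension is the point: the icon is exactly what the renamed files preserve.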

    Trend Micro products detect both file infectors via the Smart Scan Pattern 9.311.00, which automatically deletes PE_QUERVAR.B-O. Further updates will be posted in this blog entry.

    Update as of 6:28 PM PST

    Trend Micro customers are encouraged to update their patterns to 9.313.00. This pattern restores PE_QUERVAR.B-infected files to their usable state.

    Update as of August 15, 3:59 PM PST

    We have seen reports that Citadel ZeuS variants download QUERVAR. While we were unable to confirm this, we analyzed {BLOCKED}.{BLOCKED}.162.163, the IP address that is said to host QUERVAR and Citadel ZeuS. Based on our Smart Protection Network, we found that it also hosts Hermes (detected by Trend Micro as TROJ_GATAKA.AI), which is downloaded by QUERVAR. This leads us to conclude that certain variants of Citadel ZeuS, Hermes, and QUERVAR may be coming from a single threat actor.

    Trend Micro also blocks the related IP addresses.

    Update as of August 16, 10:48 PM PST

    The Hermes malware mentioned in the above update is now detected as BKDR_GATAKA.A.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice