    12:55 pm (UTC-7)   |    by

    We have received several reports and inquiries about the file infector PE_QUERVAR.B-O and its infected file, PE_QUERVAR.B. Both are getting some media attention, specifically in Europe, where reports have identified infections registering mostly in the Netherlands.

    Its massive spreading may be explained by a couple of things:

    1. It infects files commonly used and shared by users: MS Word (.doc, .docx), MS Excel (.xls, .xlsx), and .EXE (normal executable) files. Once a user opens an infected file, the malware automatically looks for other MS Word/MS Excel/EXE files on the user’s computer that it can infect.
    2. It targets drives that DO NOT have a System Volume Information folder. These are commonly mapped network drives and USB/removable drives. A shared drive therefore spreads the infection very quickly.

    Once files are infected, QUERVAR renames the files and changes the file extension to .SCR, but the file icon remains the same. If the computer view is configured to hide file extensions and the user opens an infected file, nothing will happen and the file will not be opened.

    Note that manually renaming the file will not work. Infected files are also encrypted by QUERVAR, adding difficulty to cleaning and restoring. While some are taking this as a sign that this is ransomware, our analysis so far hasn’t shown that to be the case. We’re not sure why these are encrypted but are continuing to research that.
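    The following triage script is an added example (not Trend Micro's code) that turns the two traits described above into a check a defender can run against a mapped share: whether the drive lacks a "System Volume Information" folder (the kind of drive QUERVAR targets) and which .SCR files under it actually carry a PE (MZ) header, as a renamed document would. The sample share it builds is constructed for the demo, and the MZ check is a generic PE magic check, not a QUERVAR signature.

```python
import os
import tempfile
from pathlib import Path

SCR_EXT = ".scr"
MZ_MAGIC = b"MZ"                 # first two bytes of every PE file
SVI_DIR = "System Volume Information"


def drive_lacks_svi(root):
    """True if the drive/share has no SVI folder, i.e. the kind QUERVAR spreads to."""
    return not (Path(root) / SVI_DIR).is_dir()


def is_pe(path):
    """Cheap PE check: does the file start with the MZ magic?"""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == MZ_MAGIC
    except OSError:
        return False


def find_suspect_scr(root):
    """Return .scr files under root that are real PE files (renamed docs/EXEs)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SCR_EXT):
                full = Path(dirpath) / name
                if is_pe(full):
                    hits.append(full.relative_to(root).as_posix())
    return sorted(hits)


def triage(root):
    """Summarise a share: is it a targeted drive, and which .scr files look like PEs."""
    return {"targeted_drive": drive_lacks_svi(root),
            "suspect_scr": find_suspect_scr(root)}


def build_sample_share(base):
    """Constructed sample share: one clean workbook, one PE-bodied .scr, one non-PE .scr."""
    share = Path(base) / "share"
    (share / "docs").mkdir(parents=True)
    (share / "docs" / "budget.xlsx").write_bytes(b"PK\x03\x04clean-workbook")
    (share / "docs" / "report.scr").write_bytes(b"MZ\x90\x00fake-pe-body")
    (share / "notes.scr").write_bytes(b"plain text, not a PE")
    return str(share)


def demo():
    """Run the triage against the constructed share and return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_share(tmp))
```

Point `triage()` at a real mapped drive letter or UNC path to list candidate files for a pattern-based scan; the script only flags, it does not clean or restore.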

    Trend Micro products detect both file infectors via the Smart Scan Pattern 9.311.00, which automatically deletes PE_QUERVAR.B-O. Further updates will be posted in this blog entry.

    Update as of 6:28 PM PST

    Trend Micro customers are encouraged to update their patterns to 9.313.00. This pattern restores PE_QUERVAR.B-infected files to their usable state.

    Update as of August 15, 3:59 PM PST

    We saw reports that Citadel Zeus variants were observed to download QUERVAR. While we were unable to confirm this, we analyzed {BLOCKED}.{BLOCKED}.162.163, the IP address which is said to host QUERVAR and Citadel Zeus. Based on our Smart Protection Network, we found out that it also hosts Hermes (detected by Trend Micro as TROJ_GATAKA.AI), which is downloaded by QUERVAR. This leads us to conclude that certain variants of Citadel ZeuS, Hermes and QUERVAR may be coming from a single threat actor.

    Trend Micro also blocks the related IP addresses.

    Update as of August 16, 10:48 PM PST

    The Hermes malware mentioned in the above update is now detected as BKDR_GATAKA.A.


    • smith

      no special cleaner for this malware?

    • noname

      Detecting this virus is ok, removing the effects is great, being late at the party is acceptable. But you don’t address the source of the problem, you leave the infection source undetected. Also the new virus called Hermes is still undetected by you…

