Trend Micro TrendLabs Malware Blog
    Three of the most notorious malware families we’ve seen proliferate as of late have now been seen working together in a single attack.

    In the past months we saw QUERVAR, ransomware, and SIREFEF/ZACCESS grow rampant in certain regions. QUERVAR was widespread in the North America, EMEA, and ANZ regions; the ransomware family has been prominent in EMEA; and SIREFEF/ZACCESS has been rampant in NABU.

    Now, we’re seeing attacks that involve all three malware families.

    After a widespread infection of QUERVAR in August this year, QUERVAR infections stopped completely in the first half of September. However, as shown in the Trend Micro™ Smart Protection Network™ data below, infections returned after a few days.

    These are detected as PE_QUERVAR.A-O, PE_QUERVAR.B-O, PE_QUERVAR.C-O, and PE_QUERVAR.D-O.

    [Figure: Trend Micro Smart Protection Network data on QUERVAR infections]

    On September 27, we saw a new QUERVAR variant with a new structure, different from the previously detected variants but with the same infection routines: infecting .EXE files and Microsoft Excel and Word documents, then renaming them with a .SCR extension. However, the newer variants came with a new payload: downloading ransomware and ZACCESS variants.

    The new QUERVAR variants are detected as PE_QUERVAR.E-O. PE_QUERVAR.E-O accesses the following URLs to download ransomware variants detected as TROJ_RANSOM.CMY and HTML_RANSOM.CMY, and the ZACCESS variant TROJ_SIREFEF.SZP.
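    As an added defender-side example (not code from the TrendLabs post), the following Python triage script looks for the renaming artifact described above: .SCR files that carry a Word/Excel document body, or whose name is a document or program name with .SCR appended. The magic-byte values and the double-extension heuristic are assumptions of this example, not behaviour stated on the page.

```python
import os

# Magic bytes of the file types QUERVAR infects and renames to .SCR: PE
# executables, binary Office documents (OLE compound) and OOXML (ZIP).
PE_MAGIC = b"MZ"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # .doc / .xls
ZIP_MAGIC = b"PK\x03\x04"                          # .docx / .xlsx
# Inner extensions that betray a document or program with .SCR appended
# (a triage heuristic assumed for this example, not stated on the page).
SUSPECT_INNER_EXTS = (".exe", ".doc", ".docx", ".xls", ".xlsx")

def classify_scr(name, header):
    """Label a .SCR worth triage, or None for a plain-named PE screensaver."""
    base = os.path.basename(name).lower()
    if not base.endswith(".scr"):
        return None
    double_ext = base[:-4].endswith(SUSPECT_INNER_EXTS)
    if header.startswith(OLE_MAGIC):
        body = "ole-document"          # a renamed .doc/.xls, not a screensaver
    elif header.startswith(ZIP_MAGIC):
        body = "ooxml-document"        # a renamed .docx/.xlsx
    else:
        body = "pe" if header.startswith(PE_MAGIC) else "unknown"
    if not double_ext and not body.endswith("document"):
        return None
    return ("double-extension+" if double_ext else "") + body + "-body"

def scan_directory(root):
    """Walk a tree (e.g. a user's Documents folder); return (path, label)s."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    header = fh.read(len(OLE_MAGIC))
            except OSError:
                continue               # unreadable: skip, don't abort the scan
            label = classify_scr(fn, header)
            if label:
                findings.append((path, label))
    return findings

# Constructed names and headers (no real malware) for a self-check.
SAMPLES = {
    "Q3 report.docx.scr": ZIP_MAGIC + b"\x14\x00",  # renamed OOXML document
    "budget.xls.scr": PE_MAGIC + b"\x90\x00",       # document replaced by a PE
    "bubbles.scr": PE_MAGIC + b"\x90\x00",          # ordinary screensaver
}
```

    Run scan_directory() against a user profile to list candidate files for a closer look; a plain-named .SCR that is a PE is not reported, so genuine screensavers do not flood the output.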

    • http://{BLOCKED}ewidea1.ru/1.php?000102E0&pin=16FB2534B0B2D6E3
    • http://www.{BLOCKED}coservisi.com/test/php/way.php?000076A8&pin=16FB2534B0B2D6E3
    • http://{BLOCKED}y90.com/c/osnovnoj2.exe?00022F68 – detected as TROJ_RANSOM.CMY
    • http://{BLOCKED}lhgkjl.{BLOCKED}ilesexchnges.su/get.php?id=2 – detected as HTML_RANSOM.CMY
    • http://{BLOCKED}lhgkjl.un {BLOCKED}ilesexchnges.su/landings/first/US/NL_files/buttons.css
    • http://{BLOCKED}lhgkjl.{BLOCKED}ilesexchnges.su/landings/first/US/NL_files/jquery.min.js
    • http://{BLOCKED}lhgkjl.{BLOCKED}ilesexchnges.su/landings/first/US/FBI.png
    • http://{BLOCKED}lhgkjl.{BLOCKED}ilesexchnges.su/landings/first/US/NL_files/keyboard.js
    • http://{BLOCKED}lil.ru/33797470/2a06754.50664748/3052832ace10d474336096b36fbd49f05f190.exe?{random characters} – detected as TROJ_SIREFEF.SZP

    The ransomware TROJ_RANSOM.CMY hijacks the infected system and displays the image below, which tricks users into thinking it is a legitimate FBI warning enforcing copyright laws. The ransomware then locks the computer and prevents users from accessing it. The fake FBI warning also tells users that they are under surveillance by displaying the user’s IP address.

    [Image: fake FBI warning displayed by TROJ_RANSOM.CMY]

    On the other hand, SIREFEF/ZACCESS variants are known rootkit malware, which hide system modifications from users. In particular, the downloaded file (detected as TROJ_SIREFEF.SZP) patches services.exe on both 32-bit and 64-bit platforms to evade detection. It also disables or terminates Windows security-related services. This technique is further documented in our previous entry ZACCESS/SIREFEF Arrives with New Infection Technique.

    Trend Micro users need not worry as they are protected via the Smart Protection Network™. In particular, the file reputation service blocks and deletes related malicious files, while the web reputation service blocks access to the sites from which PE_QUERVAR.E-O downloads its malicious payload.









    • Jocelyn Racoma

      We put {BLOCKED} to prevent readers from accidentally clicking the links and visiting
      the malicious site. We suggest viewing the page source and searching for the word
      BLOCKED; underneath the blocked URLs, you can view the whole URL list.

    • Jocelyn Racoma

      Make sure to update your product with the latest pattern to be able to detect
      the sample. You can also visit the Virus Encyclopedia entries for PE_QUERVAR.E-O,
      TROJ_RANSOM.CMY, and HTML_RANSOM.CMY to check the manual removal instructions
      for the malware.

    • DJRiddle

      So how do I get rid of it? This article is not very helpful, and I have this virus and
      Trend is not detecting or removing it. HELP!

    • Joe Evans

      To create a rule on our firewall to block these URLs, can we just take out the word “{BLOCKED}” to create the rule?



     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice