The Significance of QUERVAR

Written by: Ryan Angelo Certeza

The most notorious file infectors of 2012, SALITY, XPAJ, MUSTAN, and QUERVAR, each have routines that make removal and containment a challenge. Their main routine, infecting files, is by and large the reason they spread so easily, but they also use other propagation methods that let them reach thousands of machines.

QUERVAR in particular infected hundreds of computers in August 2012. While QUERVAR is not polymorphic, it is still difficult to remove from machines because of its encryption and file-renaming routines. Besides spreading easily, recent QUERVAR variants also come bundled with ransomware and ZEROACCESS/SIREFEF malware, making them more dangerous than ever.

How does QUERVAR get into your computer?

QUERVAR’s exact origin is unknown. In our continuing investigation and analysis of QUERVAR variants, most were downloaded from sites that host possible Java or PDF exploits. Trend Micro first spotted a QUERVAR infection (PE_QUERVAR.A) in May 2012.

How does QUERVAR spread to other computers?

Shared drives that contain .DOC, .DOCX, .XLS, .XLSX, and .EXE files can easily be infected by QUERVAR. PE_QUERVAR.B-O in particular targets shared drives and drives that do not have a System Volume Information folder.

PE_QUERVAR.B-O enumerates these drives, checks whether they hold files with the extensions listed above, and infects the files it finds.

Plugging such a drive into another computer and opening an infected file spreads the threat.

How do I know if my computer has been infected by QUERVAR?

To know if your computer has been infected, look out for the following indicators:
  • Presence of the file, MOR.EXE, which drops or starts the installation of several QUERVAR variants
  • Inability to open Microsoft Excel and Word files
  • Microsoft Word and Excel files renamed to {original file name}xcod.scr or {original file name}xslx.scr, for example (the original extension reversed, followed by .scr)
  • Inability to access the Windows Task Manager

What makes QUERVAR infections dangerous?

PE_QUERVAR.E-O is capable of downloading ZEROACCESS/SIREFEF malware and ransomware onto an already-infected machine. The ransomware poses as a fake FBI warning and hijacks the infected computer.

ZEROACCESS/SIREFEF meanwhile deletes several Windows registry entries related to the Windows Update and Windows Security Center services and drops other malware onto the already-infected computer. This does three more things to your computer:
  • Exposes your computer to more malware
  • Causes Windows Update to stop working, leaving your computer vulnerable to exploits
  • Disables the Windows Security Center service, so the prompts that normally appear when changes are made to your computer no longer show (This allows malware to perform its routines without your knowledge.)

PE_QUERVAR.B-O was also found on sites that host ZeuS and Hermes malware, so a computer can pick up ZeuS and Hermes, both known data stealers, in addition to QUERVAR.

My computer is already infected by QUERVAR. What do I do?

Running a Trend Micro solution on your infected computer will remove QUERVAR. It will also do the following:

1. Remove traces of the encryption QUERVAR applied to an infected file.
2. Restore the file’s original name. Note that simply renaming the file (right-click, Rename) does not work; the infection first has to be cleaned.

Trend Micro product users are protected from QUERVAR and its components with the aid of the Trend Micro™ Smart Protection Network™. Trend Micro solutions prevent and remedy QUERVAR and related (ransomware and ZEROACCESS/SIREFEF) infections. They also block access to sites that host QUERVAR and related malware.