Win32/Quervar [Threat Name] go to Threat

Win32/Quervar.C [Threat Variant Name]

Category	virus
Aliases	Virus:.Win32/Quervar.B (Microsoft)

Win32/Quervar.C is a file infector.

When executed, the virus copies itself into the following location:

The virus may create the following files:

A string with variable content is used instead of %variable1-4% .

The virus creates the following files:

The file is a shortcut to a malicious file.

In order to be executed on every system start, the virus sets the following Registry entry:

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
- "load" = "%appdata%\%variable1%\%variable2%.exe.lnk"

The following Registry entries are created:

[HKEY_CURRENT_USER\Fbsgjner\Zvpebfbsg\Jvaqbjf\PheeragIrefvba\Vagrearg Frggvatf]
- "TybonyHfreBssyvar" = 0

The virus searches local drives for files with the following file extensions:

The virus infects files by appending the original file into the resources section of the malware binary.

The virus avoids infecting files stored on drives which contain the following folders:

The name of the infected file is changed to one of the following string:

When the infected file is executed, the original file is dropped to temporary file.

The original file is then executed.

The name of the temporary file is one of the following:

A string with variable content is used instead of %variable% .

The virus collects the following information:

The virus quits immediately if any of the following applications is detected:

The virus may create the text file:

The virus acquires data and commands from a remote computer or the Internet.

The virus contains a list of URLs. The HTTP protocol is used.

It can execute the following operations: