We have received several reports and inquiries about the file infectors PE_QUERVAR.B-O (mother file infector) and PE_QUERVAR.B (infected file). Both are getting some media attention, specifically in Europe. Reports identify infections registering mostly in the Netherlands. Its massive spread may be explained by a couple of things:
- It infects files that are most commonly found and shared on computers: MS Word (.doc, .docx), MS Excel (.xls, .xlsx), and .EXE (normal executable) files. Once a user opens an infected file, the malware automatically looks for other MS Word/MS Excel/EXE files on the user's computer to infect.
- It targets drives that DO NOT have System Volume Information. These are commonly mapped network drives and USB/removable drives. A shared drive gets the infection spreading pretty fast.
Once files are infected, QUERVAR renames the files and changes the file extension to .SCR, but the file icon remains the same. If your computer view is configured to hide file extensions, you will surely open an infected file and be surprised to see nothing happen. Note that manually renaming the file will not work. Infected files are also encrypted by QUERVAR, which makes cleaning and restoring them more difficult. While some are taking this as a sign that this is ransomware, our analysis so far hasn't shown that to be the case. We're not sure why these files are encrypted but are continuing to research that.
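The behavior described above (documents reappearing as .SCR files on drives without System Volume Information) can be used to triage a share. The following is an added example, not Trend Micro code: it is a heuristic, not a signature, and the function names, the MZ-header check, and the sample tree are assumptions constructed for illustration.

```python
import os, sys, tempfile
from collections import defaultdict

# File types the post lists as infection targets.
TARGET_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".exe"}

def lacks_svi(root):
    """True when root has no 'System Volume Information' folder (the drives the post says are targeted)."""
    return not os.path.isdir(os.path.join(root, "System Volume Information"))

def has_mz_header(path):
    """True when the file starts with the 'MZ' magic of a Windows executable."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False  # unreadable files are skipped, not flagged

def triage(root):
    """Return (exposed, report). report maps each folder that holds executable
    .scr files to their names and to how many target-type files are still present."""
    found = defaultdict(lambda: {"scr": [], "targets_left": 0})
    for folder, _dirs, files in os.walk(root):
        for name in sorted(files):
            ext = os.path.splitext(name)[1].lower()
            if ext == ".scr" and has_mz_header(os.path.join(folder, name)):
                found[folder]["scr"].append(name)
            elif ext in TARGET_EXTS:
                found[folder]["targets_left"] += 1
    report = {f: v for f, v in found.items() if v["scr"]}
    return lacks_svi(root), report

def build_sample(root):
    """Constructed sample tree: harmless placeholder bytes, not malware."""
    for d in ("finance", "clean"):
        os.makedirs(os.path.join(root, d))
    for rel, data in [("finance/budget.scr", b"MZ" + b"\0" * 62),
                      ("finance/notes.scr", b"plain text"),
                      ("clean/report.docx", b"PK\x03\x04")]:
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    # Scan the path given on the command line, or the constructed sample.
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample(tempfile.mkdtemp())
    print(triage(root))
```

A folder that reports executable .scr files and a `targets_left` count of zero is the pattern to review first; any hit should be confirmed with an up-to-date scan.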
Trend Micro products detect both file infectors via the Smart Scan Pattern 9.311.00, which automatically deletes PE_QUERVAR.B-O. Further updates will be posted in this blog entry.