Virus Characteristics
-----------------------Updated on 8 Oct, 2012--------------------------------
Aliases
- Avira - TR/Crypt.XPACK.Gen
- Microsoft - Virus:Win32/Quervar.B
- Trend Micro - PE_QUERVAR.F
W32/XDocCrypt.a belongs to a family of malware that encrypts Microsoft Office Word, Excel and executable files present on the system. On successful encryption, the original file is replaced with the infector followed by the encrypted data. If the original file name ends in “.doc”/“.docx”, that extension is replaced by “U+202Ecod.scr”; if it ends in “.xls”/“.xlsx”, it is replaced by “U+202Eslx.scr”.
Note the special character “U+202E” used in the renaming: this Unicode character (the right-to-left override) causes the remainder of the filename to be displayed from right to left when viewed in explorer.exe, so a name ending in “…cod.scr” appears as “…rcs.doc”. The character is supported by default from Windows Vista onwards; on earlier versions (XP and below) it is supported only if the relevant language packs are installed on the system.
Upon execution it tries to connect to the following addresses on remote port 80:
- 82.146.[Removed].95/1.php?00034728&pin=9AE220BC5CD9432E
- ye[Removed]90.com
- 37.230.[Removed].38
- mis[Removed]nv12345678.ru
- 82.146. [Removed].95
- pety[Removed]1.fvds.ru
- greatn[Removed]a1.ru
Upon execution, it creates the following files:
- %AppData%\Microsoft\Office\Recent\Stroke class schedulecod.scr--.doc.LNK
- [RemovableDrive]\Newt?cod.scr
- [RemovableDrive]\jl?slx.scr
- %AppData%\01BDE8\03A108.exe
- %AppData%\01BDE8\03A108.exe.ini
- %AppData%\01BDE8\03A108.exe.lnk (detected as W32/XDocCrypt.a!lnk)
The above file is executed upon reboot, with “-launcher” passed as an argument to the executable.
The infection routine searches for “.doc”, “.xls” or “.exe” in file names and tries to infect matching files: the malware reads the original file content and encrypts it.
When an infected file is executed, the malware decrypts the encrypted original, drops it into the same folder under its original name with the appropriate extension (“.docx” / “.doc” / “.xlsx” / “.xls” / “.exe”), and opens the dropped file. The dropped file has the hidden attribute set, and after some time it is deleted.
It also creates the following folders:
- %AppData%\Microsoft\Proof
- %AppData%\01BDE8
The following registry values are modified on the system:
- HKey_Users\S-1-5-[Varies]\Software\Microsoft\Windows NT\CurrentVersion\Windows\load: ""
- HKey_Users\S-1-5-[Varies]\Software\Microsoft\Windows NT\CurrentVersion\Windows\load: " %AppData% \01BDE8\03A108~1.LNK"
The above registry value ensures that the Trojan registers itself on the compromised system and executes on every boot.
---------------------------------------------------------------------------------------
“W32/XDocCrypt.a” belongs to a family of malware that encrypts Microsoft Office Word, Excel and executable files present on the system, using the RC4 encryption algorithm. On successful encryption, the original file is replaced with the infector followed by the encrypted data. If the original file name ends in “.doc”/“.docx”, that extension is replaced by “U+202Ecod.scr”; if it ends in “.xls”/“.xlsx”, it is replaced by “U+202Eslx.scr”.
Note the special character “U+202E” used in the renaming: this Unicode character (the right-to-left override) causes the remainder of the filename to be displayed from right to left when viewed in explorer.exe. The character is supported by default from Windows Vista onwards; on earlier versions (XP and below) it is supported only if the relevant language packs are installed on the system.
Upon execution it tries to connect to the following addresses on remote port 80:
- 87.255.[Removed].229/reso[Removed].com
- 65.55. [Removed].152
- 65.54. [Removed].253
- 65.55. [Removed].16
Upon execution it tries to connect to the following address on remote port 443:
- 109.105. [Removed].5
Upon execution, it creates the following files:
- %Userprofile%\Desktop\CU20HR
- %Userprofile%\Local Settings\Temp\0WB1QWN6
- %Userprofile%\Local Settings\Temp\3TBB4U97
- %Userprofile%\Local Settings\Temp\6W4Q3ALW
- %Userprofile%\Local Settings\Temp\7YYJE29K
- %Userprofile%\Local Settings\Temp\DQVYV8FR
- %Userprofile%\Local Settings\Temp\G8CP8T8Y
- %Appdata%\F39NC5\RCX42.tmp
- %Appdata%\F39NC5\B76F4U.exe.dat
- %Appdata%\Microsoft\CryptnetUrlCache\Content\135BD6A358680A7BF1CCEC7C0172393D
- %Appdata%\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
- %Appdata%\Microsoft\CryptnetUrlCache\MetaData\135BD6A358680A7BF1CCEC7C0172393D
- %Appdata%\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- %Appdata%\F39NC5\B76F4U.exe
- %Appdata%\F39NC5\B76F4U.exe.lnk (detected as W32/XDocCrypt.a!lnk)
The above file is executed upon reboot, with “-launcher” passed as an argument to the executable.
The infection routine searches for “.doc”, “.xls” or “.exe” in file names and tries to infect matching files: the malware reads the original file content and encrypts it with RC4. On successful encryption, the original file is replaced with the infector, followed by the marker “[+++scarface+++]”, followed by the encrypted data.
When an infected file is executed, the malware decrypts the encrypted original, drops it into the same folder under its original name with the appropriate extension (“.docx” / “.doc” / “.xlsx” / “.xls” / “.exe”), and opens the dropped file. The dropped file has the hidden attribute set, and after some time it is deleted.
The infector runs in an infinite loop and terminates as soon as Task Manager (taskmgr.exe) is opened.
It also creates the following folder:
- %AppData%\F39NC5
The following registry keys are added to the system:
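As an added example that is not part of the original description, the following Python script performs two defender-side checks for the file-level traits described above: the U+202E right-to-left override in renamed files, and the “[+++scarface+++]” marker that separates the infector from the RC4-encrypted original. The RC4 key is not given in the report, so the script locates the encrypted data but does not decrypt it; the sample input is constructed.

```python
# Added example, not part of the original description. Two defender-side
# checks for the file-level traits of W32/XDocCrypt.a described above.
RLO = "\u202e"                     # RIGHT-TO-LEFT OVERRIDE (the report's "U+202E")
MARKER = b"[+++scarface+++]"       # separator between infector and RC4 data

def rlo_true_extension(name):
    """Return (name as Explorer displays it, real extension in lowercase).

    Explorer renders everything after U+202E reversed, so a file that is
    really 'schedule<U+202E>cod.scr' is shown as 'schedulercs.doc'.
    """
    real_ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if RLO not in name:
        return name, real_ext
    head, tail = name.split(RLO, 1)
    return head + tail[::-1], real_ext

def split_infected(data):
    """Split an infected file into (infector, encrypted_original).

    Layout per the report: PE infector + "[+++scarface+++]" + RC4-encrypted
    original. Returns None if the data is not a PE image or has no marker.
    The RC4 key is not given in the report, so nothing is decrypted here.
    """
    if not data.startswith(b"MZ"):
        return None
    idx = data.find(MARKER)
    if idx < 0:
        return None
    return data[:idx], data[idx + len(MARKER):]

def triage(name, data):
    """Run both checks; returns a list of findings (empty means clean)."""
    findings = []
    if RLO in name:
        displayed, real_ext = rlo_true_extension(name)
        findings.append("RLO filename: displayed as '%s' but really '.%s'"
                        % (displayed, real_ext))
    parts = split_infected(data)
    if parts is not None:
        findings.append("XDocCrypt marker at offset %d, %d encrypted bytes follow"
                        % (len(parts[0]), len(parts[1])))
    return findings

if __name__ == "__main__":
    # Constructed sample: a fake 64-byte "PE" stub, the marker, then 4 bytes
    # standing in for the RC4-encrypted document.
    sample = b"MZ" + b"\x90" * 62 + MARKER + b"\xde\xad\xbe\xef"
    for line in triage("Stroke class schedule" + RLO + "cod.scr", sample):
        print(line)
```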
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{690C5D06-2336-11D3-9E70-0020AF88B71B}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{690C5D06-2336-11D3-9E70-0020AF88B71B}\Implemented Categories
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{690C5D06-2336-11D3-9E70-0020AF88B71B}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{690C5D06-2336-11D3-9E70-0020AF88B71B}\LocalServer32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{690C5D06-2336-11D3-9E70-0020AF88B71B}\ProgID
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{690C5D06-2336-11D3-9E70-0020AF88B71B}\Programmable
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{690C5D06-2336-11D3-9E70-0020AF88B71B}\TypeLib
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{690C5D06-2336-11D3-9E70-0020AF88B71B}\VERSION
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\ProxyStubClsid
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\ProxyStubClsid32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\TypeLib
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\0
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\0\win32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\FLAGS
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\HELPDIR
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Acquisit.AqFactory
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Acquisit.AqFactory\Clsid
The following registry key values have been added to the system:
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\VERSION\: "1.0"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\TypeLib\: "{GUID}"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\ProgID\: "Acquisit.AqFactory"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\LocalServer32\: "%UserProfile%\Desktop\CU20HR"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\: "Acquisit.AqFactory"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\TypeLib\: "{GUID}"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\TypeLib\Version: "1.0"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\ProxyStubClsid32\: "{00020424-0000-0000-C000-000000000046}"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\ProxyStubClsid\: "{00020424-0000-0000-C000-000000000046}"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\: "AqFactory"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\0\win32\: "C:\Documents and Settings\Administrator\Desktop\8c6c\_usvemano.p12.zip\CU20HR"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\HELPDIR\: "%UserProfile%\Desktop\ "
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\FLAGS\: "0"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\: "Acquisit"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Acquisit.AqFactory\Clsid\: "{GUID}"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Acquisit.AqFactory\: "Acquisit.AqFactory"
- HKEY_CURRENT_USER\Fbsgjner\Zvpebfbsg\Jvaqbjf\PheeragIrefvba\Vagrearg Frggvatf\TybonyHfreBssyvarType:0
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  - ProxyBypass: 1
  - IntranetName: 1
  - UNCAsIntranet: 1
  - ProxyBypass: 1
  - IntranetName: 1
  - UNCAsIntranet: 1
The following registry values are modified on the system:
- HKEY_USERS\S-1-5-[Varies]\Software\Microsoft\Windows NT\CurrentVersion\Windows\load: ""
- HKEY_USERS\S-1-5-[Varies]\Software\Microsoft\Windows NT\CurrentVersion\Windows\load: "%AppData%\F39NC5\B76F4U~1.LNK"
The above registry value ensures that the Trojan registers itself on the compromised system and executes on every boot.