Virus Profile: W32/XDocCrypt.a

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 8/10/2012
Date Added: 8/10/2012
Origin: N/A
Length: Varies
Type: Virus
Subtype: Win32
DAT Required: 6491

Description

This is a virus detection. Viruses are programs that self-replicate recursively: infected systems spread the virus to other systems, which then propagate it further. While many viruses carry a destructive payload, it is quite common for a virus to do nothing more than spread from one system to another.

Aliases

  • Kaspersky - Trojan-Dropper.Win32.Dorifel.hcl
  • Microsoft - Virus:Win32/Quervar.B
  • Norman - W32/BadBreak.A
  • Symantec - Trojan.Exprez.B  

Indication of Infection

Presence of the files, network connections and registry changes listed under Virus Characteristics below.

Methods of Infection

Viruses are self-replicating. They often spread over a network or by transfer to removable media such as a removable disk, writable CD, or USB drive. Viruses may also spread by infecting files on a network file system or on a file system shared with another computer.


Virus Characteristics

-----------------------Updated on 8 Oct, 2012--------------------------------

Aliases

  • Avira  - TR/Crypt.XPACK.Gen
  • Microsoft - Virus:Win32/Quervar.B
  • Trend Micro - PE_QUERVAR.F  

W32/XDocCrypt.a belongs to a family of malware that encrypts Microsoft Word, Excel and executable files present on the system. On successful encryption the original file is replaced by the infector followed by the encrypted data, and the extension is rewritten: a file ending in ".doc"/".docx" is renamed so that its name ends in "U+202E" + "cod.scr", and a file ending in ".xls"/".xlsx" is renamed so that its name ends in "U+202E" + "slx.scr".

Note the special character U+202E (RIGHT-TO-LEFT OVERRIDE) in the new name. This Unicode control character causes the rest of the file name to be rendered right to left when viewed in explorer.exe, so "cod.scr" is displayed as "rcs.doc" and "slx.scr" as "rcs.xls": the file looks like a document while Windows treats it as a screensaver (.scr) executable. This character is supported by default from Windows Vista onwards. On earlier versions (XP and below) it is supported only if the appropriate language packs are installed on the system.

Upon execution it tries to connect to the following hosts on remote TCP port 80:

  • 82.146.[Removed].95/1.php?00034728&pin=9AE220BC5CD9432E
  • ye[Removed]90.com
  • 37.230.[Removed].38
  • mis[Removed]nv12345678.ru
  • 82.146.[Removed].95
  • pety[Removed]1.fvds.ru
  • greatn[Removed]a1.ru

Upon execution, it creates the following files:

  • %AppData%\Microsoft\Office\Recent\Stroke class schedulecod.scr--.doc.LNK
  • [RemovableDrive]\Newt?cod.scr
  • [RemovableDrive]\jl?slx.scr
  • %AppData%\01BDE8\03A108.exe
  • %AppData%\01BDE8\03A108.exe.ini
  • %AppData%\01BDE8\03A108.exe.lnk (detected as W32/XDocCrypt.a!lnk)

The "?" in the removable-drive file names is the unprintable U+202E character described above, so these files are displayed as "Newtrcs.doc" and "jlrcs.xls".

The dropped executable (03A108.exe) is run again after a reboot, with "-launcher" passed as its command-line argument.

The infection routine searches for ".doc", ".xls" and ".exe" in file names and tries to infect each matching file: it reads the original file content and encrypts it.

When an infected file is executed, the malware decrypts the embedded original, drops it into the same folder under the original name with the appropriate extension (".docx" / ".doc" / ".xlsx" / ".xls" / ".exe"), and opens the dropped file so the user sees the expected document or program. The dropped file has the hidden attribute set, and after some time it is deleted again.

It also creates the following folders:

  • %AppData%\Microsoft\Proof
  • %AppData%\01BDE8

The following registry value is modified (original value first, then the value set by the malware):

  • HKEY_USERS\S-1-5-[Varies]\Software\Microsoft\Windows NT\CurrentVersion\Windows\load: ""
  • HKEY_USERS\S-1-5-[Varies]\Software\Microsoft\Windows NT\CurrentVersion\Windows\load: "%AppData%\01BDE8\03A108~1.LNK"

The "load" value under this key is processed at user logon, and "03A108~1.LNK" is the 8.3 short name of the dropped 03A108.exe.lnk. This entry therefore ensures that the malware is started every time the affected user logs on, which in practice means after every boot.

---------------------------------------------------------------------------------------

"W32/XDocCrypt.a" belongs to a family of malware that encrypts Microsoft Word, Excel and executable files present on the system. It encrypts these files using the RC4 algorithm. On successful encryption the original file is replaced by the infector followed by the encrypted data, and the extension is rewritten: a file ending in ".doc"/".docx" is renamed so that its name ends in "U+202E" + "cod.scr", and a file ending in ".xls"/".xlsx" is renamed so that its name ends in "U+202E" + "slx.scr".

Note the special character U+202E (RIGHT-TO-LEFT OVERRIDE) in the new name. This Unicode control character causes the rest of the file name to be rendered right to left when viewed in explorer.exe, so "cod.scr" is displayed as "rcs.doc" and "slx.scr" as "rcs.xls": the file looks like a document while Windows treats it as a screensaver (.scr) executable. This character is supported by default from Windows Vista onwards. On earlier versions (XP and below) it is supported only if the appropriate language packs are installed on the system.
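The renaming trick described above can be checked mechanically. The following is an added example (not McAfee's code and not the malware's): it models how a name containing U+202E is rendered, compares the extension a user sees with the one Windows actually dispatches on, and flags the mismatch. The sample names are constructed to mirror the profile's "Newt?cod.scr" / "jl?slx.scr" entries (the "?" in those listings is the unprintable U+202E), and the rendering model is a simplification that reverses everything after the override, which is how a run of Latin letters and punctuation appears in Explorer under RLO.

```python
"""Flag file names that use U+202E (RIGHT-TO-LEFT OVERRIDE) to disguise
their real extension.

Added example: not McAfee's code and not the malware's. SAMPLES is
constructed to mirror the names in the profile. displayed_name() is a
simplified rendering model: it reverses everything after the override.
"""
import os

RLO = "\u202e"
# Unicode bidirectional controls that can reorder a displayed file name.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
# Extensions Windows will execute on double-click.
EXECUTABLE_EXTS = frozenset({".scr", ".exe", ".com", ".pif", ".bat", ".cmd",
                             ".lnk", ".js", ".vbs"})

SAMPLES = [
    "Newt\u202ecod.scr",                   # mirrors [RemovableDrive]\Newt?cod.scr
    "jl\u202eslx.scr",                     # mirrors [RemovableDrive]\jl?slx.scr
    "Stroke class schedule\u202ecod.scr",  # mirrors the Office "Recent" entry
    "quarterly report.docx",               # benign document (constructed)
    "setup.exe",                           # executable, but not disguised
]


def displayed_name(name):
    """Approximate what Explorer shows for a name containing U+202E."""
    idx = name.find(RLO)
    if idx == -1:
        return name
    return name[:idx] + name[idx + 1:][::-1]


def true_extension(name):
    """The extension Windows actually dispatches on (after the last '.')."""
    return os.path.splitext(name)[1].lower()


def apparent_extension(name):
    """The extension a user sees in the rendered name."""
    return true_extension(displayed_name(name))


def bidi_controls_in(name):
    """Code points of any bidi control characters present in the name."""
    return ["U+%04X" % ord(ch) for ch in name if ch in BIDI_CONTROLS]


def is_disguised(name):
    """True when a bidi control makes the name look like another file type,
    or when it sits in front of an executable extension."""
    if not bidi_controls_in(name):
        return False
    real, shown = true_extension(name), apparent_extension(name)
    return real != shown or real in EXECUTABLE_EXTS


def scan(names):
    """Return (name, displayed, true_ext, apparent_ext) for each disguised name."""
    return [(n, displayed_name(n), true_extension(n), apparent_extension(n))
            for n in names if is_disguised(n)]


def scan_directory(path):
    """Run the check over a real directory, e.g. a mounted removable drive."""
    return scan(os.listdir(path))


if __name__ == "__main__":
    for name, shown, real, seen in scan(SAMPLES):
        print("shown as %r (%s) but really %s: %r" % (shown, seen, real, name))
```

On a live system point scan_directory() at the root of a suspect removable drive; any hit with a true extension of .scr or .exe behind a "document" name is exactly the pattern this profile describes.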

Upon execution it tries to connect to the following hosts on remote TCP port 80:

  • 87.255.[Removed].229/reso[Removed].com
  • 65.55.[Removed].152
  • 65.54.[Removed].253
  • 65.55.[Removed].16


It also tries to connect to the following host on remote TCP port 443:

  • 109.105.[Removed].5

Upon execution, it creates the following files:

  • %UserProfile%\Desktop\CU20HR
  • %UserProfile%\Local Settings\Temp\0WB1QWN6
  • %UserProfile%\Local Settings\Temp\3TBB4U97
  • %UserProfile%\Local Settings\Temp\6W4Q3ALW
  • %UserProfile%\Local Settings\Temp\7YYJE29K
  • %UserProfile%\Local Settings\Temp\DQVYV8FR
  • %UserProfile%\Local Settings\Temp\G8CP8T8Y
  • %AppData%\F39NC5\RCX42.tmp
  • %AppData%\F39NC5\B76F4U.exe.dat
  • %AppData%\Microsoft\CryptnetUrlCache\Content\135BD6A358680A7BF1CCEC7C0172393D
  • %AppData%\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  • %AppData%\Microsoft\CryptnetUrlCache\MetaData\135BD6A358680A7BF1CCEC7C0172393D
  • %AppData%\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  • %AppData%\F39NC5\B76F4U.exe
  • %AppData%\F39NC5\B76F4U.exe.lnk (detected as W32/XDocCrypt.a!lnk)

The CryptnetUrlCache entries are written by Windows CryptoAPI when it retrieves certificate data (such as a CRL) over the network; they record the malware's network activity rather than being malware-specific files, so treat them as supporting evidence only.


The dropped executable (B76F4U.exe) is run again after a reboot, with "-launcher" passed as its command-line argument.

The infection routine searches for ".doc", ".xls" and ".exe" in file names and tries to infect each matching file: it reads the original file content and encrypts it with RC4. On successful encryption the original file is replaced by the infector, followed by the marker "[+++scarface+++]", followed by the encrypted data.

When an infected file is executed, the malware decrypts the embedded original, drops it into the same folder under the original name with the appropriate extension (".docx" / ".doc" / ".xlsx" / ".xls" / ".exe"), and opens the dropped file so the user sees the expected document or program. The dropped file has the hidden attribute set, and after some time it is deleted again.
The infector runs in an infinite loop and terminates as soon as Task Manager (taskmgr.exe) is opened.
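The layout just described (infector, marker, RC4-encrypted original) is enough to split an infected file and recover the host file when the key is known. The block below is an added example, not McAfee's code and not the malware's. It assumes the layout stated in this profile and a fixed RC4 key (DEMO_KEY): the profile does not say how the infector derives its key, so the key here is an assumption to be replaced with one recovered from a real sample. The infector stub and the document body are constructed inline; nothing here is taken from a live sample.

```python
"""Split an XDocCrypt-style infected file and recover the original:
    [infector][+++scarface+++][RC4-encrypted original]

Added example, not McAfee's or the malware's own code. DEMO_KEY is an
assumption (the profile does not state the key); SAMPLE_INFECTOR and
SAMPLE_DOC are constructed, not real samples.
"""

MARKER = b"[+++scarface+++]"
DEMO_KEY = b"demo-key-not-from-sample"   # assumption, see docstring

# Magic bytes for the file types the profile says get infected.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc / .xls
ZIP_MAGIC = b"PK\x03\x04"                          # .docx / .xlsx (OOXML)
PE_MAGIC = b"MZ"                                   # .exe


def rc4(key, data):
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_infected(infector, original, key):
    """Lay a file out the way the profile describes (only used to make a sample)."""
    return infector + MARKER + rc4(key, original)


def split_infected(blob):
    """Return (infector, encrypted_payload); raise if the marker is absent."""
    idx = blob.find(MARKER)
    if idx == -1:
        raise ValueError("marker not found: not an XDocCrypt-style infected file")
    return blob[:idx], blob[idx + len(MARKER):]


def recover_original(blob, key=DEMO_KEY):
    """Decrypt the payload that follows the marker."""
    _, payload = split_infected(blob)
    return rc4(key, payload)


def classify(data):
    """Rough file-type guess from magic bytes, to choose the extension to restore."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"      # .doc or .xls
    if data.startswith(ZIP_MAGIC):
        return "ooxml"     # .docx or .xlsx
    if data.startswith(PE_MAGIC):
        return "pe"        # .exe
    return "unknown"


def is_infected(blob):
    """Cheap triage: a PE that carries the marker is an infected host file."""
    return blob.startswith(PE_MAGIC) and MARKER in blob


# Constructed sample: a fake infector stub and a fake legacy Word document.
SAMPLE_INFECTOR = PE_MAGIC + b"\x00" * 62 + b"constructed infector stub"
SAMPLE_DOC = OLE2_MAGIC + b"constructed document body, not a real .doc"
SAMPLE_INFECTED = build_infected(SAMPLE_INFECTOR, SAMPLE_DOC, DEMO_KEY)

if __name__ == "__main__":
    print("infected:", is_infected(SAMPLE_INFECTED))
    recovered = recover_original(SAMPLE_INFECTED)
    print("recovered type:", classify(recovered), "intact:", recovered == SAMPLE_DOC)
```

Two practical caveats: the marker search takes the first occurrence, so on a real sample bound it by the infector's size from its PE section headers in case the original document happens to contain the same bytes; and because the infector itself drops the decrypted original (hidden, then deleted) when run, a file recovered this way is the same content a victim briefly sees, so encrypted documents are recoverable as long as the key can be obtained from the infector.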

It also creates the following folder:

  • %AppData%\F39NC5

The following registry keys are added to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{690C5D06-2336-11D3-9E70-0020AF88B71B}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{690C5D06-2336-11D3-9E70-0020AF88B71B}\Implemented Categories
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{690C5D06-2336-11D3-9E70-0020AF88B71B}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{690C5D06-2336-11D3-9E70-0020AF88B71B}\LocalServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{690C5D06-2336-11D3-9E70-0020AF88B71B}\ProgID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{690C5D06-2336-11D3-9E70-0020AF88B71B}\Programmable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{690C5D06-2336-11D3-9E70-0020AF88B71B}\TypeLib
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{690C5D06-2336-11D3-9E70-0020AF88B71B}\VERSION
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\ProxyStubClsid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\TypeLib
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\0\win32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\FLAGS
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\HELPDIR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Acquisit.AqFactory
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Acquisit.AqFactory\Clsid

The following registry values are added to the system. Together with the keys above they register a COM class with ProgID "Acquisit.AqFactory" whose LocalServer32 is the file dropped on the desktop (CU20HR), so that file is launched whenever the class is instantiated:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\VERSION\: "1.0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\TypeLib\: "{GUID}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\ProgID\: "Acquisit.AqFactory"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\LocalServer32\: "%UserProfile%\Desktop\CU20HR"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\: "Acquisit.AqFactory"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\TypeLib\: "{GUID}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\TypeLib\Version: "1.0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\ProxyStubClsid32\: "{00020424-0000-0000-C000-000000000046}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\ProxyStubClsid\: "{00020424-0000-0000-C000-000000000046}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{GUID}\: "AqFactory"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\0\win32\: "C:\Documents and Settings\Administrator\Desktop\8c6c\_usvemano.p12.zip\CU20HR"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\HELPDIR\: "%UserProfile%\Desktop\ "
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\FLAGS\: "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{GUID}\1.0\: "Acquisit"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Acquisit.AqFactory\Clsid\: "{GUID}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Acquisit.AqFactory\: "Acquisit.AqFactory"
  • HKEY_CURRENT_USER\Fbsgjner\Zvpebfbsg\Jvaqbjf\PheeragIrefvba\Vagrearg Frggvatf\TybonyHfreBssyvar: 0 (the path is ROT13 for Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
      ProxyBypass: 1
      IntranetName: 1
      UNCAsIntranet: 1

The GlobalUserOffline and ZoneMap entries are standard Internet Explorer connection and Local intranet zone settings; they are not useful as indicators on their own.

 

The following registry value is modified (original value first, then the value set by the malware):

  • HKEY_USERS\S-1-5-[Varies]\Software\Microsoft\Windows NT\CurrentVersion\Windows\load: ""
  • HKEY_USERS\S-1-5-[Varies]\Software\Microsoft\Windows NT\CurrentVersion\Windows\load: "%AppData%\F39NC5\B76F4U~1.LNK"

The "load" value under this key is processed at user logon, and "B76F4U~1.LNK" is the 8.3 short name of the dropped B76F4U.exe.lnk. This entry therefore ensures that the malware is started every time the affected user logs on, which in practice means after every boot.
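The "load" value is a less commonly watched logon hook, so it is worth a dedicated check. The block below is an added example, not from the McAfee write-up, covering the persistence value shown in both variants above. It works on a .reg export (so it can run offline against a collected hive) and, on a Windows host, on the live registry through the standard winreg module. The export text is constructed to mirror the value in this profile; the SIDs are made up.

```python
"""Find non-empty "load"/"run" values under
HKEY_USERS\<SID>\Software\Microsoft\Windows NT\CurrentVersion\Windows,
the per-user logon hook this profile describes.

Added example, not from the McAfee write-up. SAMPLE_REG is a constructed
.reg export with made-up SIDs; the live check needs Windows (winreg).
"""
import re

WINDOWS_KEY = r"\Software\Microsoft\Windows NT\CurrentVersion\Windows"
WATCHED_VALUES = {"load", "run"}   # both are processed at user logon

# Constructed .reg export: one clean user and one carrying the profile's value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"=""
"run"=""

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1002\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="%AppData%\\F39NC5\\B76F4U~1.LNK"
"run"=""
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')   # REG_SZ entries only


def parse_reg_export(text):
    """Yield (key_path, value_name, value_data) for REG_SZ entries in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            name, data = m.groups()
            # .reg files escape backslashes and quotes inside string data.
            yield key, name, data.replace('\\\\', '\\').replace('\\"', '"')


def find_logon_hooks(text):
    """Return [(sid, value_name, data)] for every non-empty load/run value."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if (key.lower().endswith(WINDOWS_KEY.lower())
                and name.lower() in WATCHED_VALUES and data):
            sid = key.split("\\")[1] if key.upper().startswith("HKEY_USERS\\") else "HKCU"
            hits.append((sid, name, data))
    return hits


def find_logon_hooks_live():
    """Same check against the live registry on a Windows host."""
    import winreg   # Windows only
    hits = []
    i = 0
    while True:
        try:
            sid = winreg.EnumKey(winreg.HKEY_USERS, i)
        except OSError:
            break                      # no more loaded user hives
        i += 1
        try:
            with winreg.OpenKey(winreg.HKEY_USERS, sid + WINDOWS_KEY) as k:
                for name in WATCHED_VALUES:
                    try:
                        data, _ = winreg.QueryValueEx(k, name)
                    except OSError:
                        continue       # value not present
                    if data:
                        hits.append((sid, name, data))
        except OSError:
            continue                   # hive without that key (e.g. _Classes)
    return hits


if __name__ == "__main__":
    for sid, name, data in find_logon_hooks(SAMPLE_REG):
        print("%s: %s = %r" % (sid, name, data))
```

Any non-empty "load" value is unusual on a normal workstation; one that points into %AppData% at a .lnk or an executable, as here, should be treated as a persistence hit and the target file collected before the value is cleared.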


Removal Instructions

All Users:
Use the current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup (including the "load" value described above) are removed when cleaning with the recommended engine and DAT combination (or higher).
