ESET analysis links the Quervar virus to the Induc virus

The parasitic virus Quervar, currently “reported to be causing havoc on computers of several notable Dutch institutions”, is delivered, according to ESET, both by email and through other malware such as the Citadel botnet. Once on a target computer it spreads further by finding and infecting both executables and documents on network-mapped drives and removable media.

While it can steal browser histories and communicate with C&C servers, its main purpose appears to be building a botnet and downloading additional malware. What struck ESET most forcibly in its analysis, however, is the design and coding similarity with the earlier virus Induc.C. Both are written in Delphi, both are true file-infecting viruses, both target similar files for infection, and both have similar self-defense mechanisms (for example, exiting if the Task Manager process is found running).

Both viruses also carry hard-coded encrypted URLs for their C&C mechanism (although Quervar has progressed from Induc's simple per-byte scheme, XOR with 5 and add 7, to RC4), and in both cases the URLs point to avatar images on discussion forums. The avatars, in turn, contain further encrypted URLs. “It’s very likely that the malware writer is the same in both cases,” concludes ESET.
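As an added illustration, not code from ESET's analysis or from this article, the following Python contrasts the two URL-hiding schemes mentioned above. The operation order of the "xor 5, add 7" step (XOR first, then add), the RC4 key and the URL are assumptions constructed for the example; Quervar's real key and indicators are not given here. It shows why the older scheme offers no real protection: a fixed byte-wise transform with a guessable plaintext prefix (`http`) leaks its keys outright, whereas RC4 at least forces an analyst to pull the key out of the binary first.

```python
from typing import List, Optional

# Constructed sample values for the example; not real Quervar or Induc indicators.
SAMPLE_URL = b"http://forum.example.invalid/member.php?action=profile&uid=1234"
ASSUMED_RC4_KEY = b"constructed-example-key"


def xor_add_encode(data: bytes, xor_key: int = 5, add_key: int = 7) -> bytes:
    """Induc-style obfuscation as described in the article: XOR each byte with 5,
    then add 7 (mod 256). The XOR-then-add order is an assumption."""
    return bytes(((b ^ xor_key) + add_key) & 0xFF for b in data)


def xor_add_decode(data: bytes, xor_key: int = 5, add_key: int = 7) -> bytes:
    """Inverse of xor_add_encode: subtract first, then XOR."""
    return bytes(((b - add_key) & 0xFF) ^ xor_key for b in data)


def recover_xor_add_urls(blob: bytes, known_prefix: bytes = b"http") -> List[bytes]:
    """Keyless recovery. Every byte is transformed independently by the same
    (xor_key, add_key) pair, so a known plaintext prefix pins the keys: for each
    add_key the first blob byte forces the xor_key. Candidates must then decode
    the whole prefix and be printable ASCII. Distinct decodes are returned, since
    two key pairs yield the same map (XOR 0x80 equals add 0x80 mod 256)."""
    found = set()
    for add_key in range(256):
        xor_key = ((blob[0] - add_key) & 0xFF) ^ known_prefix[0]
        dec = xor_add_decode(blob, xor_key, add_key)
        if dec.startswith(known_prefix) and all(0x20 <= c < 0x7F for c in dec):
            found.add(dec)
    return sorted(found)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; the same call both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:                            # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_try_keys(blob: bytes, candidate_keys: List[bytes],
                 known_prefix: bytes = b"http") -> Optional[bytes]:
    """RC4 has no shortcut comparable to the affine case: the analyst must
    harvest key candidates from the sample (string table, constants passed to
    the crypto routine) and test each. Returns the first key whose decryption
    starts with the expected prefix, or None."""
    for key in candidate_keys:
        if rc4(key, blob).startswith(known_prefix):
            return key
    return None


if __name__ == "__main__":
    weak = xor_add_encode(SAMPLE_URL)
    print("xor/add blob  :", weak.hex())
    print("recovered     :", recover_xor_add_urls(weak))
    strong = rc4(ASSUMED_RC4_KEY, SAMPLE_URL)
    print("rc4 blob      :", strong.hex())
    print("guessed keys  :", rc4_try_keys(strong, [b"password", b"Quervar"]))
    print("harvested key :", rc4_try_keys(strong, [b"password", ASSUMED_RC4_KEY]))
```

The practical reading for an analyst: an Induc-style blob can be decoded straight from a hex dump with nothing but the assumption that it begins with `http`, while an RC4 blob requires locating the key material in the sample before any of the avatar URLs can be followed.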

Infosecurity asked ESET senior research fellow David Harley if there could be any significance in one of the main differences between Quervar.C and Induc.C: the former is predominantly active in The Netherlands, while the latter is predominantly in Russia and Slovakia. “It’s only conjecture,” he said, “but I think Eastern Europe is well in the frame as far as origin is concerned.” Quervar.C, he adds, “seems to be associated in some way with the Citadel botnet, and IIRC Citadel shuts down if it finds a Russian or Ukrainian keyboard on the infected system – and that argues a certain nervousness about upsetting Russian law enforcement.”
