Dorifel/Quervar: the support scammer’s secret weapon
(Publication)
| Field | Value |
|---|---|
| Botnet | Dorifel, XDocCrypt, Quervar |
| Malware | |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2012 / 13 Aug 2012 |
| Editor/Conference | ESET |
| Link | http://blog.eset.com/2012/08/11/dorifelquervar-the-support-scammers-secret-weapon (blog.eset.com; archive copy available) |
| Author | David Harley |
| Type | |
Abstract
“ The malware that some people are calling Dorifel or XDocCrypt (ESET detects it as Win32/Quervar.C and has a cleaner for it here) is having enormous impact right now, mostly in the Netherlands. It has some very interesting characteristics – it infects documents (and true executables) by appending them RC4-encrypted to the body of a new executable – and there’ll be a technical analysis by Róbert Lipovský here shortly.
However, apart from its intrinsic technical interest, it seems that it’s being used for scamming purposes that even its authors may not have anticipated. Martijn Grooten, of Virus Bulletin, tells me that it has attracted the attention of telephone support scammers, who are using it to convince potential victims in the Netherlands that they need to let the scammer ‘clean’ or ‘protect’ their systems. For a price, as always… ”
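The abstract describes the infection trick in one sentence: the original document or executable is RC4-encrypted and appended to the body of a new executable. The following script is an added illustration of that mechanism, not code from the ESET post or from the malware itself. The stub bytes, the 16-byte key and the little-endian length footer are constructed for the demo and are not the real Win32/Quervar.C layout or key (those are in Lipovský's analysis, not on this page). It shows two things a responder cares about: RC4 is symmetric, so recovering the original is the same keystream XOR once the key is known, and the appended ciphertext is high-entropy, which is a cheap triage signal for "container with something encrypted glued on".

```python
"""Model of the append-RC4-encrypted-original trick described in the abstract.

Assumptions (constructed for illustration, NOT Quervar's real format):
  container = STUB || RC4(key, original) || u32le length of the encrypted tail
"""
import math
import struct


def rc4_keystream(key: bytes):
    """Generator yielding RC4 keystream bytes for `key` (textbook KSA + PRGA)."""
    # Key-scheduling algorithm
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: RC4 is a stream cipher, so both are the same XOR."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


# Constructed stand-in for the dropper's executable body (a fake PE-ish header
# followed by filler). Real samples carry a working loader stub here.
STUB = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\xcc" * 200
DEMO_KEY = b"illustration-key"  # assumption for the demo, not the real key


def wrap(original: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Build a container: stub, then the RC4-encrypted original, then its length."""
    enc = rc4(key, original)
    return STUB + enc + struct.pack("<I", len(enc))


def unwrap(container: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Recover the original from a container built by wrap(): read the length
    footer, slice the encrypted tail, and apply the same RC4 keystream."""
    (n,) = struct.unpack("<I", container[-4:])
    enc = container[-4 - n:-4]
    return rc4(key, enc)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def looks_like_appended_payload(container: bytes,
                                stub_len: int = len(STUB),
                                threshold: float = 7.0) -> bool:
    """Triage heuristic: a sizeable, near-random tail after the executable body
    is consistent with an encrypted file having been appended. Documents and
    plain executables rarely exceed ~7 bits/byte over a long stretch."""
    tail = container[stub_len:-4]
    return len(tail) > 64 and shannon_entropy(tail) > threshold


if __name__ == "__main__":
    # Constructed sample "document": repetitive text, hence low entropy.
    doc = b"%PDF-1.4 quarterly report, figures attached\n" * 40
    c = wrap(doc)
    print("original entropy  :", round(shannon_entropy(doc), 2))
    print("encrypted entropy :", round(shannon_entropy(c[len(STUB):-4]), 2))
    print("flagged           :", looks_like_appended_payload(c))
    print("recovered OK      :", unwrap(c) == doc)
```

The entropy check is deliberately crude: it flags any appended high-entropy blob, including compressed data and legitimate overlays, so it is a triage filter, not a verdict. The recovery side only works because the key is known; in a real case the key comes from reversing the stub, which is exactly what a vendor cleaner encodes.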
Bibtex
@misc{2012BFR1095,
  editor       = {ESET},
  author       = {David Harley},
  title        = {Dorifel/Quervar: the support scammer’s secret weapon},
  day          = {13},
  month        = aug,
  year         = {2012},
  howpublished = {\url{http://blog.eset.com/2012/08/11/dorifelquervar-the-support-scammers-secret-weapon}},
}