Win32/Qbot [Threat Name]
Win32/Qbot.AN [Threat Variant Name]
Category | trojan
Size | 201728 B
Aliases | Net-Worm.Win32.Kolab.ucv (Kaspersky), Backdoor:Win32/Qakbot.gen!B (Microsoft), W32.Qakbot (Symantec)
Short description
Win32/Qbot.AN installs a backdoor that can be controlled remotely. The file is run-time compressed using UPX.
Installation
When executed, the trojan creates the following folder:
- %commonappdata%\microsoft\%variable1%\
The following files are dropped in the same folder:
- %variable1%.exe (201728 B)
- %variable1%.dll (110080 B)
- %variable2%.dll
- %variable3%.dll
- %variable4%_user
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "%variable5%" = "%commonappdata%\microsoft\%variable1%\%variable1%.exe"
A string with variable content is used instead of %variable1-5%.
The trojan may replace existing Registry records referenced by the following Registry entries with a link to the malware file:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
The trojan creates and runs a new thread with its own program code within the following processes:
- explorer.exe
- iexplore.exe
Spreading
The trojan tries to copy itself to the available shared network folders.
The files are stored in one of the following folders:
- \\%remotecomputer%\Admin$\
- \\%remotecomputer%\C$\
Its filename may be one of the following:
- _qbot%variable%.exe
- q%variable%.dll
A string with variable content is used instead of %variable%.
The trojan may create copies of itself in the folder:
- %drive%\RECYCLER\%existingfolder%\
The following filenames are used:
- Dc%number%.exe
- Dc%number%.dll
A string with variable content is used instead of %number%.
The trojan may create copies of itself using the following filenames:
- %drive%\%variable%_Documents.exe
- %drive%\%variable%_y.exe
- %drive%\%variable%_%existingfile(folder)name%.exe
- %drive%\%variable%.exe
A string with variable content is used instead of %variable%.
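The Installation and Spreading sections above describe where this variant places its files and how the Run key value is formed. The following triage helper is an added example, not ESET's code: it turns those placement patterns into regular expressions and classifies constructed Run-key values and file paths (host name, SID and generated names are made up) so a responder can sweep an autoruns or share-inventory export for the same shapes.

```python
"""Added triage helper (not ESET's code): classify file paths and Run-key
values against the Win32/Qbot.AN placement patterns described above.
All sample inputs below are constructed for illustration."""
import re

# %commonappdata% expands to C:\ProgramData (Vista+) or to
# C:\Documents and Settings\All Users\Application Data (XP); accept both.
_COMMON_APPDATA = (r"(?:%commonappdata%|c:\\programdata|"
                   r"c:\\documents and settings\\all users\\application data)")

# (label, regex) rules mirroring the Installation and Spreading sections. The
# \1 back-reference enforces that the dropped folder and its exe share a name.
RULES = [
    ("run_key_payload",
     re.compile(_COMMON_APPDATA + r"\\microsoft\\([^\\]+)\\\1\.exe$", re.I)),
    ("admin_share_copy",
     re.compile(r"^\\\\[^\\]+\\(?:admin\$|c\$)\\(?:_qbot[^\\]*\.exe|q[^\\]*\.dll)$", re.I)),
    ("recycler_copy",
     re.compile(r"^[a-z]:\\recycler\\[^\\]+\\dc\d+\.(?:exe|dll)$", re.I)),
    ("temp_dropper",
     re.compile(r"^(?:%temp%|c:\\users\\[^\\]+\\appdata\\local\\temp)"
                r"\\[^\\]+(?:sb\.exe|\.zbz)$", re.I)),
]

def classify(path):
    """Return the label of the first matching rule, or None if clean."""
    path = path.strip().strip('"')  # Run values are often quoted
    for label, rx in RULES:
        if rx.search(path):
            return label
    return None

def triage(entries):
    """entries: iterable of (source, path). Returns (source, path, label) hits."""
    hits = [(src, p, classify(p)) for src, p in entries]
    return [h for h in hits if h[2]]

# Constructed sample in the shape an autoruns or inventory export might give;
# the host name, SID and generated names are made up.
SAMPLE = [
    ("HKLM\\...\\Run\\jkdsfh", r'"C:\ProgramData\Microsoft\jkdsfh\jkdsfh.exe"'),
    ("HKCU\\...\\Run\\OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    ("share_scan", r"\\FILESRV01\Admin$\_qbotinj.exe"),
    ("share_scan", r"\\FILESRV01\C$\setup.exe"),
    ("disk_scan", r"D:\RECYCLER\S-1-5-21-1000\Dc12.dll"),
]

if __name__ == "__main__":
    for src, p, label in triage(SAMPLE):
        print(f"{label:18} {src:28} {p}")
```

The back-reference rule is deliberately narrow: a Run value under %commonappdata%\microsoft\ whose folder and executable names differ does not match, which keeps legitimate software installed there out of the hit list.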
Other information
The trojan contains a backdoor. It can be controlled remotely.
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of URLs. The HTTP, FTP and IRC protocols are used.
It can execute the following operations:
- log keystrokes
- run executable files
- terminate running processes
- download files from a remote computer and/or the Internet
- send files to a remote computer
- update itself to a newer version
- send gathered information
- block access to specific websites
- steal information from the Windows clipboard
- insert IFRAME tag(s) into HTML pages with a specific URL pointing to malicious software
- create a scheduled task that repeatedly executes the malicious file
The trojan collects the following information:
- operating system version
- Outlook Express account data
- a list of recently visited URLs
- user name
- computer name
- network adapter information
- cookies
- digital certificates
- login user names for certain applications/services
- login passwords for certain applications/services
- the list of installed software
The trojan blocks access to any domains that contain any of the following strings in their name:
- .eset
- agnitum
- ahnlab
- arcabit
- avast
- avg
- avira
- avp
- bit9
- bitdefender
- castlecops
- centralcommand
- clamav
- comodo
- computerassociates
- cpsecure
- defender
- drweb
- emsisoft
- esafe
- etrust
- ewido
- fortinet
- f-prot
- f-secure
- gdata
- grisoft
- hacksoft
- hauri
- ikarus
- jotti
- k7computing
- kaspersky
- malware
- mcafee
- networkassociates
- nod32
- norman
- norton
- panda
- pctools
- prevx
- quickheal
- rising
- rootkit
- securecomputing
- sophos
- spamhaus
- spyware
- sunbelt
- symantec
- threatexpert
- trendmicro
- virus
- webroot.
- wilderssecurity
- windowsupdate
The trojan collects sensitive information when the user browses certain websites.
The following keywords are monitored:
- /cashman/
- /cashplus/
- /cmserver/
- access.jpmorgan.com
- businessaccess.citibank.citigroup.com
- business-eb.ibanking-services.com
- businessonline.huntington.com
- cashproonline.bankofamerica.com
- cpw-achweb.bankofamerica.com
- directline4biz.com
- directpay.wellsfargo.com
- ebanking-services.com
- express.53.com
- ibc.klikbca.com
- itreasury.regions.com
- itreasurypr.regions.com
- ktt.key.com
- moneymanagergps.com
- netconnect.bokf.com
- onb.webcashmgmt.com
- onlineserv/CM
- premierview.membersunited.org
- singlepoint.usbank.com
- tmconnectweb
- treas-mgt.frostbank.com
- treasury.pncbank.com
- web-cashplus.com
The trojan hooks the following Windows APIs:
- NtQuerySystemInformation (ntdll.dll)
- GetProcAddress (kernel32.dll)
- FindFirstFileW (kernel32.dll)
- FindNextFileW (kernel32.dll)
- FindFirstFileA (kernel32.dll)
- FindNextFileA (kernel32.dll)
- RegEnumValueW (advapi32.dll)
- RegEnumValueA (advapi32.dll)
- GetClipboardData (user32.dll)
- CharToOemBuffA (user32.dll)
- HttpOpenRequestA (wininet.dll)
- InternetCloseHandle (wininet.dll)
- HttpSendRequestA (wininet.dll)
- InternetReadFile (wininet.dll)
- HttpOpenRequestW (wininet.dll)
- InternetQueryDataAvailable (wininet.dll)
- InternetReadFileExA (wininet.dll)
- HttpSendRequestW (wininet.dll)
- connect (ws2_32.dll)
- send (ws2_32.dll)
- WSASend (ws2_32.dll)
- WSAConnect (ws2_32.dll)
The trojan may replace existing Registry records referenced by the following Registry entries with a link to the malware file:
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
The trojan may set the following Registry entries:
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "%variable5%" = "%commonappdata%\microsoft\%variable1%\%variable1%.exe"
The trojan may create the following files:
- %temp%\%variable%sb.exe
- %temp%\%variable%.zbz