Win32/Qbot [Threat Name]
Win32/Qbot.AY [Threat Variant Name]
Category | trojan |
Size | 410256 B |
Aliases | Backdoor:Win32/Qakbot.gen!C (Microsoft), W32.Qakbot (Symantec) |
Short description
Win32/Qbot.AY installs a backdoor that can be controlled remotely.
Installation
When executed, the trojan creates the following folders:
- %commonappdata%\microsoft\%variable1%\
The following files are dropped in the same folder:
- %variable1%.exe
- %variable2%.dll
- %variable3%.dll
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "%variable4%" = "%commonappdata%\microsoft\%variable1%\%variable1%.exe"
A string with variable content is used instead of %variable1-4%.
The trojan may replace existing values under the following Registry key with a link to the malware file:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
The trojan creates and runs a new thread with its own program code within the following processes:
- explorer.exe
Spreading
The trojan may create copies of itself using the following filenames:
- %drive%\%variable%_Documents.exe
- %drive%\%variable%_%existingfile(folder)name%.exe
A string with variable content is used instead of %variable%.
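A triage script for the artifacts described under Installation and Spreading, added here as an example; it is not ESET's code and not part of the original description. It runs over constructed sample data (a Run key export, a listing of the dropped folder and the root of a removable drive); every value name, folder name and file name in it is hypothetical, and %commonappdata% is assumed to be C:\ProgramData. The checks mirror the description: a Run value pointing to %commonappdata%\microsoft\X\X.exe, a folder holding that EXE plus two DLLs, and root-level copies named %variable%_Documents.exe or %variable%_<existing name>.exe.

```python
import re
from pathlib import PureWindowsPath

# Assumed value of %commonappdata% on the examined host.
COMMONAPPDATA = PureWindowsPath(r"C:\ProgramData")

# Constructed sample artifacts (hypothetical names, not real data from the page).
SAMPLE_RUN_VALUES = {  # HKLM\...\CurrentVersion\Run exported as "name": "data"
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    "hbxqmj": r'"C:\ProgramData\Microsoft\hbxqmj\hbxqmj.exe"',
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
}
SAMPLE_FOLDER_LISTINGS = {  # directory path -> file names found in it
    r"C:\ProgramData\Microsoft\hbxqmj": ["hbxqmj.exe", "ypwuka.dll", "ktsorn.dll"],
    r"C:\ProgramData\Microsoft\Crypto": ["keys.dat"],
}
SAMPLE_DRIVE_ROOT = [  # names at the root of a removable drive
    "Documents", "Invoices", "report.docx", "xqzv_Documents.exe", "xqzv_Invoices.exe",
]


def qbot_shaped_run_entry(value_data):
    r"""True when a Run value resolves to %commonappdata%\Microsoft\X\X.exe."""
    p = PureWindowsPath(value_data.strip().strip('"'))
    # PureWindowsPath compares case-insensitively, matching NTFS behaviour.
    if p.parent.parent != COMMONAPPDATA / "Microsoft":
        return False
    return p.name.lower() == p.parent.name.lower() + ".exe"


def suspicious_run_entries(run_values):
    """Names of Run values whose data matches the installation pattern."""
    return sorted(n for n, d in run_values.items() if qbot_shaped_run_entry(d))


def dropped_folder_matches(folder, names):
    """True when the folder holds X.exe (X = folder name) and exactly two DLLs."""
    stem = PureWindowsPath(folder).name.lower()
    lower = [n.lower() for n in names]
    exes = [n for n in lower if n.endswith(".exe")]
    dlls = [n for n in lower if n.endswith(".dll")]
    return exes == [stem + ".exe"] and len(dlls) == 2


def spread_copies(root_names):
    """Names shaped like %variable%_Documents.exe or %variable%_<existing name>.exe."""
    existing = {n.lower() for n in root_names}
    hits = []
    for name in root_names:
        m = re.fullmatch(r"([^_\\/]+)_(.+)\.exe", name, re.IGNORECASE)
        if not m:
            continue
        target = m.group(2).lower()
        if target == "documents" or target in existing:
            hits.append(name)
    return hits


def triage(run_values, folder_listings, drive_root):
    """Combine the three checks into one report."""
    names = suspicious_run_entries(run_values)
    folders = {}
    for n in names:
        folder = str(PureWindowsPath(run_values[n].strip().strip('"')).parent)
        folders[folder] = dropped_folder_matches(folder, folder_listings.get(folder, []))
    return {
        "run_values": names,
        "folders": folders,
        "spread_copies": spread_copies(drive_root),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_RUN_VALUES, SAMPLE_FOLDER_LISTINGS, SAMPLE_DRIVE_ROOT))
```

Because the variant hooks FindFirstFile/FindNextFile and RegEnumValue (see the API list below), listings taken from inside the infected session may omit these artifacts; feed the script with data collected from an offline or clean boot.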
Other information
The trojan contains a backdoor. It can be controlled remotely.
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of URLs. The HTTP, FTP and IRC protocols are used.
It can execute the following operations:
- log keystrokes
- run executable files
- terminate running processes
- download files from a remote computer and/or the Internet
- send files to a remote computer
- update itself to a newer version
- send gathered information
- block access to specific websites
- steal information from the Windows clipboard
- insert IFRAME tag(s) into HTML pages with a specific URL pointing to malicious software
- create a scheduled task that repeatedly executes the malicious file
The trojan collects the following information:
- operating system version
- a list of recently visited URLs
- user name
- computer name
- network adapter information
- cookies
- digital certificates
- login user names for certain applications/services
- login passwords for certain applications/services
- the list of installed software
The trojan blocks access to any domains that contain any of the following strings in their name:
- .eset
- agnitum
- ahnlab
- arcabit
- avast
- avg
- avira
- avp
- bit9
- bitdefender
- castlecops
- centralcommand
- clamav
- clearclouddns
- comodo
- computerassociates
- cpsecure
- defender
- drweb
- emsisoft
- esafe
- etrust
- ewido
- fortinet
- f-prot
- f-secure
- gdata
- grisoft
- hacksoft
- hauri
- ikarus
- jotti
- k7computing
- kaspersky
- malware
- mcafee
- networkassociates
- nod32
- norman
- norton
- panda
- pctools
- prevx
- quickheal
- rising
- rootkit
- securecomputing
- sophos
- spamhaus
- spyware
- sunbelt
- symantec
- threatexpert
- trendmicro
- virus
- webroot.
- wilderssecurity
- windowsupdate
The trojan collects sensitive information when the user browses certain web sites.
The following keywords are monitored:
- jpMorgan.com
- onlineserv/cm
- 53.com
- citibank.citigroup.com
- usbank.com
- citizensbankmoneymanagergps.com
- ktt.key.com
- bankofamerica.com
- wachovia.com
- capitalonebank.com
- firstcitizensonline.com
The trojan hooks the following Windows APIs:
- ZwQuerySystemInformation (ntdll.dll)
- GetProcAddress (kernel32.dll)
- FindFirstFileA (kernel32.dll)
- FindFirstFileW (kernel32.dll)
- FindNextFileW (kernel32.dll)
- FindNextFileA (kernel32.dll)
- RegEnumValueA (advapi32.dll)
- RegEnumValueW (advapi32.dll)
- GetClipboardData (user32.dll)
- CharToOemBuffA (user32.dll)
- HttpOpenRequestA (wininet.dll)
- HttpOpenRequestW (wininet.dll)
- InternetCloseHandle (wininet.dll)
- HttpSendRequestA (wininet.dll)
- HttpSendRequestW (wininet.dll)
- InternetReadFileA (wininet.dll)
- InternetReadFileExA (wininet.dll)
- InternetQueryDataAvailable (wininet.dll)
- connect (ws2_32.dll)
- send (ws2_32.dll)
- WSASend (ws2_32.dll)
- WSAConnect (ws2_32.dll)
- DnsQuery_A (Dnsapi.dll)
- DnsQuery_W (Dnsapi.dll)
- GetTcpTable (Iphlpapi.dll)
- AllocateAndGetTcpExTableFromStack (Iphlpapi.dll)
The trojan may replace existing values under the following Registry key with a link to the malware file:
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
The trojan may set the following Registry entries:
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "%variable4%" = "%commonappdata%\microsoft\%variable1%\%variable1%.exe"
The trojan may create the following files:
- %temp%\%variable%.zbr
A string with variable content is used instead of %variable%.