Win32/Qbot [Threat Name] go to Threat

Win32/Qbot.AU [Threat Variant Name]

Category trojan
Size 345704 B
Detection created Jan 10, 2011
Signature database version 5776
Aliases Net-Worm.Win32.Kolab.ucv (Kaspersky)
  Backdoor:Win32/Qakbot.gen!B (Microsoft)
  W32.Qakbot (Symantec)
Short description

Win32/Qbot.AU installs a backdoor that can be controlled remotely.

Installation

When executed, the trojan creates the following folders:

  • %commonappdata%\­microsoft\­%variable1%\­

The following files are dropped in the same folder:

  • %variable1%.exe
  • %variable2%.dll
  • %variable3%.dll

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%variable4%" = "%commonappdata%\­microsoft\­%variable1%\­%variable1%.exe"

A string with variable content is used instead of %variable1-4% .


The trojan may replace existing Registry records referenced by the following Registry entries with the link to malware file:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]

The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe
Spreading

The trojan may create copies of itself using the following filenames:

  • %drive%\­%variable%_Documents.exe
  • %drive%\­%variable%_%existingfile(folder)name%.exe

A string with variable content is used instead of %variable% .

Other information

The trojan contains a backdoor. It can be controlled remotely.


The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of URLs. The HTTP, FTP, IRC protocol is used.


It can execute the following operations:

  • log keystrokes
  • run executable files
  • terminate running processes
  • download files from a remote computer and/or the Internet
  • send files to a remote computer
  • update itself to a newer version
  • send gathered information
  • block access to specific websites
  • steal information from the Windows clipboard
  • insert IFRAME tag(s) into HTML pages with a specific URL pointing to malicious software
  • create a scheduled task that repeatedly executes the malicious file

The trojan collects the following information:

  • operating system version
  • a list of recently visited URLs
  • user name
  • computer name
  • network adapter information
  • cookies
  • digital certificates
  • login user names for certain applications/services
  • login passwords for certain applications/services
  • the list of installed software

The trojan blocks access to any domains that contain any of the following strings in their name:

  • .eset
  • agnitum
  • ahnlab
  • arcabit
  • avast
  • avg
  • avira
  • avp
  • bit9
  • bitdefender
  • castlecops
  • centralcommand
  • clamav
  • comodo
  • computerassociates
  • cpsecure
  • defender
  • drweb
  • emsisoft
  • esafe
  • etrust
  • ewido
  • fortinet
  • f-prot
  • f-secure
  • gdata
  • grisoft
  • hacksoft
  • hauri
  • ikarus
  • jotti
  • k7computing
  • kaspersky
  • malware
  • mcafee
  • networkassociates
  • nod32
  • norman
  • norton
  • panda
  • pctools
  • prevx
  • quickheal
  • rising
  • rootkit
  • securecomputing
  • sophos
  • spamhaus
  • spyware
  • sunbelt
  • symantec
  • threatexpert
  • trendmicro
  • virus
  • webroot.
  • wilderssecurity
  • windowsupdate

The trojan collects sensitive information when the user browses certain web sites.


The following keywords are monitored:

  • jpMorgan.com
  • onlineserv/cm
  • 53.com
  • citibank.citigroup.com
  • usbank.com
  • citizensbankmoneymanagergps.com
  • ktt.key.com
  • bankofamerica.com
  • wachovia.com
  • capitalonebank.com
  • firstcitizensonline.com

The trojan hooks the following Windows APIs:

  • ZwQuerySystemInformation (ntdll.dll)
  • GetProcAddress (kernel32.dll)
  • FindFirstFileA (kernel32.dll)
  • FindFirstFileW (kernel32.dll)
  • FindNextFileW (kernel32.dll)
  • FindNextFileA (kernel32.dll)
  • RegEnumValueW (advapi32.dll)
  • GetClipboardData (user32.dll)
  • CharToOemBuffA (user32.dll)
  • HttpOpenRequestA (wininet.dll)
  • HttpOpenRequestW (wininet.dll)
  • InternetCloseHandle (wininet.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • InternetReadFileA (wininet.dll)
  • InternetReadFileExA (wininet.dll)
  • InternetQueryDataAvailable (wininet.dll)
  • InternetCloseHandle (wininet.dll)
  • connect (ws2_32.dll)
  • send (ws2_32.dll)
  • WSASend (ws2_32.dll)
  • WSAConnect (ws2_32.dll)
  • DnsQuery_A (Dnsapi.dll)
  • DnsQuery_W (Dnsapi.dll)
  • GetTcpTable (Iphlpapi.dll)
  • AllocateAndGetTcpExTableFromStack (Iphlpapi.dll)

The trojan may replace existing Registry records referenced by the following Registry entries with the link to malware file:

  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%variable4%" = "%commonappdata%\­microsoft\­%variable1%\­%variable1%.exe"

The trojan may create the following files:

  • %temp%\­%variable%.zbz

A string with variable content is used instead of %variable% .

Please enable Javascript to ensure correct displaying of this content and refresh this page.