BKDR_QAKBOT.EOF

This backdoor may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.

It sends the information it gathers to remote sites.

Arrival Details

This backdoor may be dropped by other malware.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This backdoor injects codes into the following process(es):

• EXPLORER.EXE
• IEXPLORE.EXE

Process Termination

This backdoor terminates the following services if found on the affected system:

• webroot
• agnitum
• ahnlab
• arcabit
• avast
• avg
• avira
• avp
• bitdefender
• bit9
• castlecops
• centralcommand
• clamav
• comodo
• computerassociates
• cpsecure
• defender
• drweb
• emsisoft
• esafe
• eset
• etrust
• ewido
• fortinet
• f-prot
• f-secure
• gdata
• grisoft
• hacksoft
• hauri
• ikarus
• jotti
• k7computing
• kaspersky
• malware
• mcafee
• microsoft
• networkassociates
• nod32
• norman
• norton
• panda
• pctools
• prevx
• quickheal
• rising
• rootkit
• securecomputing
• sophos
• spamhaus
• spyware
• sunbelt
• symantec
• threatexpert
• trendmicro
• virus
• wilderssecurity
• windowsupdate

It terminates the following processes if found running in the affected system's memory:

• R&Q.exe
• ccApp.exe
• cmd.exe
• ctfmon.exe
• dbgview.exe
• far.exe
• mirc.exe
• mmc.exe
• msdev.exe
• nc.exe
• ollydbg.exe
• outlook.exe
• photoed
• skype

Information Theft

This backdoor monitors the Internet Explorer (IE) activities of the affected system, specifically the address bar or title bar. It recreates a legitimate website with a spoofed login page if a user visits banking sites with the following strings in the address bar or title bar:

• netconnect.bokf.com
• business-eb.ibanking-services.com
• cashproonline.bankofamerica.com
• /cashplus/
• ebanking-services.com
• /cashman/
• web-cashplus.com
• treas-mgt.frostbank.com
• business-eb.ibanking-services.com
• treasury.pncbank.com
• access.jpmorgan.com
• ktt.key.com
• onlineserv/CM
• premierview.membersunited.org
• directline4biz.com
• onb.webcashmgmt.com
• tmconnectweb
• moneymanagergps.com
• ibc.klikbca.com
• directpay.wellsfargo.com
• express.53.com
• itreasury.regions.com
• itreasurypr.regions.com
• cpw-achweb.bankofamerica.com
• businessaccess.citibank.citigroup.com
• businessonline.huntington.com

It sends the information it gathers to remote sites.

Other Details

This backdoor does the following:

• It requires other components to run properly.
• This backdoor may be a part of a multicomponent malware that belongs to BKDR_QAKBOT family.
• It may create an autostart registry entry to enable its automatic execution at system startup.
• It sends the following information to its C&C server:
  ext_ip
  dnsname
  hostname
  country br>state
  city
  user
  domain
  is_admin
  os
  time
  qbot_version
  install_time
• It may send the gathered information to the following Web sites where it can also download other component files:
  http://{BLOCKED}ver.com.ua/cgi-bin/ss.pl
  http://{BLOCKED}wthewhistle.com/cgi-bin/clientinfo3.pl
  http://www.{BLOCKED}cdc2121cdsfdfd.com
  http://{BLOCKED}n/cgi-bin/jl/jloader.pl
  http://{BLOCKED}cn/cgi-bin/jloader.pl
• Based on its code, it is capable of connecting to a certain IRC server using a certain port and joins a channel where it receives commands from a malicious user.
• Other component files may have the following names:
  crontab.cb
  updates98.cb
  alias_updates.cb
  updates.cb
  updates1.cb
  updates*_new.cb
  alias__qbot.cb
  alias__qbotnti.exe
  _qbotinj.exe
  _qbotnti.exe
  _qbot.dll
  alias__qbot.dll
  alias__qbotinj.exe
  alias__qbot.cb