WORM_QAKBOT.SMOT

This worm may be downloaded by other malware/grayware/spyware from remote sites.

It uses the Windows Task Scheduler to add a scheduled task that executes the copies it drops.

It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.

It modifies the Internet Explorer Zone Settings.

It prevents users from visiting antivirus-related websites that contain specific strings.

Arrival Details

This worm may arrive via network shares.

It may be downloaded by other malware/grayware/spyware from remote sites.

Installation

This worm drops the following copies of itself into the affected system and executes them:

• %Application Data%\Microsoft\{random folder name}\{random file name}.exe

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following component file(s):

• %Application Data%\Microsoft\{random folder}\{random file name}.dll - encrypted component
• %Application Data%\Microsoft\{random folder}\{random file name}32.dll - encrypted configuration file
• %Application Data%\Microsoft\{random file name}.wpl - Javascript component detected as JS_QAKBOT.SM1
• %Windows%\Tasks\{GUID 2}.job (for Windows XP and below) - executes the Javascript component
  %System%\Tasks\{GUID 2} (for Windows Vista and above) - executes the Javascript component
• %Windows%\Tasks\{GUID 1}.job (for Windows XP and below) - executes the dropped copy
  %System%\Tasks\{GUID 1} (for Windows Vista and above) - executes the dropped copy

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It uses the Windows Task Scheduler to add a scheduled task that executes the copies it drops.

It creates the following folders:

• %Application Data%\Microsoft\{random folder}

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It injects codes into the following process(es):

• explorer.exe

Autostart Technique

This worm registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{random key}
ImagePath = "%Application Data%\Microsoft\{random folder}\{random file name}.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{random key}
DisplayName = "Remote Procedure Call (RPC) Service"

It adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random name} = "%Application Data%\{random folder name}\{random filename}.exe"

It drops the following file(s) in the Windows Startup folder to enable its automatic execution at every system startup:

• {random filename}.lnk

Propagation

This worm uses the following user name and password to gain access to password-protected shares:

• Password
• letmein
• 12345
• 123456
• 1234567
• 12345678
• 123456789
• 1234567890
• qwerty
• iloveyou
• princess
• pussy
• master
• monkey
• abc123
• 99999999
• 9999999
• 999999
• 99999
• 88888888
• 8888888
• 888888
• 88888
• 77777777
• 7777777
• 777777
• 77777
• 66666666
• 6666666
• 666666
• 66666
• 55555555
• 5555555
• 555555
• 55555
• 44444444
• 4444444
• 444444
• 44444
• 33333333
• 3333333
• 333333
• 33333
• 22222222
• 2222222
• 222222
• 22222
• 11111111
• 1111111
• 111111
• 11111
• 00000000
• 0000000
• 00000
• 0987654321
• 987654321
• 87654321
• 7654321
• 654321
• 54321
• super
• secret
• server
• computer
• owner
• backup
• database
• lotus
• oracle
• business
• manager
• temporary
• ihavenopass
• nothing
• nopassword
• nopass
• Internet
• internet
• example
• sample
• love123
• boss123
• work123
• home123
• mypc123
• temp123
• test123
• qwe123
• pw123
• root123
• pass123
• pass12
• pass1
• admin123
• admin12
• admin1
• password123
• password12
• password1
• default
• foobar
• foofoo
• temptemp
• testtest
• rootroot
• zzzzz
• xxxxx
• qqqqq
• aaaaa
• intranet
• controller
• killer
• games
• private
• market
• coffee
• cookie
• forever
• freedom
• student
• account
• academia
• files
• windows
• monitor
• unknown
• anything
• letitbe
• domain
• access
• money
• campus
• explorer
• exchange
• customer
• cluster
• nobody
• codeword
• codename
• changeme
• desktop
• security
• secure
• public
• system
• shadow
• office
• supervisor
• superuser
• share
• adminadmin
• mypassword
• mypass
• Login
• login
• passwd
• zxcvbn
• zxcvb
• zxccxz
• zxcxz
• qazwsxedc
• qazwsx
• q1w2e3
• qweasdzxc
• asdfgh
• asdzxc
• asddsa
• asdsa
• qweasd
• qweewq
• qwewq
• nimda
• administrator
• Admin
• admin
• a1b2c3
• 1q2w3e
• 1234qwer
• 1234abcd
• 123asd
• 123qwe
• 123abc
• 123321
• 12321
• 123123
• James
• Robert
• Michael
• William
• David
• Richard
• Charles
• Joseph
• Thomas
• Christopher
• Daniel
• Donald
• George
• Kenneth
• Steven
• Edward
• Brian
• Ronald
• Anthony
• Kevin
• Patricia
• Linda
• Barbara
• Elizabeth
• Jennifer
• Maria
• Susan
• Margaret
• Dorothy
• Nancy
• Karen
• Betty
• Helen
• Sandra
• Donna
• Carol
• james
• robert
• michael
• william
• david
• richard
• charles
• joseph
• thomas
• christopher
• daniel
• donald
• george
• kenneth
• steven
• edward
• brian
• ronald
• anthony
• kevin
• patricia
• linda
• barbara
• elizabeth
• jennifer
• maria
• susan
• margaret
• dorothy
• nancy
• karen
• betty
• helen
• sandra
• donna
• carol
• baseball
• dragon
• football
• mustang
• superman
• 696969
• batman
• trustno1

Backdoor Routine

This worm executes the following commands from a remote malicious user:

• Download and execute component files
• Download configuration and updates
• Download updated copy of itself
• Uninstall itself
• Kill processes
• Upload files containing stolen information
• Perform FTP functionalities

It connects to the following websites to send and receive information:

• http://{BLOCKED}sedkr.biz:443
• http://{BLOCKED}gqoj.net:443
• http://{BLOCKED}hhgzheqksxj.biz:443
• http://{BLOCKED}oltxnorwhtqo.com:443
• http://{BLOCKED}vsotsibqblhvkm.info:443

Process Termination

This worm terminates the following processes if found running in the affected system's memory:

• msdev.exe
• dbgview.exe
• ollydbg.exe
• ctfmon.exe
• Proxifier.exe

Web Browser Home Page and Search Page Modification

This worm modifies the Internet Explorer Zone Settings.

Information Theft

This worm gathers the following data:

• GeoIP locations
• Browser c ookies
• Flash cookies
• System information
  • IP Address
  • DNS Name
  • Hostname
  • User Name
  • Domain
  • User Privilege
  • OS version
  • Network Interfaces (address, netmask and status)
• Software installed
• FTP, POP3, IMAP, SMTP, HTTPMail, NNTP Passwords
• Outlook login credentials
• Private keys from system certificates
• Login credentials for certain websites
• Internet sessions

Other Details

This worm connects to the following URL(s) to get the affected system's IP address:

• www.ip-adress.com

It prevents users from visiting antivirus-related websites that contain the following strings:

• siteadvisor.com
• avgthreatlabs.com
• safeweb.norton.com

NOTES:

Once gained access to network shares, it attempts to drop copies of itself to the following locations:

• ADMIN$
• C$

It prevents users from visiting antivirus-related websites that contain the following strings:

• siteadvisor.com
• avgthreatlabs.com
• safeweb.norton.com

This backdoor connects to a certain IRC server using a specific port and joins a channel where it receives commands from a malicious user. It sends the following information to its C&C server:

• ext_ip
• dnsname
• hostname
• user
• domain
• is_admin
• os
• qbot_version
• install_time
• exe

It does not perform its intended routine if it is executed in the following Virtual Environments:

• Virtual HD
• VirtualProtect
• VirtualBox
• CWSandbox
• VMWare

It sends stolen information to the following FTP servers using specific usernames and passwords to login:

• {BLOCKED}9.{BLOCKED}5.{BLOCKED}4.60 (username: {BLOCKED}ager@{BLOCKED}ton1.com, password: {BLOCKED}S1)
• {BLOCKED}0.{BLOCKED}7.{BLOCKED}0.203 (username: {BLOCKED}p@{BLOCKED}daily.com, password: {BLOCKED}e6)
• {BLOCKED}9.{BLOCKED}5.{BLOCKED}4.60 (username: {BLOCKED}ager@{BLOCKED}ton1.com, password: {BLOCKED}cS1)
• {BLOCKED}2.{BLOCKED}4.{BLOCKED}2.241 (username: {BLOCKED}min@{BLOCKED}ronics.com, password: {BLOCKED}QX)
• {BLOCKED}0.{BLOCKED}7.{BLOCKED}0.203 (username: {BLOCKED}p@{BLOCKED}daily.com, password: {BLOCKED}Fe6)
• {BLOCKED}1.{BLOCKED}4.{BLOCKED}8.240 (username: {BLOCKED}p@{BLOCKED}raphy.com, password: {BLOCKED}Xn)

It monitors the browsing activities of the infected computer and logs all information related to websites containing the following strings:

• ine4biz.com
• .webcashmgmt.com
• tmconnectweb
• moneymanagergps.com
• ibc.klikbca.com
• directpay.wellsfargo.com
• express.53.com
• ctm.53.com
• itreasury.regions.com
• itreasurypr.regions.com
• cpw-achweb.bankofamerica.com
• businessaccess.citibank.citigroup.com
• businessonline.huntington.com
• /cmserver/
• goldleafach.com
• iachwellsprod.wellsfargo.com
• achbatchlisting
• /achupload
• commercial2.wachovia.com
• commercial3.wachovia.com
• commercial4.wachovia.com
• wc.wachovia.com
• commercial.wachovia.com
• wcp.wachovia.com
• chsec.wellsfargo.com
• wellsoffice.wellsfargo.com
• /ibws/
• /stbcorp/
• /payments/ach
• trz.tranzact.org
• /wiret
• /payments/ach
• cbs.firstcitizensonline.com
• /corpach/
• scotiaconnect.scotiabank.com
• webexpress.tdbank.com
• businessonline.tdbank.com
• /wcmpw/
• /wcmpr/
• /wcmtr/
• tcfexpressbusiness.com
• trz.tranzact.org