BKDR_QBOT.EL
Backdoor:Win32/Qakbot (Microsoft), Win32/Qbot.BB trojan (Eset), W32.Qakbot (Symantec)
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This backdoor drops the following files:
- %Windows%\Tasks\{random}.job
(Note: %Windows% is the Windows folder, which is usually C:\Windows.)
It drops the following copies of itself on the affected system:
- %User Profile%\Application Data\Microsoft\{random}\{random}.exe
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)
It creates the following folders:
- %User Profile%\Application Data\Microsoft\{random}
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)
Other Details
This backdoor connects to the following possibly malicious URLs:
- {BLOCKED}auskmt.pw
- {BLOCKED}theusas.org
- {BLOCKED}cmasn.net
- {BLOCKED}skdfasjdmtf.org
- {BLOCKED}psgrn.com
- {BLOCKED}tmaksjdo.net
- {BLOCKED}aqmi.net
- {BLOCKED}akyat.org
- {BLOCKED}hatdfsaf.net
- {BLOCKED}geyaihudmn.org
- {BLOCKED}ukahdmansgip.org
- {BLOCKED}fdnaetra.net
- http://{BLOCKED}oasset.{BLOCKED}ite.net/Repository/CampaignCreative/Campaign_16474/INSTREAMAD/KRWT0565H_Chili_Pot_Non-New.flv
- {BLOCKED}.{BLOCKED}.135.19:8080
- ajax.{BLOCKED}izzade.com