TROJ_QBOT.DB
Windows 2000, Windows XP, Windows Server 2003
![](/vinfo/imgFiles/legend.jpg)
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan creates registry entries to enable its automatic execution at every system startup.
It deletes itself after execution.
TECHNICAL DETAILS
Installation
This Trojan adds the following folders:
- %User Profile%\Application Data\Microsoft\{Random}
(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)
It drops the following copies of itself into the affected system:
- %User Profile%\Application Data\Microsoft\{Random}\{Random}.exe
(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)
It adds the following possibly malicious files or file components:
- %User Profile%\APPLICATION DATA\MICROSOFT\{Random}\{Random}.dll
(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)
Autostart Technique
This Trojan adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{Random} = "%User Profile%\Application Data\Microsoft\{Random}\{Random}.exe"
It modifies the following registry entry(ies) to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
ctfmon.exe = "%User Profile%\Application Data\Microsoft\{Random}\{Random}.exe" /c %System%\ctfmon.exe"
(Note: The default value data of the said registry entry is "%System%\ctfmon.exe".)
It drops the following shortcut pointing to its copy in the User Startup folder to enable its automatic execution at every system startup:
- %User Startup%\{Random}.lnk
(Note: %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup.)
Other Details
This Trojan deletes itself after execution.