Analysis by: Roland Marco Dela Paz

 PLATFORM:

Windows 2000, XP, Server 2003


  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

This Trojan may be dropped by other malware.

It requires its main component to successfully perform its intended routine.

  TECHNICAL DETAILS

File Size: Varies
File Type: DLL
Memory Resident: No
Initial Samples Received Date: 07 Oct 2010
Payload: Downloads files, Terminates processes

Arrival Details

This Trojan may be dropped by the following malware:

  • BKDR_QBOT family

Installation

This Trojan adds the following mutexes to ensure that only one of its copies runs at any one time:

  • ~e198ac781b.tmp
  • ~e439125sl.tmp

Other System Modifications

This Trojan adds the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
{default} =

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce
{default} =

Other Details

This Trojan requires its main component to successfully perform its intended routine.

It does the following:

  • It exports backdoor functionalities used by its main component.
  • It exports the following functions:
    notify C&C server on the malware's installation status and bot information (version, install date and time)
    search for specific directories
    download updated copy of the malware
    download other components
    download and execute other possibly malicious files
    create scheduled tasks
    get system information
    get IP address
    uninstall itself
    create/terminate processes
    collect internet certificates
    perform FTP and IRC commands
  • It terminates processes whose names contain any of the following strings:
    msdev.exe
    dbgview.exe
    mirc.exe
    ollydbg.exe
    ccApp.exe
    skype
    R&Q.exe
    photoed
    outlook.exe
    mmc.exe
    ctfmon.exe
  • It prevents users from visiting sites with any of the following strings in the address bar:
    webroot
    agnitum
    ahnlab
    arcabit
    avast
    avg
    avira
    avp
    bitdefender
    bit9
    castlecops
    centralcommand
    clamav
    comodo
    computerassociates
    cpsecure
    defender
    drweb
    emsisoft
    esafe
    eset
    etrust
    ewido
    fortinet
    f-prot
    f-secure
    gdata
    grisoft
    hacksoft
    hauri
    ikarus
    jotti
    k7computing
    kaspersky
    malware
    mcafee
    microsoft
    networkassociates
    nod32
    norman
    norton
    panda
    pctools
    prevx
    quickheal
    rising
    rootkit
    securecomputing
    sophos
    spamhaus
    spyware
    sunbelt
    symantec
    threatexpert
    trendmicro
    virus
    wilderssecurity
    windowsupdate
  • It opens and executes commands in the following processes:
    cmd.exe
    far.exe
    nc.exe
  • It steals information whenever an infected user visits a website with any of the following strings in its address:
    cashproonline.bankofamerica.com
    /cashplus/
    ebanking-services.com
    /cashman/
    web-cashplus.com
    treas-mgt.frostbank.com
    business-eb.ibanking-services.com
    treasury.pncbank.com
    access.jpmorgan.com
    ktt.key.com
    onlineserv/CM
    premierview.membersunited.org
    directline4biz.com
    onb.webcashmgmt.com
    tmconnectweb
    moneymanagergps.com
    ibc.klikbca.com
    directpay.wellsfargo.com
    express.53.com
    itreasury.regions.com
    itreasurypr.regions.com
    cpw-achweb.bankofamerica.com
    businessaccess.citibank.citigroup.com
    businessonline.huntington.com
  • It connects to the following sites to send and receive information, download updates, and download other possibly malicious files:
    http://{BLOCKED}wthewhistle.com/cgi-bin/clientinfo3.pl
    http://www.{BLOCKED}cdc2121cdsfdfd.com
    http://{BLOCKED}wthewhistle.com/cgi-bin/clientinfo3.pl
    http://{BLOCKED}rver.com.ua/cgi-bin/exhandler4.pl
    http://{BLOCKED}2.cn/cgi-bin/jl/jloader.pl?r=3d
    http://{BLOCKED}ver.com.ua/cgi-bin/ss.pl
    {BLOCKED}ver.com.ua:31666
    {BLOCKED}v.co.in
    {BLOCKED}04.cn
    {BLOCKED}01.co.in
    {BLOCKED}2.co.in
    {BLOCKED}3.in
    {BLOCKED}03.com.ua
  • It steals sensitive information such as usernames and passwords from the following:
    Windows Address Book
    Protected Storage
    Internet Account Manager
    Active Directory - Bigfoot, VeriSign, and WhoWhere
  • It may also connect to the following sites:
    search.msn.com
    .hotbar.com
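The indicator lists above are easier to use in triage when they are data rather than prose. The following is an added example (not Trend Micro's code and not the Trojan's) that encodes the page's mutex names, Run/Runonce keys, process-termination substrings, blocked-site substrings and targeted-banking substrings, and evaluates a constructed host snapshot and a few constructed URLs against them. Case-insensitive matching, the `HostSnapshot` structure and the sample value data are assumptions, not facts from the page; the C&C hosts are omitted because they appear here only in {BLOCKED} form.

```python
"""Triage helper for the TROJ_QBOT.TX indicators on this page (added example).

Assumptions: matching is case-insensitive (the page only says "strings in it"),
and the HostSnapshot layout below is what a collection script would hand over.
"""
from dataclasses import dataclass

# Mutex names created at installation.
MUTEXES = frozenset({"~e198ac781b.tmp", "~e439125sl.tmp"})

# Autostart keys whose (default) value the Trojan sets.
PERSISTENCE_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce",
)

# Substrings that get a running process terminated (debuggers, AV, mail, MMC).
KILL_SUBSTRINGS = (
    "msdev.exe", "dbgview.exe", "mirc.exe", "ollydbg.exe", "ccApp.exe",
    "skype", "R&Q.exe", "photoed", "outlook.exe", "mmc.exe", "ctfmon.exe",
)

# Address-bar substrings the Trojan blocks (vendor, research and update sites).
BLOCKED_SITE_SUBSTRINGS = (
    "webroot", "agnitum", "ahnlab", "arcabit", "avast", "avg", "avira", "avp",
    "bitdefender", "bit9", "castlecops", "centralcommand", "clamav", "comodo",
    "computerassociates", "cpsecure", "defender", "drweb", "emsisoft", "esafe",
    "eset", "etrust", "ewido", "fortinet", "f-prot", "f-secure", "gdata",
    "grisoft", "hacksoft", "hauri", "ikarus", "jotti", "k7computing",
    "kaspersky", "malware", "mcafee", "microsoft", "networkassociates", "nod32",
    "norman", "norton", "panda", "pctools", "prevx", "quickheal", "rising",
    "rootkit", "securecomputing", "sophos", "spamhaus", "spyware", "sunbelt",
    "symantec", "threatexpert", "trendmicro", "virus", "wilderssecurity",
    "windowsupdate",
)

# Address substrings that trigger information theft (business-banking portals).
TARGETED_SITE_SUBSTRINGS = (
    "cashproonline.bankofamerica.com", "/cashplus/", "ebanking-services.com",
    "/cashman/", "web-cashplus.com", "treas-mgt.frostbank.com",
    "business-eb.ibanking-services.com", "treasury.pncbank.com",
    "access.jpmorgan.com", "ktt.key.com", "onlineserv/CM",
    "premierview.membersunited.org", "directline4biz.com",
    "onb.webcashmgmt.com", "tmconnectweb", "moneymanagergps.com",
    "ibc.klikbca.com", "directpay.wellsfargo.com", "express.53.com",
    "itreasury.regions.com", "itreasurypr.regions.com",
    "cpw-achweb.bankofamerica.com", "businessaccess.citibank.citigroup.com",
    "businessonline.huntington.com",
)


def _matches(text, needles):
    low = text.lower()
    return any(n.lower() in low for n in needles)


def processes_at_risk(running):
    """Process names from `running` that the termination rule would hit."""
    return [p for p in running if _matches(p, KILL_SUBSTRINGS)]


def classify_url(url):
    """Set of labels: 'blocked' (site access denied), 'targeted' (data theft)."""
    labels = set()
    if _matches(url, BLOCKED_SITE_SUBSTRINGS):
        labels.add("blocked")
    if _matches(url, TARGETED_SITE_SUBSTRINGS):
        labels.add("targeted")
    return labels


@dataclass
class HostSnapshot:
    """Constructed host inventory, as a collection script might return it."""
    mutexes: set          # mutex names currently held on the host
    run_key_defaults: dict  # key path -> data in its (default) value ("" if unset)
    processes: list       # running process image names


def triage(snap):
    """One finding string per host-side indicator that fires."""
    findings = [f"mutex present: {m}" for m in sorted(MUTEXES & snap.mutexes)]
    for key in PERSISTENCE_KEYS:
        data = snap.run_key_defaults.get(key, "")
        # Legitimate autoruns use named values, so a populated (default)
        # value under Run/Runonce is itself worth flagging.
        if data:
            findings.append(f"persistence: {key} (default) = {data}")
    findings += [f"process would be terminated: {p}"
                 for p in processes_at_risk(snap.processes)]
    return findings


# Constructed sample: one Trojan mutex, a populated Run (default) value
# (placeholder path, not from the page), a debugger and Skype running.
SAMPLE = HostSnapshot(
    mutexes={"~e198ac781b.tmp", "Global\\SomeLegitimateApp"},
    run_key_defaults={PERSISTENCE_KEYS[0]: r"C:\PLACEHOLDER\dropped.dll"},
    processes=["explorer.exe", "OLLYDBG.EXE", "Skype.exe", "notepad.exe"],
)

if __name__ == "__main__":
    for line in triage(SAMPLE):
        print(line)
    for u in ("http://www.windowsupdate.com/", "https://treasury.pncbank.com/login"):
        print(u, classify_url(u))
```

Two things the data makes visible: the block list is a plain substring match, so any address containing "microsoft" or "windowsupdate" is unreachable from an infected host, which means a machine that suddenly cannot load vendor or Windows Update pages is itself a symptom worth checking; and the target list mixes full hostnames with path fragments such as "/cashplus/", so proxy-log matching should be done on the whole URL, not the host alone.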

  SOLUTION

Minimum Scan Engine: 8.900
VSAPI OPR PATTERN File: 07.520.01
VSAPI OPR PATTERN Date: 07 Oct 2010

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Scan your computer with your Trend Micro product and note files detected as TROJ_QBOT.TX.

Step 3

Restart in Safe Mode


Step 4

Delete this registry key


Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how, or ask your system administrator for assistance. Otherwise, check this Microsoft article first before modifying your computer's registry. Before you can do this, you must restart in Safe Mode; for instructions on how to do this, you may refer to this page. If the preceding step requires you to restart in Safe Mode, you may proceed to edit the system registry.

  • In HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
    • Run
  • In HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
    • Runonce

Step 5

Search and delete the file detected as TROJ_QBOT.TX.

Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden files in the search result.

Step 6

Restart in normal mode and scan your computer with your Trend Micro product for files detected as TROJ_QBOT.TX. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
