TSPY_QAKBOT
Qakbot, Qbot
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Spyware
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
QAKBOT malware are worms, Trojans, and backdoors known to spread through network shares, software vulnerabilities, or removable drives. Some variants may be downloaded from malicious sites serving malware. QAKBOT was first spotted in 2007.
Its main function is to steal information, primarily information related to financial institutions. It also steals system information, user names and passwords saved in cookies and browsers, and credentials used in instant messaging applications. It carries out this theft by monitoring browsing activity and by monitoring files related to browsers and instant messaging programs.
Apart from its information theft routines, some QAKBOT variants may connect to particular Internet Relay Chat (IRC) servers to receive and execute commands on affected computers. When running on a system, some QAKBOT malware are capable of blocking access to antivirus-related sites. It may also hide its components as part of its rootkit capabilities.
TECHNICAL DETAILS
Installation
This spyware drops the following files:
- %System Root%\Documents and Settings\All Users\Application Data\Microsoft\{random folder name}\{random file name}.dll
- %System Root%\Documents and Settings\All Users\Application Data\Microsoft\{random folder name}\{random file name1}.dll
- %System Root%\Documents and Settings\All Users\Application Data\Microsoft\{random folder name}\{random file name2}.dll
- %System Root%\Documents and Settings\All Users\Microsoft\{random folder name}\{random file name}.dll
- %System Root%\Documents and Settings\All Users\Microsoft\{random folder name}\{random file name1}.dll
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
It drops the following copies of itself into the affected system:
- %System Root%\Documents and Settings\All Users\Application Data\Microsoft\{random folder name}\{random file name}.exe
- %System Root%\Documents and Settings\All Users\Microsoft\{random folder name}\{random file name}.exe
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
It creates the following folders:
- %System Root%\Documents and Settings\All Users\Application Data\Microsoft\{random folder name}
- %System Root%\Documents and Settings\All Users\Microsoft\{random folder name}
- %System Root%\Documents and Settings\All Users\Application Data\Microsoft\{random folder name}\u
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
Autostart Technique
This spyware adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
{random characters} = "%System Root%\Documents and Settings\All Users\Application Data\Microsoft\{random folder name}\{random file name}.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
{random characters} = "%System Root%\Documents and Settings\All Users\Microsoft\{random characters}\{random characters}.exe"
It modifies the following registry entry to ensure its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
{legitimate application} = ""%System Root%\Documents and Settings\All Users\Application Data\Microsoft\{random folder name}\{random file name}.exe" /c {path and file name of legitimate application}"
(Note: The default value data of the said registry entry is {path and file name of legitimate application}.)
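The autostart technique above leaves two recognisable patterns in the Run key: a value whose program lives in a randomly named folder under All Users\Application Data\Microsoft (or All Users\Microsoft), and a legitimate application's value rewritten so that such a program runs first and re-launches the original with a /c argument. The following added example (not code from this entry or from the malware) audits a list of Run values for both patterns. The sample values, folder and file names are constructed for illustration and do not come from any real system.

```python
import re
from typing import NamedTuple, Optional

# Drop location described in the write-up: a random folder and .exe under
# "All Users\Application Data\Microsoft" or "All Users\Microsoft".
# Matched case-insensitively against the executable path alone.
DROP_LOCATION = re.compile(
    r"\\documents and settings\\all users\\(?:application data\\)?microsoft\\"
    r"[^\\]+\\[^\\]+\.exe$",
    re.IGNORECASE,
)

# Splits a Run value into its executable (optionally quoted) and trailing arguments.
COMMAND_LINE = re.compile(r'^\s*(?:"(?P<q>[^"]+)"|(?P<u>\S+))\s*(?P<args>.*)$', re.DOTALL)


class Finding(NamedTuple):
    name: str               # Run value name
    executable: str         # program that actually starts at logon
    kind: str               # "direct" or "wrapper"
    wrapped: Optional[str]  # legitimate program re-launched via /c, if any


def classify_run_value(name: str, data: str) -> Optional[Finding]:
    """Return a Finding if the value points at the drop location, else None."""
    m = COMMAND_LINE.match(data)
    if not m:
        return None
    exe = m.group("q") or m.group("u")
    args = m.group("args").strip()
    if not DROP_LOCATION.search(exe):
        return None
    # "{dropped exe}" /c {legitimate application}: the original value was rewritten
    # so the dropped file runs first and then starts the legitimate program.
    wm = re.match(r'^/c\s+"?(?P<target>[^"]+?)"?\s*$', args, re.IGNORECASE)
    if wm:
        return Finding(name, exe, "wrapper", wm.group("target"))
    return Finding(name, exe, "direct", None)


def audit_run_values(values):
    """values: iterable of (value name, value data) pairs exported from the Run key."""
    return [f for f in (classify_run_value(n, d) for n, d in values) if f]


# Constructed sample of HKLM\...\Run values modelled on the entry's description.
SAMPLE_RUN_VALUES = [
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("Adobe Reader Speed Launcher",
     r'"C:\Documents and Settings\All Users\Application Data\Microsoft\ajqsdk\pqmwlr.exe"'
     r' /c "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"'),
    ("zxtquvh",
     r'"C:\Documents and Settings\All Users\Application Data\Microsoft\ajqsdk\pqmwlr.exe"'),
    ("kfcq", r'"C:\Documents and Settings\All Users\Microsoft\bqwec\owsta.exe"'),
    ("SunJavaUpdateSched", r'"C:\Program Files\Java\jre6\bin\jusched.exe"'),
]

if __name__ == "__main__":
    for f in audit_run_values(SAMPLE_RUN_VALUES):
        extra = f" (wraps {f.wrapped})" if f.wrapped else ""
        print(f"{f.kind:7} {f.name}: {f.executable}{extra}")
```

On a live host the pairs would come from a registry export of the Run key (the `reg export` output or an equivalent); the wrapper finding is the more important one, since the value name still looks like the legitimate application and the original command line can be recovered from the /c argument when restoring the entry.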
Other Details
This spyware connects to the following possibly malicious URLs:
- {BLOCKED}.{BLOCKED}.134.75
- {BLOCKED}v.co.in
- {BLOCKED}1.in
- {BLOCKED}omo.info
- {BLOCKED}1.in
- {BLOCKED}2.in
- ftp.{BLOCKED}formation.com
- ftp.{BLOCKED}central.com
- {BLOCKED}ver.com.ua
- s046.{BLOCKED}xmanager.com
- {BLOCKED}te.info
- {BLOCKED}3.com.ua