WORM_QAKBOT.QRZ

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It uses the default Windows folder icon to trick users into opening the file. Double-clicking the file executes this malware.

It retrieves specific information from the affected system.

It prevents users from visiting antivirus-related websites that contain specific strings.

Arrival Details

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system:

• %System Root%\Documents and Settings\All Users\Application Data\Microsoft\{random folder}\{random name}.exe

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It drops the following files:

• %System Root%\Documents and Settings\All Users\Application Data\Microsoft\{random folder}\{random name}.dll - encrypted configuration file detected as MAL_QAKCFG1

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It drops the following component file(s):

• %System Root%\Documents and Settings\All Users\Application Data\Microsoft\{random folder}\{random name}.dll - also detected as WORM_QAKBOT.QRZ

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It creates the following folders:

• %System Root%\Documents and Settings\All Users\Application Data\Microsoft\{random folder}

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It uses the default Windows folder icon to trick users into opening the file. Double-clicking the file executes this malware.

It is injected into the following processes running in memory:

• iexplore.exe
• explorer.exe

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{random name} = "%System Root%\Documents and Settings\All Users\Application Data\Microsoft\{random folder name}\{random file name}.exe"

It modifies the following registry entries to ensure it automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{legitimate application} = "%System Root%\Documents and Settings\All Users\Application Data\Microsoft\{random folder name}\{random file name}.exe /c {path and file name of legitimate application}"

(Note: The default value data of the said registry entry is {path and file name of legitimate application}.)

Propagation

This worm drops the following copy(ies) of itself in all removable drives:

• {random name}_Documents.exe

Download Routine

This worm connects to the following URL(s) to download its component file(s):

• {BLOCKED}omo.info
• {BLOCKED}01.in
• {BLOCKED}02.in
• {BLOCKED}te.info
• {BLOCKED}03.com.ua

Information Theft

This worm retrieves the following information from the affected system:

• Account name
• City
• Country
• IE password protected sites
• IE user names and passwords
• IP address
• MSN user name and password
• Operating system
• Outlook user name and password

Other Details

This worm prevents users from visiting antivirus-related websites that contain the following strings:

• .eset
• agnitum
• ahnlab
• arcabit
• avast
• avg
• avira
• avp
• bit9
• bitdefender
• castlecops
• centralcommand
• clamav
• comodo
• computerassociates
• cpsecure
• defender
• drweb
• emsisoft
• esafe
• etrust
• ewido
• f-prot
• f-secure
• fortinet
• gdata
• grisoft
• hacksoft
• hauri
• ikarus
• jotti
• k7computing
• kaspersky
• malware
• mcafee
• networkassociates
• nod32
• norman
• norton
• panda
• pctools
• prevx
• quickheal
• rising
• rootkit
• securecomputing
• sophos
• spamhaus
• spyware
• sunbelt
• symantec
• threatexpert
• trendmicro
• virus
• webroot.
• wilderssecurity
• windowsupdate

NOTES:

This worm's configuration file contains the following information:

• FTP hosts (upload sites)
• Infection log
• IRC data
• Reference to the components and their corresponding random file names on the system

It is capable of monitoring the browsing activities of the infected computer and logs all information related to finance-related websites containing the following strings:

• /achupload
• /cashman/
• /cashplus/
• /cmserver/
• /payments/ach
• /payments/ach
• /stbcorp/
• /wiret
• access.jpmorgan.com
• achbatchlisting
• business-eb.ibanking-services.com
• business-eb.ibanking-services.com
• businessaccess.citibank.citigroup.com
• businessonline.huntington.com
• cashproonline.bankofamerica.com
• cashproonline.bankofamerica.com
• cbs.firstcitizensonline.com
• chars01.ocm.suntrust.com
• chsec.wellsfargo.com
• commercial.wachovia.com
• commercial3.wachovia.com
• cpw-achweb.bankofamerica.com
• directline4biz.com
• directpay.wellsfargo.com
• ebanking-services.com
• express.53.com
• goldleafach.com
• iachwellsprod.wellsfargo.com
• ibc.klikbca.com
• itreasury.regions.com
• itreasurypr.regions.com
• ktt.key.com
• moneymanagergps.com
• netconnect.bokf.com
• onlineserv/CM
• premierview.membersunited.org
• singlepoint.usbank.com
• tmconnectweb
• treas-mgt.frostbank.com
• treasury.pncbank.com
• trz.tranzact.org
• tssportal.jpmorgan.com
• ub-businessonline.blilk.com
• wc.wachovia.com
• wcp.wachovia.com
• web-cashplus.com
• webcashmgmt.com

It does not continue its routine if its host process is any of the following:

• ctfmon.exe
• dbgview.exe
• mirc.exe
• msdev.exe
• ollydbg.exe

Rootkit Capabilities

This worm hides files, processes, and/or registry entries, including the following:

• _qbotinj.exe
• _qbotnti.exe
• iexplore.exe

It may also connect to IRC servers and receive commands from a remote user.