BKDR_QAKBOT.SME

This backdoor saves downloaded files into the said created folder.

Installation

This backdoor creates the following folders:

• %system Root%\All Users\_qbothome

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{Random Name} = ''%System Root%\Documents And Settings\All Users\_qbothome\_qbotinj.exe', '%System Root%\Documents And Settings\All Users\_qbothome\_qbot.dll', /c {Random application name}'

Process Termination

This backdoor terminates processes or services that contain any of the following strings if found running in the affected system's memory:

• webroot.
• agnitum
• ahnlab
• arcabit
• avast
• avg
• avira
• avp
• bitdefender
• bit9
• castlecops
• centralcommand
• clamav
• comodo
• computerassociates
• cpsecure
• defender
• drweb
• emsisoft
• esafe
• .eset
• etrust
• ewido
• fortinet
• f-prot
• f-secure
• gdata
• grisoft
• hacksoft
• hauri
• ikarus
• jotti
• k7computing
• kaspersky
• malware
• mcafee
• microsoft
• networkassociates
• nod32
• norman
• norton
• panda
• pctools
• prevx
• quickheal
• rising
• rootkit
• securecomputing
• sophos
• spamhaus
• spyware
• sunbelt
• symantec
• threatexpert
• trendmicro
• virus
• wilderssecurity
• windowsupdate

Download Routine

This backdoor downloads an updated copy of itself from the following website(s):

• http://{BLOCKED}ver.com.ua/cgi-bin/exhandler4.pl
• http://{BLOCKED}cn/cgi-bin/jl/jloader.pl?r=3d
• http://{BLOCKED}cdcdcdc2121cdsfdfd.com
• http://{BLOCKED}n/cgi-bin/jl/jloader.pl?
• http://{BLOCKED}n/1
• http://{BLOCKED}n/cgi-bin/jl/jloader.pl?r=q
• http://{BLOCKED}ver.com.ua/cgi-bin/ss.pl
• http://{BLOCKED}wthewhistle.com/cgi-bin/clientinfo3.pl

It saves downloaded files into the said created folder.

Other Details

This backdoor does the following:

• Sends the following information to inform the remote host of the infection:
  ext_ip
  dnsname
  hostname
  country
  state
  city
  user
  domain
  is_admin
  os
  time
  qbot_version
  install_time
• Monitors affected users' browsing habits specifically on websites that contains any of the following strings:
  cashproonline.bankofamerica.com
  singlepoint.usbank.com
  netconnect.bokf.com
  business-eb.ibanking-services.com
  cashproonline.bankofamerica.com
  /cashplus/
  ebanking-services.com
  /cashman/
  web-cashplus.com
  treas-mgt.frostbank.com
  business-eb.ibanking-services.com
  treasury.pncbank.com
  access.jpmorgan.com
  ktt.key.com
  onlineserv/CM
  premierview.membersunited.org
  directline4biz.com
  onb.webcashmgmt.com
  tmconnectweb
  moneymanagergps.com
  ibc.klikbca.com
  directpay.wellsfargo.com
  express.53.com
  itreasury.regions.com
  itreasurypr.regions.com
  cpw-achweb.bankofamerica.com
  businessaccess.citibank.citigroup.com
  businessonline.huntington.com
• Searches for information from the registry key:
  HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
  Which may include the following:
  Outlook Express passwords
  Internet Explorer AutoComplete passwords
  Internet Explorer Password-protected sites
• Download its configuration file from a certain site that contains FTP or IRC information used for its backdoor routine. It may open random ports where it connect to a remote server through the said FTP or IRC. Once the connection is established, the remote malicious user may then execute commands on the affected system.

NOTES:

The following component files are referenced in its code:

• alias__qbotinj.exe
• alias__qbot.cb
• alias__qbotnti.exe
• _qbotnti.exe
• _qbotinj.exe
• alias__qbot.dll
• _qbot.dll
• _qbotinj