Analysis by: Michael Cabel
 PLATFORM:

Windows 2000, XP, Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

This backdoor saves downloaded files into the said created folder.

  TECHNICAL DETAILS

File Size: Varies
File Type: PE
Memory Resident: Yes
Initial Samples Received Date: 16 Nov 2010
Payload: Others, Compromises system security

Installation

This backdoor creates the following folders:

  • %system Root%\All Users\_qbothome

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{Random Name} = ''%System Root%\Documents And Settings\All Users\_qbothome\_qbotinj.exe', '%System Root%\Documents And Settings\All Users\_qbothome\_qbot.dll', /c {Random application name}'

Process Termination

This backdoor terminates processes or services that contain any of the following strings if found running in the affected system's memory:

  • webroot.
  • agnitum
  • ahnlab
  • arcabit
  • avast
  • avg
  • avira
  • avp
  • bitdefender
  • bit9
  • castlecops
  • centralcommand
  • clamav
  • comodo
  • computerassociates
  • cpsecure
  • defender
  • drweb
  • emsisoft
  • esafe
  • .eset
  • etrust
  • ewido
  • fortinet
  • f-prot
  • f-secure
  • gdata
  • grisoft
  • hacksoft
  • hauri
  • ikarus
  • jotti
  • k7computing
  • kaspersky
  • malware
  • mcafee
  • microsoft
  • networkassociates
  • nod32
  • norman
  • norton
  • panda
  • pctools
  • prevx
  • quickheal
  • rising
  • rootkit
  • securecomputing
  • sophos
  • spamhaus
  • spyware
  • sunbelt
  • symantec
  • threatexpert
  • trendmicro
  • virus
  • wilderssecurity
  • windowsupdate

Download Routine

This backdoor downloads an updated copy of itself from the following website(s):

  • http://{BLOCKED}ver.com.ua/cgi-bin/exhandler4.pl
  • http://{BLOCKED}cn/cgi-bin/jl/jloader.pl?r=3d
  • http://{BLOCKED}cdcdcdc2121cdsfdfd.com
  • http://{BLOCKED}n/cgi-bin/jl/jloader.pl?
  • http://{BLOCKED}n/1
  • http://{BLOCKED}n/cgi-bin/jl/jloader.pl?r=q
  • http://{BLOCKED}ver.com.ua/cgi-bin/ss.pl
  • http://{BLOCKED}wthewhistle.com/cgi-bin/clientinfo3.pl

It saves downloaded files into the said created folder.

Other Details

This backdoor does the following:

  • Sends the following information to inform the remote host of the infection:
    ext_ip
    dnsname
    hostname
    country
    state
    city
    user
    domain
    is_admin
    os
    time
    qbot_version
    install_time
  • Monitors affected users' browsing habits specifically on websites that contains any of the following strings:
    cashproonline.bankofamerica.com
    singlepoint.usbank.com
    netconnect.bokf.com
    business-eb.ibanking-services.com
    cashproonline.bankofamerica.com
    /cashplus/
    ebanking-services.com
    /cashman/
    web-cashplus.com
    treas-mgt.frostbank.com
    business-eb.ibanking-services.com
    treasury.pncbank.com
    access.jpmorgan.com
    ktt.key.com
    onlineserv/CM
    premierview.membersunited.org
    directline4biz.com
    onb.webcashmgmt.com
    tmconnectweb
    moneymanagergps.com
    ibc.klikbca.com
    directpay.wellsfargo.com
    express.53.com
    itreasury.regions.com
    itreasurypr.regions.com
    cpw-achweb.bankofamerica.com
    businessaccess.citibank.citigroup.com
    businessonline.huntington.com
  • Searches for information from the registry key:
    HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
    Which may include the following:
    Outlook Express passwords
    Internet Explorer AutoComplete passwords
    Internet Explorer Password-protected sites
  • Download its configuration file from a certain site that contains FTP or IRC information used for its backdoor routine. It may open random ports where it connect to a remote server through the said FTP or IRC. Once the connection is established, the remote malicious user may then execute commands on the affected system.

NOTES:

The following component files are referenced in its code:

  • alias__qbotinj.exe
  • alias__qbot.cb
  • alias__qbotnti.exe
  • _qbotnti.exe
  • _qbotinj.exe
  • alias__qbot.dll
  • _qbot.dll
  • _qbotinj

  SOLUTION

Minimum Scan Engine: 8.900
FIRST VSAPI PATTERN FILE: 7.631.80
FIRST VSAPI PATTERN DATE: 17 Nov 2010

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Restart in Safe Mode

[ Learn More ]

Step 3

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

 
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • {Random Name}=''%System Root%\Documents And Settings\All Users\_qbothome\_qbotinj.exe', '%System Root%\Documents And Settings\All Users\_qbothome\_qbot.dll', /c {Random application name}'

Step 4

Search and delete these folders

[ Learn More ]
Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result. %system Root%\All Users\_qbothome

Step 5

Restart in normal mode and scan your computer with your Trend Micro product for files detected as BKDR_QAKBOT.SME. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.

Related Malware