Analysis by: Rhena Inocencio

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel: Propagates via network shares, Dropped by other malware, Downloaded from the Internet

This worm may be downloaded by other malware/grayware/spyware from remote sites.

It uses the Windows Task Scheduler to add a scheduled task that executes the copies it drops.

It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.

It modifies the Internet Explorer Zone Settings.

It prevents users from visiting antivirus-related websites that contain specific strings.

  TECHNICAL DETAILS

File Size: 225,280 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 25 Jan 2016

Arrival Details

This worm may arrive via network shares.

It may be downloaded by other malware/grayware/spyware from remote sites.

Installation

This worm drops the following copies of itself into the affected system and executes them:

  • %Application Data%\Microsoft\{random folder name}\{random file name}.exe

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following component file(s):

  • %Application Data%\Microsoft\{random folder}\{random file name}.dll - encrypted component
  • %Application Data%\Microsoft\{random folder}\{random file name}32.dll - encrypted configuration file
  • %Application Data%\Microsoft\{random file name}.wpl - Javascript component detected as JS_QAKBOT.SM1
  • %Windows%\Tasks\{GUID 2}.job (for Windows XP and below) - executes the Javascript component
    %System%\Tasks\{GUID 2} (for Windows Vista and above) - executes the Javascript component
  • %Windows%\Tasks\{GUID 1}.job (for Windows XP and below) - executes the dropped copy
    %System%\Tasks\{GUID 1} (for Windows Vista and above) - executes the dropped copy

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It uses the Windows Task Scheduler to add a scheduled task that executes the copies it drops.

It creates the following folders:

  • %Application Data%\Microsoft\{random folder}

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It injects codes into the following process(es):

  • explorer.exe

Autostart Technique

This worm registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{random key}
ImagePath = "%Application Data%\Microsoft\{random folder}\{random file name}.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{random key}
DisplayName = "Remote Procedure Call (RPC) Service"

It adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random name} = "%Application Data%\{random folder name}\{random filename}.exe"

It drops the following file(s) in the Windows Startup folder to enable its automatic execution at every system startup:

  • {random filename}.lnk

Propagation

This worm uses the following user name and password to gain access to password-protected shares:

  • Password
  • letmein
  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 1234567890
  • qwerty
  • iloveyou
  • princess
  • pussy
  • master
  • monkey
  • abc123
  • 99999999
  • 9999999
  • 999999
  • 99999
  • 88888888
  • 8888888
  • 888888
  • 88888
  • 77777777
  • 7777777
  • 777777
  • 77777
  • 66666666
  • 6666666
  • 666666
  • 66666
  • 55555555
  • 5555555
  • 555555
  • 55555
  • 44444444
  • 4444444
  • 444444
  • 44444
  • 33333333
  • 3333333
  • 333333
  • 33333
  • 22222222
  • 2222222
  • 222222
  • 22222
  • 11111111
  • 1111111
  • 111111
  • 11111
  • 00000000
  • 0000000
  • 00000
  • 0987654321
  • 987654321
  • 87654321
  • 7654321
  • 654321
  • 54321
  • super
  • secret
  • server
  • computer
  • owner
  • backup
  • database
  • lotus
  • oracle
  • business
  • manager
  • temporary
  • ihavenopass
  • nothing
  • nopassword
  • nopass
  • Internet
  • internet
  • example
  • sample
  • love123
  • boss123
  • work123
  • home123
  • mypc123
  • temp123
  • test123
  • qwe123
  • pw123
  • root123
  • pass123
  • pass12
  • pass1
  • admin123
  • admin12
  • admin1
  • password123
  • password12
  • password1
  • default
  • foobar
  • foofoo
  • temptemp
  • testtest
  • rootroot
  • zzzzz
  • xxxxx
  • qqqqq
  • aaaaa
  • intranet
  • controller
  • killer
  • games
  • private
  • market
  • coffee
  • cookie
  • forever
  • freedom
  • student
  • account
  • academia
  • files
  • windows
  • monitor
  • unknown
  • anything
  • letitbe
  • domain
  • access
  • money
  • campus
  • explorer
  • exchange
  • customer
  • cluster
  • nobody
  • codeword
  • codename
  • changeme
  • desktop
  • security
  • secure
  • public
  • system
  • shadow
  • office
  • supervisor
  • superuser
  • share
  • adminadmin
  • mypassword
  • mypass
  • Login
  • login
  • passwd
  • zxcvbn
  • zxcvb
  • zxccxz
  • zxcxz
  • qazwsxedc
  • qazwsx
  • q1w2e3
  • qweasdzxc
  • asdfgh
  • asdzxc
  • asddsa
  • asdsa
  • qweasd
  • qweewq
  • qwewq
  • nimda
  • administrator
  • Admin
  • admin
  • a1b2c3
  • 1q2w3e
  • 1234qwer
  • 1234abcd
  • 123asd
  • 123qwe
  • 123abc
  • 123321
  • 12321
  • 123123
  • James
  • Robert
  • Michael
  • William
  • David
  • Richard
  • Charles
  • Joseph
  • Thomas
  • Christopher
  • Daniel
  • Donald
  • George
  • Kenneth
  • Steven
  • Edward
  • Brian
  • Ronald
  • Anthony
  • Kevin
  • Patricia
  • Linda
  • Barbara
  • Elizabeth
  • Jennifer
  • Maria
  • Susan
  • Margaret
  • Dorothy
  • Nancy
  • Karen
  • Betty
  • Helen
  • Sandra
  • Donna
  • Carol
  • james
  • robert
  • michael
  • william
  • david
  • richard
  • charles
  • joseph
  • thomas
  • christopher
  • daniel
  • donald
  • george
  • kenneth
  • steven
  • edward
  • brian
  • ronald
  • anthony
  • kevin
  • patricia
  • linda
  • barbara
  • elizabeth
  • jennifer
  • maria
  • susan
  • margaret
  • dorothy
  • nancy
  • karen
  • betty
  • helen
  • sandra
  • donna
  • carol
  • baseball
  • dragon
  • football
  • mustang
  • superman
  • 696969
  • batman
  • trustno1

Backdoor Routine

This worm executes the following commands from a remote malicious user:

  • Download and execute component files
  • Download configuration and updates
  • Download updated copy of itself
  • Uninstall itself
  • Kill processes
  • Upload files containing stolen information
  • Perform FTP functionalities

It connects to the following websites to send and receive information:

  • http://{BLOCKED}sedkr.biz:443
  • http://{BLOCKED}gqoj.net:443
  • http://{BLOCKED}hhgzheqksxj.biz:443
  • http://{BLOCKED}oltxnorwhtqo.com:443
  • http://{BLOCKED}vsotsibqblhvkm.info:443

Process Termination

This worm terminates the following processes if found running in the affected system's memory:

  • msdev.exe
  • dbgview.exe
  • ollydbg.exe
  • ctfmon.exe
  • Proxifier.exe

Web Browser Home Page and Search Page Modification

This worm modifies the Internet Explorer Zone Settings.

Information Theft

This worm gathers the following data:

  • GeoIP locations
  • Browser c ookies
  • Flash cookies
  • System information
    • IP Address
    • DNS Name
    • Hostname
    • User Name
    • Domain
    • User Privilege
    • OS version
    • Network Interfaces (address, netmask and status)
  • Software installed
  • FTP, POP3, IMAP, SMTP, HTTPMail, NNTP Passwords
  • Outlook login credentials
  • Private keys from system certificates
  • Login credentials for certain websites
  • Internet sessions

Other Details

This worm connects to the following URL(s) to get the affected system's IP address:

  • www.ip-adress.com

It prevents users from visiting antivirus-related websites that contain the following strings:

  • siteadvisor.com
  • avgthreatlabs.com
  • safeweb.norton.com

NOTES:

Once gained access to network shares, it attempts to drop copies of itself to the following locations:

  • ADMIN$
  • C$

It prevents users from visiting antivirus-related websites that contain the following strings:

  • siteadvisor.com
  • avgthreatlabs.com
  • safeweb.norton.com

This backdoor connects to a certain IRC server using a specific port and joins a channel where it receives commands from a malicious user. It sends the following information to its C&C server:

  • ext_ip
  • dnsname
  • hostname
  • user
  • domain
  • is_admin
  • os
  • qbot_version
  • install_time
  • exe

It does not perform its intended routine if it is executed in the following Virtual Environments:

  • Virtual HD
  • VirtualProtect
  • VirtualBox
  • CWSandbox
  • VMWare

It sends stolen information to the following FTP servers using specific usernames and passwords to login:

  • {BLOCKED}9.{BLOCKED}5.{BLOCKED}4.60 (username: {BLOCKED}ager@{BLOCKED}ton1.com, password: {BLOCKED}S1)
  • {BLOCKED}0.{BLOCKED}7.{BLOCKED}0.203 (username: {BLOCKED}p@{BLOCKED}daily.com, password: {BLOCKED}e6)
  • {BLOCKED}9.{BLOCKED}5.{BLOCKED}4.60 (username: {BLOCKED}ager@{BLOCKED}ton1.com, password: {BLOCKED}cS1)
  • {BLOCKED}2.{BLOCKED}4.{BLOCKED}2.241 (username: {BLOCKED}min@{BLOCKED}ronics.com, password: {BLOCKED}QX)
  • {BLOCKED}0.{BLOCKED}7.{BLOCKED}0.203 (username: {BLOCKED}p@{BLOCKED}daily.com, password: {BLOCKED}Fe6)
  • {BLOCKED}1.{BLOCKED}4.{BLOCKED}8.240 (username: {BLOCKED}p@{BLOCKED}raphy.com, password: {BLOCKED}Xn)

It monitors the browsing activities of the infected computer and logs all information related to websites containing the following strings:

  • ine4biz.com
  • .webcashmgmt.com
  • tmconnectweb
  • moneymanagergps.com
  • ibc.klikbca.com
  • directpay.wellsfargo.com
  • express.53.com
  • ctm.53.com
  • itreasury.regions.com
  • itreasurypr.regions.com
  • cpw-achweb.bankofamerica.com
  • businessaccess.citibank.citigroup.com
  • businessonline.huntington.com
  • /cmserver/
  • goldleafach.com
  • iachwellsprod.wellsfargo.com
  • achbatchlisting
  • /achupload
  • commercial2.wachovia.com
  • commercial3.wachovia.com
  • commercial4.wachovia.com
  • wc.wachovia.com
  • commercial.wachovia.com
  • wcp.wachovia.com
  • chsec.wellsfargo.com
  • wellsoffice.wellsfargo.com
  • /ibws/
  • /stbcorp/
  • /payments/ach
  • trz.tranzact.org
  • /wiret
  • /payments/ach
  • cbs.firstcitizensonline.com
  • /corpach/
  • scotiaconnect.scotiabank.com
  • webexpress.tdbank.com
  • businessonline.tdbank.com
  • /wcmpw/
  • /wcmpr/
  • /wcmtr/
  • tcfexpressbusiness.com
  • trz.tranzact.org

  SOLUTION

Minimum Scan Engine: 9.800

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Remove malware/grayware files dropped/downloaded by WORM_QAKBOT.SMOT. (Note: Please skip this step if the threats listed below have already been removed.)

    • JS_QAKBOT.SM1

Step 4

Scan your computer with your Trend Micro product and note files detected as WORM_QAKBOT.SMOT

Step 5

Restart in Safe Mode

[ Learn More ]

Step 6

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

 
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random key}
    • ImagePath = "%Application Data%\Microsoft\{random folder}\{random file name}.exe"
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random key}
    • DisplayName = "Remote Procedure Call (RPC) Service"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • {random name} = "%Application Data%\{random folder name}\{random filename}.exe"

Step 7

Search and delete these files

[ Learn More ]
There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • %Application Data%\Microsoft\{random folder}\{random file name}.dll
  • %Application Data%\Microsoft\{random folder}\{random file name}32.dll
  • %Application Data%\Microsoft\{random file name}.wpl
  • %User Startup%\{random filename}.lnk

Step 8

Search and delete these folders

[ Learn More ]
Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result.
  • %Application Data%\Microsoft\{random folder}

Step 9

Deleting Scheduled Tasks

For Windows 2000, Windows XP, and Windows Server 2003:

  1. Open the Windows Scheduled Tasks. Click Start>Programs>Accessories>
    System Tools>Scheduled Tasks.
  2. Locate each task that has the following value in the Schedule column:
    • %Application Data%\Microsoft\{random folder}\{random file name}.exe
    • start /MIN C:\windows\system32\cscript.exe //E:javascript %Application Data%\Microsoft\{random folder}\{random file name}.{random exetension}
  3. Right-click on the said file(s) with the aforementioned value.
  4. Click on Properties. In the Run field, check for the following string:
    Cmd /c /rd /s /q C:
  5. If the said string is found, delete the task.

For Windows Vista, Windows 7, Windows Server 2008, Windows 8, Windows 8.1, and Windows Server 2012:

  1. Open the Windows Task Scheduler. To do this:
    • On Windows Vista, Windows 7, and Windows Server 2008, click Start, type taskschd.msc in the Search input field, then press Enter.
    • On Windows 8, Windows 8.1, and Windows Server 2012, right-click on the lower left corner of the screen, click Run, type taskschd.msc, then press Enter.
  2. In the left panel, click Task Scheduler Library.
  3. In the upper-middle panel, locate each task that has the value in the Triggers column:
    • %Application Data%\Microsoft\{random folder}\{random file name}.exe
    • start /MIN C:\windows\system32\cscript.exe //E:javascript %Application Data%\Microsoft\{random folder}\{random file name}.{random exetension}
  4. In the lower-middle panel, click the Actions tab. In the Details column, check for the following string:
    Cmd /c /rd /s /q C:
  5. If the said string is found, delete the task..

Step 10

Restart in normal mode and scan your computer with your Trend Micro product for files detected as WORM_QAKBOT.SMOT. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.