BKDR_QAKBOT.EOF

 Analysis by: jasperm

 PLATFORM:

Windows 2000, XP, Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This backdoor may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.

It sends the information it gathers to remote sites.

  TECHNICAL DETAILS

File Size:

Varies

File Type:

PE

Memory Resident:

No

Initial Samples Received Date:

14 Oct 2010

Arrival Details

This backdoor may be dropped by other malware.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This backdoor injects codes into the following process(es):

  • EXPLORER.EXE
  • IEXPLORE.EXE

Process Termination

This backdoor terminates the following services if found on the affected system:

  • webroot
  • agnitum
  • ahnlab
  • arcabit
  • avast
  • avg
  • avira
  • avp
  • bitdefender
  • bit9
  • castlecops
  • centralcommand
  • clamav
  • comodo
  • computerassociates
  • cpsecure
  • defender
  • drweb
  • emsisoft
  • esafe
  • eset
  • etrust
  • ewido
  • fortinet
  • f-prot
  • f-secure
  • gdata
  • grisoft
  • hacksoft
  • hauri
  • ikarus
  • jotti
  • k7computing
  • kaspersky
  • malware
  • mcafee
  • microsoft
  • networkassociates
  • nod32
  • norman
  • norton
  • panda
  • pctools
  • prevx
  • quickheal
  • rising
  • rootkit
  • securecomputing
  • sophos
  • spamhaus
  • spyware
  • sunbelt
  • symantec
  • threatexpert
  • trendmicro
  • virus
  • wilderssecurity
  • windowsupdate

It terminates the following processes if found running in the affected system's memory:

  • R&Q.exe
  • ccApp.exe
  • cmd.exe
  • ctfmon.exe
  • dbgview.exe
  • far.exe
  • mirc.exe
  • mmc.exe
  • msdev.exe
  • nc.exe
  • ollydbg.exe
  • outlook.exe
  • photoed
  • skype

Information Theft

This backdoor monitors the Internet Explorer (IE) activities of the affected system, specifically the address bar or title bar. It recreates a legitimate website with a spoofed login page if a user visits banking sites with the following strings in the address bar or title bar:

  • netconnect.bokf.com
  • business-eb.ibanking-services.com
  • cashproonline.bankofamerica.com
  • /cashplus/
  • ebanking-services.com
  • /cashman/
  • web-cashplus.com
  • treas-mgt.frostbank.com
  • business-eb.ibanking-services.com
  • treasury.pncbank.com
  • access.jpmorgan.com
  • ktt.key.com
  • onlineserv/CM
  • premierview.membersunited.org
  • directline4biz.com
  • onb.webcashmgmt.com
  • tmconnectweb
  • moneymanagergps.com
  • ibc.klikbca.com
  • directpay.wellsfargo.com
  • express.53.com
  • itreasury.regions.com
  • itreasurypr.regions.com
  • cpw-achweb.bankofamerica.com
  • businessaccess.citibank.citigroup.com
  • businessonline.huntington.com

It sends the information it gathers to remote sites.

Other Details

This backdoor does the following:

  • It requires other components to run properly.
  • This backdoor may be a part of a multicomponent malware that belongs to BKDR_QAKBOT family.
  • It may create an autostart registry entry to enable its automatic execution at system startup.
  • It sends the following information to its C&C server:
    ext_ip
    dnsname
    hostname
    country br>state
    city
    user
    domain
    is_admin
    os
    time
    qbot_version
    install_time
  • It may send the gathered information to the following Web sites where it can also download other component files:
    http://{BLOCKED}ver.com.ua/cgi-bin/ss.pl
    http://{BLOCKED}wthewhistle.com/cgi-bin/clientinfo3.pl
    http://www.{BLOCKED}cdc2121cdsfdfd.com
    http://{BLOCKED}n/cgi-bin/jl/jloader.pl
    http://{BLOCKED}cn/cgi-bin/jloader.pl
  • Based on its code, it is capable of connecting to a certain IRC server using a certain port and joins a channel where it receives commands from a malicious user.
  • Other component files may have the following names:
    crontab.cb
    updates98.cb
    alias_updates.cb
    updates.cb
    updates1.cb
    updates*_new.cb
    alias__qbot.cb
    alias__qbotnti.exe
    _qbotinj.exe
    _qbotnti.exe
    _qbot.dll
    alias__qbot.dll
    alias__qbotinj.exe
    alias__qbot.cb

  SOLUTION

Minimum Scan Engine:

8.900

VSAPI OPR PATTERN File:

7.539.80

VSAPI OPR PATTERN Date:

14 Oct 2010

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Scan your computer with your Trend Micro product to delete files detected as BKDR_QAKBOT.EOF. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.