TROJ_QAKCFG.RAP

侵入方法

マルウェアは、以下の方法でコンピュータに侵入します。

• Dropped by a variant of the WORM_QAKBOT family

その他

このマルウェアのコードから、マルウェアは、以下の機能を備えています。

• This is the general configuration file that is part of the QAKBOT package. Once decrypted, it typically contains the following information:
  
  • reference to the components and their corresponding random filenames in the system
  • IRC data
  • FTP hosts (upload sites)
  • infection log
• For this particular sample, the decrypted data as well as their description are below:
  
  • Component File References
  • alias__qbot.cb=olgaider.dll -> configuration file
  • alias__qbotinj.exe=olgaiderl.exe -> invokes explorer.exe to inject alias__qbot.dll to IEXPLORE.EXE thus, creating a hidden instance of IEXPLORE.EXE
  • alias__qbot.dll=olgaiderl.dll -> main component
  • alias_seclog.txt=olgaide.dll -> contains the log information
  • alias_si.txt=ordvdkq -> contains the system information
  • alias_ps_dump=azaoul45s -> contains the public storage dump
  • alias_qa.bin=ffgxipu -> package file which contains the components mentioned above
  • IRC Information
  • irc_ssl_server_port=16668
  • irc_pass=Zrmausakl1829997
  • irc_my_nick=wlhfcy485264
  • P2P Information
  • p2p_node_lst=http://{BLOCKED}1.in/cgi-bin/ls1.pl
  • FTP Upload Sites Including Usernames and Passwords
  • ftphost_1=77.221.134.75:agamain:qu5end8k:/.cpanel
  • ftphost_2=ftp.acmeinformation.com:{BLOCKED}s@acmeinformation.com:zubri51241:
  • ftphost_3=ftp.hunterscentral.com:{BLOCKED}er@hunterscentral.com:kolbasa25:
  • ftphost_4=s046.panelboxmanager.com:equipem1:4Y2V64b0dy67:/.last
  • Configuration File Version
  • update_conf_ver=856
  • Directory where the Malware is Installed
  • home_dir=c:\documents and settings\all users\application data\microsoft\olgaiderl
  • Time the Malware is Installed
  • install_time=12.16.46-17/02/2011