Analysis by: Cris Nowell Pantanilla
 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

This backdoor may be dropped by other malware. It arrives as a component bundled with malware/grayware packages. It may be unknowingly downloaded by a user while visiting malicious websites.

It sends the information it gathers to remote sites.

  TECHNICAL DETAILS

File Size: Varies
File Type: DLL
Memory Resident: No
Initial Samples Received Date: 05 Jul 2011

Arrival Details

This backdoor may be dropped by other malware.

It arrives as a component bundled with malware/grayware packages.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This backdoor injects codes into the following process(es):

  • EXPLORER.EXE
  • IEXPLORE.EXE

Process Termination

This backdoor terminates the following services if found on the affected system:

  • R&Q.exe
  • ccApp.exe
  • cmd.exe
  • ctfmon.exe
  • dbgview.exe
  • far.exe
  • mirc.exe
  • mmc.exe
  • msdev.exe
  • nc.exe
  • ollydbg.exe
  • outlook.exe
  • photoed
  • skype

Information Theft

This backdoor monitors the Internet Explorer (IE) activities of the affected system, specifically the address bar or title bar. It recreates a legitimate website with a spoofed login page if a user visits banking sites with the following strings in the address bar or title bar:

  • .webcashmgmt.com
  • /achupload
  • /cashman/
  • /cashplus/
  • /cmserver/
  • /corpach
  • /payments/ach
  • /stbcorp/
  • /wires/
  • /wiret
  • access.jpmorgan.com
  • achbatchlisting
  • business-eb.ibanking-services.com
  • businessaccess.citibank.citigroup.com
  • businessbankingcenter.synovus.com
  • businessinternetbanking.synovus.com
  • businessonline.huntington.com
  • cashproonline.bankofamerica.com
  • cbs.firstcitizensonline.com
  • chsec.wellsfargo.com
  • commercial.wachovia.com
  • commercial3.wachovia.com
  • cpw-achweb.bankofamerica.com
  • directline4biz.com
  • directpay.wellsfargo.com
  • each.bremer.com
  • ebanking-services.com
  • express.53.com
  • goldleafach.com
  • iachwellsprod.wellsfargo.com
  • ibc.klikbca.com
  • iris.sovereignbank.com
  • itreasury.regions.com
  • itreasurypr.regions.com
  • ktt.key.com
  • moneymanagergps.com
  • netconnect.bokf.com
  • ocm.suntrust.com
  • onlineserv/CM
  • otm.suntrust.com
  • paylinks.cunet.org
  • premierview.membersunited.org
  • securentrycorp.amegybank.com
  • singlepoint.usbank.com
  • tmconnectweb
  • treas-mgt.frostbank.com
  • treasury.pncbank.com
  • trz.tranzact.org
  • tssportal.jpmorgan.com
  • ub-businessonline.blilk.com
  • wc.wachovia.com
  • wcp.wachovia.com
  • web-cashplus.com
  • wellsoffice.wellsfargo.com

It sends the information it gathers to remote sites.

Other Details

Based on analysis of the codes, it has the following capabilities:

  • Connects to a certain IRC server using a certain port and joins a channel where it receives commands from a malicious user. It sends the following information to its C&C server:
    • ext_ip
    • dnsname
    • hostname
    • country
    • state
    • city
    • user
    • domain
    • is_admin
    • os
    • time
    • qbot_version
    • install_time

NOTES:
It prevents user from visiting antivirus related websites containing the following strings:

  • agnitum
  • ahnlab
  • arcabit
  • avast
  • avg
  • avira
  • avp
  • bit9
  • bitdefender
  • castlecops
  • centralcommand
  • clamav
  • comodo
  • computerassociates
  • cpsecure
  • defender
  • drweb
  • emsisoft
  • esafe
  • eset
  • etrust
  • ewido
  • f-prot
  • f-secure
  • fortinet
  • gdata
  • grisoft
  • hacksoft
  • hauri
  • ikarus
  • jotti
  • k7computing
  • kaspersky
  • malware
  • mcafee
  • microsoft
  • networkassociates
  • nod32
  • norman
  • norton
  • panda
  • pctools
  • prevx
  • quickheal
  • rising
  • rootkit
  • securecomputing
  • sophos
  • spamhaus
  • spyware
  • sunbelt
  • symantec
  • threatexpert
  • trendmicro
  • virus
  • webroot
  • wilderssecurity
  • windowsupdate

It may send the gathered information to the following Web sites where it can also download other component files:

  • {BLOCKED}omo.info
  • {BLOCKED}01.in
  • {BLOCKED}02.in
  • {BLOCKED}img.in
  • {BLOCKED}er.in
  • {BLOCKED}g.com.ua

This backdoor requires other components to run properly. Its other component files may have the following names:

  • _qbot.dll
  • _qbotinj.exe
  • _qbotnti.exe
  • alias__qbot.cb
  • alias__qbot.cb
  • alias__qbot.dll
  • alias__qbotinj.exe
  • alias__qbotnti.exe
  • alias_updates.cb
  • crontab.cb
  • updates*_new.cb
  • updates.cb
  • updates1.cb
  • updates98.cb

It may be a part of a multicomponent malware that belongs to BKDR_QAKBOT family.

  SOLUTION

Minimum Scan Engine: 8.900
FIRST VSAPI PATTERN FILE: 8.268.03
FIRST VSAPI PATTERN DATE: 05 Jul 2011

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Scan your computer with your Trend Micro product to delete files detected as BKDR_QBOT.CL. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.