Virus alert: Worm Qakbot


Worm Qakbot
http://www.cert-in.org.in/virus/Worm_Qakbot.htm
Original issue date: January 06, 2010

It has been reported that Win32/Qakbot, an information-stealing worm, is
spreading widely. It spreads via network shares, opens a backdoor,
communicates with an IRC command-and-control server, and downloads and
installs additional malware on the compromised system.
Qakbot initially spreads via malicious JavaScript injected into compromised
web pages, which attempts to exploit the Microsoft Internet Explorer
ADODB.Stream Object File Installation Weakness and the Apple QuickTime RTSP
URI Remote Buffer Overflow (CVE-2007-0015) vulnerabilities. Once successful,
it downloads malicious files onto the computer.
Aliases:
Trojan.Spy.Shoe.B (BitDefender), Win32/Qakbot!generic (CA),
W32/Pinkslipbot (McAfee), Trojan-Spy.Win32.Botinok.a (Kaspersky),
Mal/Qbot-B (Sophos), W32.Qakbot (Symantec), Backdoor.QBot.F (VirusBuster),
Backdoor:Win32/Qbot.A (other), TrojanSpy:Win32/Botinok (other)
Upon execution the worm:
Creates a folder at %Documents and Settings%\All Users\_qbothome and drops
the following files there:
_qbotinj.exe, _qbotnti.exe, _qbot.dll, msadvapi32.dll,
q1.{Number}, _qbot.cb, _qbot_installed, crontab.cb,
seclog.kcb, seclog.txt, si.cb, si.txt, updates.cb,
updates\_new.cb, updates\_new.lst,
{Random}_{Number}.txt, {Random}_{Number}.cb,
{Random}_{Number}{Number}.cb, {Random}_{Number}.kcb, {Random}.kcb

Modifies a legitimate autorun registry entry so that the worm executes
when the system starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"[LEGITIMATE APPLICATION NAME]" = "\"C:\Documents And Settings\All Users
\_qbothome\_qbotinj.exe\" \"C:\Documents And Settings\All Users\_qbothome
\_qbot.dll\" /c [PATH TO LEGITIMATE APPLICATION]"
The value keeps its legitimate name and the original application's path is
passed after /c, so the program still starts and the entry looks benign
when listed by name alone.

Connects to the following websites to check internet connectivity,
download additional malware and upload stolen information (domain names
are partially redacted in the advisory):
a.r[removed]2.cn
c.r[removed]2.cn
a.a[removed]v.cn
a.n[removed]k.net
we[removed]or.biz
w1.we[removed]ctor.biz
cd[removed]2121cdsfdfd.com
ad[removed].co.in

Attempts to steal the following information from Protected Storage, the
Windows Address Book, the Internet Account Manager and Active Directory:
IP address, DNS name, host name, domain name, country/state/city, username,
whether the user is an administrator, OS information, cookies, credentials
for IE password-protected sites (login names and passwords), IE
AutoComplete form data, MSN ID and password, Outlook account, e-mail
addresses and passwords

Terminates the following processes:
R&Q.exe, ccApp.exe, cmd.exe, ctfmon.exe, dbgview.exe, far.exe, mirc.exe,
mmc.exe, msdev.exe, nc.exe, ollydbg.exe, outlook.exe, photoed, skype
Note that the list includes debuggers and analysis tools (dbgview.exe,
ollydbg.exe, msdev.exe, nc.exe) and a Symantec client component
(ccApp.exe), so the terminations also hinder investigation and protection.

Some variants register themselves as a service with the service name
"_qbotinj" and display name "Windows DNS client". The genuine DNS Client
service on Windows has the service name Dnscache, so a service with this
display name but a different service name is suspect.

Creates mutexes with names such as:
~agbdw28sjhisad3, ~e5d1417.tmp, ~e5d141a.tmp,
~e198ac781b.tmp, ~e439125sl.tmp, ~efd9452.tmp,
_installed
In view of the rapid propagation of the Qakbot worm, users are advised to
implement the following countermeasures:
Search for the malicious files and registry entries created by the worm and
delete them
Install and maintain updated anti-virus software at gateway and desktop
level
Firefox users: use NoScript, an extension that allows JavaScript, Java,
Flash and other plugins to run only on trusted websites of the user's choice
Use caution when opening attachments and accepting file transfers
Disable AutoRun
Keep the operating system up to date with patches and fixes, in particular
for the vulnerabilities mentioned above
Install and maintain a firewall at desktop level
Block the IRC service and related ports if not required
Use caution when clicking on links to web pages
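The following PowerShell script is an added example; it is not part of the
CERT-In advisory or of any vendor write-up. It performs a read-only triage of a
Windows host for the indicators listed above: the _qbothome drop folder, Run
values that reference _qbotinj.exe or _qbot.dll (and the original application
path they wrap after /c), the _qbotinj service or any other service that uses
the display name "Windows DNS client", and the mutex names. Assumptions beyond
the advisory: the drop folder is located through %ALLUSERSPROFILE%, which on
Windows XP/2003 resolves to C:\Documents and Settings\All Users (the
ProgramData path is tried as well for newer Windows versions); the HKCU Run
key is checked in addition to the HKLM key named above; mutexes are looked up
in the session-local namespace.

```powershell
# Added example, not from the CERT-In advisory: read-only triage for the
# Qakbot indicators listed above. Run in an elevated PowerShell session on the
# suspect host; it reports findings and deletes nothing.
$ErrorActionPreference = 'SilentlyContinue'
$findings = @()

# 1. Drop folder. %ALLUSERSPROFILE% resolves to
#    C:\Documents and Settings\All Users on XP/2003. The ProgramData path is
#    an assumption for later Windows versions, not something the advisory states.
$dropDirs = @("$env:ALLUSERSPROFILE\_qbothome", "$env:ProgramData\_qbothome") |
    Select-Object -Unique
foreach ($dir in $dropDirs) {
    if (Test-Path -LiteralPath $dir) {
        $findings += "Drop folder present: $dir"
        foreach ($f in (Get-ChildItem -LiteralPath $dir -Recurse -Force)) {
            $findings += "  $($f.FullName) ($($f.Length) bytes)"
        }
    }
}

# 2. Hijacked autorun entry. The worm rewrites a legitimate Run value to
#    "..\_qbotinj.exe" "..\_qbot.dll" /c <legitimate application>, so the
#    value name looks benign; match on the injector/DLL names instead.
#    HKCU is checked in addition to the HKLM key named in the advisory (assumption).
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    $values = Get-ItemProperty -Path $key
    if (-not $values) { continue }
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Value -is [string] -and $prop.Value -match '_qbotinj\.exe|_qbot\.dll') {
            $findings += "Hijacked Run value '$($prop.Name)' in $key"
            $findings += "  $($prop.Value)"
            # The path after /c is the program this entry originally started.
            if ($prop.Value -match '/c\s+(.+)$') {
                $findings += "  original application: $($Matches[1])"
            }
        }
    }
}

# 3. Service variant: service name _qbotinj, display name "Windows DNS client".
#    The genuine DNS Client service is named Dnscache, so any other service
#    carrying that display name is suspect.
$svc = Get-Service -Name '_qbotinj'
if ($svc) {
    $findings += "Service _qbotinj present (display '$($svc.DisplayName)', status $($svc.Status))"
}
$lookalikes = Get-WmiObject -Class Win32_Service -Filter "DisplayName='Windows DNS client'" |
    Where-Object { $_.Name -ne 'Dnscache' }
foreach ($s in $lookalikes) {
    $findings += "Service $($s.Name) uses the DNS Client display name: $($s.PathName)"
}

# 4. Mutexes. OpenExisting succeeds only while some process keeps the mutex
#    open, so a hit means the worm is running now; a dormant infection shows
#    nothing here. Names are looked up in the session-local namespace (assumption).
$mutexNames = @('~agbdw28sjhisad3', '~e5d1417.tmp', '~e5d141a.tmp',
                '~e198ac781b.tmp', '~e439125sl.tmp', '~efd9452.tmp', '_installed')
foreach ($name in $mutexNames) {
    try {
        $mx = [System.Threading.Mutex]::OpenExisting($name)
        $findings += "Mutex held: $name"
        $mx.Close()
    } catch {
        # WaitHandleCannotBeOpenedException: mutex not present, nothing to report
    }
}

if ($findings.Count -eq 0) { 'No Qakbot indicators found.' } else { $findings }
```

Any hit should trigger full remediation of the host rather than deletion of the
reported item alone, since the worm re-downloads components from its
command-and-control servers; conversely, an empty mutex result proves nothing
on its own, because the mutex check only detects a worm that is running at the
time of the scan.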
References
http://www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99&tabid=2
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fQakbot.gen!A
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_QAKBOT.AF&VSect=T
http://vil.nai.com/vil/content/v_141235.htm
http://www.symantec.com/connect/blogs/qakbot-data-thief-unmasked-part-ii
http://www.symantec.com/connect/blogs/qakbot-data-thief-unmasked-part-i
Disclaimer
The information provided herein is on an "as is" basis, without warranty of
any kind.