Virus alert: Worm Qakbot

Worm Qakbot
Original issue date: January 06, 2010

It has been reported that Win32/Qakbot, an information-stealing worm, is
spreading widely. It spreads via network shares, opens a backdoor,
communicates with an IRC command and control server, and downloads and
installs additional malware on the compromised system.
Qakbot initially spreads by injecting malicious JavaScript into compromised
web pages; the script attempts to exploit the Microsoft Internet Explorer
ADODB.Stream object file installation weakness and the Apple QuickTime RTSP
URI remote buffer overflow (CVE-2007-0015). Once an exploit succeeds, it
downloads malicious files onto the computer.
The worm is also detected under the following names: Trojan.Spy.Shoe.B
(BitDefender), Win32/Qakbot!generic (CA), W32/Pinkslipbot (McAfee),
Trojan-Spy.Win32.Botinok.a (Kaspersky), Mal/Qbot-B (Sophos), W32.Qakbot
(Symantec), Backdoor.QBot.F (VirusBuster), Backdoor:Win32/Qbot.A (other),
TrojanSpy:Win32/Botinok (other).
Upon execution the worm:
Creates a folder at %Documents and Settings%\All Users\_qbothome and drops
the following files into it:
q1.{Number}, _qbot.cb, _qbot_installed, crontab.cb, seclog.kcb, seclog.txt,
si.cb, si.txt, updates.cb, updates_new.cb, updates_new.lst,
{Random}_{Number}.txt, {Random}_{Number}.cb

Modifies a legitimate autorun registry entry so that the worm is executed
when the system starts; the legitimate application's own command is kept
after the /c switch so that it still launches:
CurrentVersion\Run\"[LEGITIMATE APPLICATION NAME]" = "\"C:\Documents And
Settings\All Users\_qbothome\_qbotinj.exe\" \"C:\Documents And
Settings\All Users\_qbothome\_qbot.dll\" /c [PATH TO LEGITIMATE

Sends requests to a number of websites to check internet connectivity,
download additional malware and upload stolen information.

Attempts to steal the following information from protected storage areas,
the Windows address book, the Internet account manager and Active Directory:
IP address, DNS name, host name, domain name, country/state/city, username,
whether the user is an administrator, OS information, cookies, IE
password-protected sites (login names and passwords), IE AutoComplete forms,
MSN ID and password, Outlook account, email addresses and passwords

Terminates the following processes, a list that includes debuggers and
analysis tools (ollydbg.exe, dbgview.exe, msdev.exe, nc.exe) as well as
mail, chat and security software:
R&Q.exe, ccApp.exe, cmd.exe, ctfmon.exe, dbgview.exe, far.exe, mirc.exe,
mmc.exe, msdev.exe, nc.exe, ollydbg.exe, outlook.exe, photoed, skype

Some variants register themselves as a service with the service name
"_qbotinj" and the display name "Windows DNS client" (imitating the real
"DNS Client" service).

Creates a mutex with a name such as:
~agbdw28sjhisad3, ~e5d1417.tmp, ~e5d141a.tmp, ~e198ac781b.tmp,
~e439125sl.tmp, ~efd9452.tmp
In view of the rapid propagation of the Qakbot worm, users are advised to
implement the following countermeasures:
Search for the malicious files and registry entries created by the worm and
delete them; restore a modified autorun entry to the legitimate command that
follows /c rather than deleting the whole value, otherwise the legitimate
application will no longer start.
Install and maintain updated anti-virus software at the gateway and on
desktops.
Use NoScript, a Firefox extension that allows JavaScript, Java, Flash and
other plugins to run only on websites the user trusts (for Firefox users).
Use caution when opening attachments and accepting file transfers.
Disable autorun.
Keep up to date on patches and fixes for the operating system and the
vulnerabilities mentioned above.
Install and maintain a firewall at desktop level.
Block the IRC service and related ports if not required.
Use caution when clicking on links to web pages.
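The host indicators listed above (the dropped files under _qbothome, the rewritten Run entry that wraps a legitimate program after /c, and the _qbotinj service) and the first countermeasure (search for the worm's files and registry entries) can be checked mechanically. The following Python script is an added example; it is not part of the original advisory and not a vendor tool. It parses text collected on a suspect host with `reg query`, `dir /s /b` and `sc query` and reports which indicators match, so the analyst can see what to delete and what to restore. The sample host output embedded at the bottom is constructed for this example; the "ExampleUpdater" Run value and its updater.exe path are hypothetical, as is the q1.4711 file name.

```python
r"""Offline triage of the Qakbot indicators listed in the advisory above.

Feed it text collected on a suspect Windows host with
    reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"  (and HKCU)
    dir /s /b "C:\Documents and Settings\All Users"
    sc query
and it reports which registry, file and service indicators match.
The sample output at the bottom is constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Tuple

# Indicators taken from the advisory; all matching is case-insensitive.
QBOT_HOME_DIR = "_qbothome"
QBOT_LOADER = "_qbotinj.exe"
QBOT_DLL = "_qbot.dll"
QBOT_DROPPED = {"_qbot.cb", "_qbot_installed", "crontab.cb", "seclog.kcb",
                "seclog.txt", "si.cb", "si.txt", "updates.cb",
                "updates_new.cb", "updates_new.lst"}
QBOT_SERVICE_NAME = "_qbotinj"
QBOT_SERVICE_DISPLAY = "windows dns client"


@dataclass
class Finding:
    kind: str        # "run_key", "file" or "service"
    detail: str      # the matching registry value, path or service
    note: str = ""   # for run_key: the legitimate command the worm wrapped


# `reg query` prints each value as "    <name>    <REG_type>    <data>".
_REG_VALUE = re.compile(r"^\s{2,}(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*)$")


def parse_reg_query(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (value name, data) pairs from `reg query <key>` output."""
    for line in text.splitlines():
        m = _REG_VALUE.match(line)
        if m:
            yield m.group("name"), m.group("data")


def find_hijacked_run_entries(run_text: str) -> List[Finding]:
    """A Run value that launches _qbotinj.exe with _qbot.dll is the worm's
    rewritten autorun entry; the program it used to start follows ' /c '."""
    found = []
    for name, data in parse_reg_query(run_text):
        if QBOT_LOADER in data.lower() or QBOT_DLL in data.lower():
            _, sep, original = data.partition(" /c ")
            note = f"wrapped command: {original.strip()}" if sep else ""
            found.append(Finding("run_key", f"{name} = {data}", note))
    return found


def find_dropped_files(paths: Iterable[str]) -> List[Finding]:
    """Flag any path inside a _qbothome directory, plus the loader, the DLL
    and the named dropped files wherever they sit."""
    found = []
    for path in paths:
        parts = path.replace("/", "\\").lower().split("\\")
        base = parts[-1]
        if (QBOT_HOME_DIR in parts[:-1] or base in QBOT_DROPPED
                or base in (QBOT_LOADER, QBOT_DLL)):
            found.append(Finding("file", path))
    return found


def parse_sc_query(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (service name, display name) pairs from `sc query` output."""
    name = None
    for line in text.splitlines():
        if line.startswith("SERVICE_NAME:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("DISPLAY_NAME:") and name is not None:
            yield name, line.split(":", 1)[1].strip()
            name = None


def find_qbot_service(sc_text: str) -> List[Finding]:
    """The internal name _qbotinj is decisive; the display name 'Windows DNS
    client' merely imitates the real 'DNS Client' (Dnscache) service."""
    return [Finding("service", f"{name} ({display})")
            for name, display in parse_sc_query(sc_text)
            if name.lower() == QBOT_SERVICE_NAME
            or display.lower() == QBOT_SERVICE_DISPLAY]


def triage(run_text: str, paths: Iterable[str], sc_text: str) -> List[Finding]:
    """All indicators found on one host; an empty list means none matched."""
    return (find_hijacked_run_entries(run_text) + find_dropped_files(paths)
            + find_qbot_service(sc_text))


# --- constructed sample host output (not real captures) ---------------------
SAMPLE_RUN = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    ExampleUpdater    REG_SZ    "C:\Documents And Settings\All Users\_qbothome\_qbotinj.exe" "C:\Documents And Settings\All Users\_qbothome\_qbot.dll" /c "C:\Program Files\Example\updater.exe"
"""
SAMPLE_FILES = [
    r"C:\Documents and Settings\All Users\_qbothome\_qbot.dll",
    r"C:\Documents and Settings\All Users\_qbothome\seclog.txt",
    r"C:\Documents and Settings\All Users\_qbothome\q1.4711",
    r"C:\Documents and Settings\All Users\Application Data\notes.txt",
    r"C:\WINDOWS\system32\ctfmon.exe",
]
SAMPLE_SC = """
SERVICE_NAME: Dnscache
DISPLAY_NAME: DNS Client
        STATE              : 4  RUNNING

SERVICE_NAME: _qbotinj
DISPLAY_NAME: Windows DNS client
        STATE              : 4  RUNNING
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_RUN, SAMPLE_FILES, SAMPLE_SC):
        print(f"[{f.kind}] {f.detail}" + (f"  ({f.note})" if f.note else ""))
```

The run_key finding carries the wrapped command so that the Run value can be set back to it instead of being deleted; the file and service findings are what to remove. Names are matched case-insensitively because Windows paths and service names are.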
The information provided herein is on “as is” basis, without warranty of
any kind.

One thought on "Virus alert: Worm Qakbot"

  1. If infected and I have been logging into websites by typing my username and password on the keyboard, since I don’t keep passwords in the browser’s memory, should I be worried? Should I go change my passwords in the services I logged into recently?

