
TrojanDownloader:JS/Qakbot.F


First posted on 27 November 2010.
Source: SecurityHome

Aliases :

TrojanDownloader:JS/Qakbot.F is also known as Trojan-Downloader.JS.Agent.frq (Kaspersky), Trj/QbotCfg.A (Panda), JS_DLOADER.OB (Trend Micro).

Explanation :

TrojanDownloader:JS/Qakbot.F is a JavaScript trojan that attempts to download and install Backdoor:Win32/Qakbot.gen!A.

Installation

In the wild, we have observed TrojanDownloader:JS/Qakbot.F being dropped by Backdoor:Win32/Qakbot.gen!A.

Payload

Downloads and executes arbitrary files

TrojanDownloader:JS/Qakbot.F sends download requests to a remote server and saves the files to the user's Temporary folder. Afterwards, it attempts to run the executable component.

It then attempts to connect to one of the following remote servers, beginning with the first listed, then continuing down the list until it is able to establish a connection:

  • adserv.co.in
  • up01.co.in
  • up02.co.in
  • up03.in
  • up003.com.ua

If a connection is successfully established with one of the remote servers listed above, TrojanDownloader:JS/Qakbot.F then attempts to download files using HTTP GET requests that follow the URL formats below, and saves them into the user's Temporary folder:

  • http://[remote server]/11 - This download is saved into a .DLL file in the user's Temporary folder using a randomly generated filename, for example, %TEMP%\<random alphanumeric characters>.dll
  • http://[remote server]/21 - This download is saved into a .EXE file in the user's Temporary folder using a randomly generated filename, for example, %TEMP%\<random alphanumeric characters>.exe

Both of these downloaded binaries are detected as Backdoor:Win32/Qakbot.gen!A. After these components are downloaded by TrojanDownloader:JS/Qakbot.F, it tries to execute the .EXE component (%TEMP%\<random alphanumeric characters>.exe) with a "/f" parameter.

Additional information

Code analysis indicates that TrojanDownloader:JS/Qakbot.F attempts to download the following file; however, due to a bug in the code that may or may not be intentional, this JavaScript component of Qakbot does not proceed with the download:

  • http://<remote server>/a

Based on the code, this download is supposed to be saved into a file in the user's Temporary folder using a randomly generated filename with the character "a" appended to it, for example, %TEMP%\<random alphanumeric characters>a.
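Detection logic for the download sequence described above, as an added example that is not part of the original write-up: it scans constructed proxy log lines (the log layout is an assumption for this example, not any product's format) for HTTP GET requests to the listed Qakbot.F servers and labels each hit by the URL path the description gives.

```python
import re

# Remote servers and URL paths taken from the Qakbot.F description above.
QAKBOT_F_HOSTS = {"adserv.co.in", "up01.co.in", "up02.co.in", "up03.in", "up003.com.ua"}
QAKBOT_F_PATHS = {
    "/11": "dll component (Backdoor:Win32/Qakbot.gen!A)",
    "/21": "exe component (Backdoor:Win32/Qakbot.gen!A)",
    "/a": "unused download (never completed because of the downloader's bug)",
}

# Assumed proxy log layout (constructed for this example): <timestamp> <client_ip> <method> <url> <status>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
URL_RE = re.compile(r"^https?://(?P<host>[^/:?#]+)(?::\d+)?(?P<path>/[^?#]*)?", re.IGNORECASE)

def classify_request(line):
    """Return a finding dict if the line is an HTTP GET to a Qakbot.F host, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    u = URL_RE.match(m["url"])
    if not u:
        return None
    host = u["host"].lower()
    if host not in QAKBOT_F_HOSTS or m["method"] != "GET":
        return None
    path = u["path"] or "/"
    return {
        "client": m["client"],
        "host": host,
        "path": path,
        "component": QAKBOT_F_PATHS.get(path, "unexpected path on a known Qakbot.F host"),
    }

def scan_proxy_log(lines):
    """Run classify_request over every line and keep the findings, in log order."""
    return [hit for hit in (classify_request(l) for l in lines) if hit]

# Constructed sample log: benign traffic plus the /11 then /21 download sequence.
SAMPLE_LOG = [
    "2010-11-27T10:00:01Z 10.0.0.5 GET http://www.example.com/index.html 200",
    "2010-11-27T10:00:02Z 10.0.0.5 GET http://adserv.co.in/11 200",
    "2010-11-27T10:00:03Z 10.0.0.5 GET http://adserv.co.in/21 200",
    "2010-11-27T10:00:04Z 10.0.0.7 POST http://up01.co.in/21 200",
    "2010-11-27T10:00:05Z 10.0.0.9 GET http://intranet.example.com/21 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['host']}{hit['path']}: {hit['component']}")
```

A single client fetching /11 followed by /21 from one of these hosts matches the full download sequence the description gives, so correlating hits per client is the useful follow-up.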

    Analysis by Gilou Tenebro

    Last update 27 November 2010
