
Backdoor:Win32/Qakbot.C


First posted on 09 November 2017.
Source: Microsoft

Aliases:

There are no other names known for Backdoor:Win32/Qakbot.C.

Explanation:

Backdoor:Win32/Qakbot.C is a trojan backdoor that connects to a remote server, allowing an attacker to access the infected system. This backdoor trojan can perform several actions, including stealing user information and logging user keystrokes.

Installation

Backdoor:Win32/Qakbot.C may be downloaded and installed by other malware. It may be hosted on a number of malicious Web sites as the following file:

http:///cgi-bin/jl/jloader.pl?u=u/_qbotinj.exe

Upon execution, it creates the mutex '_qbot.*' to ensure that only one instance of itself is running. Backdoor:Win32/Qakbot.C creates the following files, which are also detected as Backdoor:Win32/Qakbot.C or as Backdoor:Win32/Qakbot.C!dll:

  • %ALLUSERSPROFILE%\_qbothome\_qbotinj.exe
  • %ALLUSERSPROFILE%\_qbothome\_qbotnti.exe
  • %ALLUSERSPROFILE%\_qbothome\_qbot.dll
  • %ALLUSERSPROFILE%\_qbothome\q1.
where is a random number.

The registry is commonly modified to execute one of the backdoor components at each Windows start, for example:

Modifies value: ""
With data: ""%ALLUSERSPROFILE%\_qbothome\_qbotinj.exe" "%ALLUSERSPROFILE%\_qbothome\_qbot.dll" /c """
To subkey: HKLM\Microsoft\Windows\CurrentVersion\Run

where is the name of a legitimate program and is the legitimate data for that particular program in the registry.

This trojan also creates a batch script pointing to the installed copy of Win32/Qakbot.C as the following file:

%USERPROFILE%\Start Menu\Programs\Startup\startup.bat

When Windows starts, 'startup.bat' executes Win32/Qakbot.C.
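As an added example (not part of the Microsoft write-up), the following Python check applies the persistence indicators from this section to constructed sample data: Run-key values whose data launches _qbotinj.exe with _qbot.dll as its argument and a /c switch wrapping a legitimate program's original command line, and a startup.bat in the Startup folder. The value names, user name and file paths in the samples are constructed placeholders; on a live host the same two functions would be fed from registry and directory enumeration.

```python
"""Added example: match the Qakbot.C persistence artifacts described above
against constructed sample data (no live registry or filesystem access)."""
import re

# Constructed sample of (value name, value data) pairs as they might be read
# from the Run key. Value names and paths are placeholders, not from the page.
SAMPLE_RUN_VALUES = [
    ("SunJavaUpdateSched",
     r'"C:\Program Files\Java\jre\bin\jusched.exe"'),
    ("Adobe Reader Speed Launcher",
     r'"C:\ProgramData\_qbothome\_qbotinj.exe" "C:\ProgramData\_qbothome\_qbot.dll" '
     r'/c "C:\Program Files\Adobe\Reader\reader_sl.exe"'),
    ("OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

# Constructed sample listing of a per-user Startup folder.
SAMPLE_STARTUP_FILES = [
    r"C:\Users\alice\Start Menu\Programs\Startup\desktop.ini",
    r"C:\Users\alice\Start Menu\Programs\Startup\startup.bat",
]

# Shape of the hijacked Run value from the write-up: the injector is started
# with the DLL as its first argument, and /c carries the legitimate program's
# original command line so the hijacked entry still appears to work normally.
RUN_DATA_RE = re.compile(
    r'^"(?P<inj>[^"]*\\_qbothome\\_qbotinj\.exe)"\s+'
    r'"(?P<dll>[^"]*\\_qbothome\\_qbot\.dll)"\s+/c\s+(?P<orig>.+)$',
    re.IGNORECASE,
)


def suspicious_run_values(values):
    """Return (value name, injector path, wrapped original command) for every
    Run value whose data matches the hijack pattern."""
    hits = []
    for name, data in values:
        m = RUN_DATA_RE.match(data.strip())
        if m:
            hits.append((name, m.group("inj"),
                         m.group("orig").strip().strip('"')))
    return hits


def suspicious_startup_files(paths):
    """Return Startup-folder entries named startup.bat, the launcher the
    write-up describes."""
    return [p for p in paths
            if p.lower().endswith(r"\programs\startup\startup.bat")]


if __name__ == "__main__":
    for name, inj, orig in suspicious_run_values(SAMPLE_RUN_VALUES):
        print(f"Run value {name!r} hijacked: {inj} wraps {orig}")
    for p in suspicious_startup_files(SAMPLE_STARTUP_FILES):
        print(f"Startup launcher found: {p}")
```

The value name is deliberately not part of the match: the write-up says the backdoor reuses the name of a legitimate program, so the signal is the shape of the data (injector, DLL, /c plus the original command line), not the name under which it is stored. The wrapped original command is returned so a responder can see which legitimate autostart entry was hijacked and restore it.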

Payload

Allows remote access and control
Backdoor:Win32/Qakbot.C attempts to connect to a remote server to receive command instructions from an attacker. Commands could include any of the following actions:
  • Log keystrokes
  • Gather the host's IP address and name
  • Steal cookies and certificates
  • Monitor browser Favorites and visited URLs
  • Steal passwords from Internet Explorer, MSN Messenger, and Outlook
  • Steal Autocomplete information, if available
Some of the observed remote servers this backdoor connects to are the following:
  • zurnretail.com
  • hostrmeter.com
  • cdcdcdcdc2121cdsfdfd.com
Downloads other malware
Win32/Qakbot.C attempts to download additional files or updates from predefined remote servers. Updates may be requested as password-protected ZIP archives. In the wild, this trojan has been observed to request an update as 'qa.zip' from a malicious Web site. It also downloads configuration files with file names such as the following:
  • _qbot.cb
  • crontab.cb
  • si.cb
  • updates.cb
  • updates1.cb
  • updates98.cb
  • updates_new.cb
  • updates_.cb
where is a random string.
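As an added example (not part of the Microsoft write-up), the following Python script scans a constructed proxy log for the network indicators in this section: the three named remote servers, the jloader.pl dropper URL carrying _qbotinj.exe, the qa.zip update archive, and the .cb configuration file names (including the updates*.cb family with its random suffix). The log lines, client addresses and the dropper host name are constructed; the dropper host in particular is elided on the page, so a placeholder is used.

```python
"""Added example: flag requests in a constructed proxy log that match the
Qakbot.C network indicators listed in this section."""
import re
from urllib.parse import urlsplit, unquote

# Remote servers named in the write-up.
C2_DOMAINS = {"zurnretail.com", "hostrmeter.com", "cdcdcdcdc2121cdsfdfd.com"}

# Configuration file names from the write-up: _qbot.cb, crontab.cb, si.cb and
# the updates*.cb family (updates.cb, updates1.cb, updates_new.cb, updates_<random>.cb).
CONFIG_RE = re.compile(r"^(?:_qbot|crontab|si|updates\w*)\.cb$", re.IGNORECASE)

# Constructed sample log, one request per line:
# "<timestamp> <client ip> <method> <url> <status>".
# dropper-host.example stands in for the host elided on the page.
SAMPLE_PROXY_LOG = """\
2017-11-09T10:01:12Z 10.0.0.21 GET http://www.example.com/index.html 200
2017-11-09T10:01:40Z 10.0.0.21 GET http://zurnretail.com/updates_x9k2.cb 200
2017-11-09T10:02:03Z 10.0.0.35 GET http://dropper-host.example/cgi-bin/jl/jloader.pl?u=u/_qbotinj.exe 200
2017-11-09T10:02:30Z 10.0.0.21 GET http://hostrmeter.com/qa.zip 200
2017-11-09T10:03:11Z 10.0.0.44 GET http://www.example.org/crontab.html 404
"""


def classify_url(url):
    """Return the list of Qakbot.C indicators a single URL matches (empty if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = unquote(parts.path)
    basename = path.rsplit("/", 1)[-1]
    reasons = []
    # Exact domain or any subdomain of a listed server.
    if host in C2_DOMAINS or any(host.endswith("." + d) for d in C2_DOMAINS):
        reasons.append("known Qakbot.C server")
    # Dropper URL: jloader.pl whose query names the injector executable.
    if path.endswith("/cgi-bin/jl/jloader.pl") and "_qbotinj.exe" in unquote(parts.query):
        reasons.append("jloader.pl dropper URL")
    # Password-protected update archive requested in the wild.
    if basename.lower() == "qa.zip":
        reasons.append("update archive qa.zip")
    # Configuration file download.
    if CONFIG_RE.match(basename):
        reasons.append("config file " + basename)
    return reasons


def scan_proxy_log(text):
    """Return (client ip, url, reasons) for every log line matching an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        _ts, client, _method, url = fields[:4]
        reasons = classify_url(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} -> {url}: {', '.join(reasons)}")
```

The domain list is the weakest of the four checks, since the write-up itself only calls these "some of the observed" servers; the path and file-name patterns (jloader.pl with _qbotinj.exe, qa.zip, the .cb names) carry over to servers not on the list. Short names such as si.cb can collide with unrelated content, so a hit on a .cb name alone is a lead to confirm against the host artifacts in the Installation section rather than a verdict.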

Additional information

Win32/Qakbot.C stores the user account name and server names found on the network in a text file, for example, 'nbl_.txt'. The stolen account information is encrypted and stored in a text file, for example, 'ps_dump_.txt'.

Analysis by Shali Hsieh

Last update 09 November 2017
