First posted on 09 November 2017.
There are no other known names for Backdoor:Win32/Qakbot.C.
Backdoor:Win32/Qakbot.C is a trojan backdoor that connects to a remote server, allowing an attacker to access the infected system. This backdoor trojan can perform several actions, including stealing user information and logging user keystrokes.
Backdoor:Win32/Qakbot.C may be downloaded and installed by other malware. It may be hosted on a number of malicious Web sites as the following file: http:///cgi-bin/jl/jloader.pl?u=u/_qbotinj.exe Upon execution, it creates the mutex '_qbot.*' to ensure that only one instance of itself is running at a time. Backdoor:Win32/Qakbot.C creates the following files, which are also detected as Backdoor:Win32/Qakbot.C or as Backdoor:Win32/Qakbot.C!dll:
where is a random number. The registry is commonly modified to execute one of the backdoor components at each Windows start, for example: Modifies value: ""
With data: ""%ALLUSERSPROFILE%\_qbothome\_qbotinj.exe" "%ALLUSERSPROFILE%\_qbothome\_qbot.dll" /c """
To subkey: HKLM\Microsoft\Windows\CurrentVersion\Run where is the name of a legitimate program and is the legitimate data for that particular program in the registry. In other words, the existing Run entry for a legitimate program is rewritten so that the backdoor's injector runs first and then passes the program's original command line along. This trojan also creates a batch script pointing to the installed copy of Win32/Qakbot.C at the following location: %USERPROFILE%\Start Menu\Programs\Startup\startup.bat. When Windows starts, the file 'startup.bat' executes Win32/Qakbot.C.
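The following Python is an added example, not part of this write-up, showing how an analyst could triage exported Run-key entries for the hijack pattern described above: a legitimate value name whose data now starts with the _qbothome\_qbotinj.exe and _qbot.dll paths, with the program's original command line passed after the /c switch. The sample entries are constructed, and the assumption that the original command follows /c is inferred from the description of the registry data.

```python
import re

# Constructed sample (value_name, data) pairs, as exported from the Run key
# with a tool such as `reg query`; these are illustrative, not from the page.
SAMPLE_RUN_ENTRIES = [
    ("ctfmon.exe", r'C:\Windows\system32\ctfmon.exe'),
    ("Adobe Reader Speed Launcher",
     r'"%ALLUSERSPROFILE%\_qbothome\_qbotinj.exe" '
     r'"%ALLUSERSPROFILE%\_qbothome\_qbot.dll" /c '
     r'"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"'),
    ("SunJavaUpdateSched", r'"C:\Program Files\Java\jre6\bin\jusched.exe"'),
]

# Paths named in the write-up; matched case-insensitively at the end of a token.
QBOT_INJECTOR = re.compile(r'\\_qbothome\\_qbotinj\.exe$', re.IGNORECASE)
QBOT_DLL = re.compile(r'\\_qbothome\\_qbot\.dll$', re.IGNORECASE)


def split_cmdline(data):
    """Split Run-key data into tokens, honouring double-quoted paths
    (simplified Windows quoting: no escaped quotes inside a token)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', data)]


def classify(value_name, data):
    """Return a verdict for one Run entry and, for a hijacked entry,
    the legitimate command line that was wrapped (assumed to follow /c)."""
    toks = split_cmdline(data)
    if len(toks) >= 2 and QBOT_INJECTOR.search(toks[0]) and QBOT_DLL.search(toks[1]):
        switch = next((i for i, t in enumerate(toks) if t.lower() == "/c"), None)
        original = toks[switch + 1:] if switch is not None else []
        return {"value": value_name, "verdict": "qakbot_hijack",
                "original_cmd": " ".join(original)}
    return {"value": value_name, "verdict": "clean", "original_cmd": data}


def scan_run_entries(entries):
    """Return only the entries that match the hijack pattern."""
    return [r for r in (classify(n, d) for n, d in entries)
            if r["verdict"] != "clean"]


if __name__ == "__main__":
    for hit in scan_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"{hit['value']}: {hit['verdict']} (restore to: {hit['original_cmd']})")
```

The recovered original_cmd is what the legitimate entry should be restored to once the _qbothome files are removed.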
Allows remote access and control
Backdoor:Win32/Qakbot.C attempts to connect to a remote server to receive command instructions from an attacker. Commands could include any of the following actions:
- Log keystrokes
- Gather the host's IP address and name
- Steal cookies and certificates
- Monitor browser Favorites and visited URLs
- Steal passwords from Internet Explorer, MSN Messenger, and Outlook
- Steal Autocomplete information, if available
Some of the observed remote servers this backdoor connects to are the following:
Downloads other malware
Win32/Qakbot.C attempts to download additional files or updates from predefined remote servers. Updates may be requested as password-protected ZIP archives. In the wild, this trojan has been observed requesting an update as 'qa.zip' from a malicious Web site. It also downloads configuration files with file names such as the following:
where is a random string.
Win32/Qakbot.C stores the user account name and server names found on the network in a text file, for example, 'nbl_.txt'. The stolen account information is encrypted and stored in a text file, for example, 'ps_dump_.txt'.
Analysis by Shali Hsieh
Last update 09 November 2017