Worm Qakbot
Original issue date: January 06, 2010
It has been reported that Win32/Qakbot, an information-stealing worm, is spreading widely. It spreads via network shares, opens a backdoor, communicates with an IRC command and control server, and downloads and installs additional malware on the compromised system.
Qakbot initially spreads through malicious JavaScript injected into compromised web pages, which attempts to exploit the Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness and the Apple QuickTime RTSP URI Remote Buffer Overflow (CVE-2007-0015) vulnerabilities. Once exploitation succeeds, it downloads malicious files onto the computer.
Aliases:
Trojan.Spy.Shoe.B (BitDefender), Win32/Qakbot!generic (CA), W32/Pinkslipbot (McAfee), Trojan-Spy.Win32.Botinok.a (Kaspersky), Mal/Qbot-B (Sophos), W32.Qakbot (Symantec), Backdoor.QBot.F (VirusBuster), Backdoor:Win32/Qbot.A (other), TrojanSpy:Win32/Botinok (other)
Upon execution the worm:
- Creates a folder at the location %Documents and Settings%\All Users\_qbothome and drops the following files into it:
  - _qbotinj.exe, _qbotnti.exe, _qbot.dll, msadvapi32.dll, q1.{Number}, _qbot.cb, _qbot_installed, crontab.cb, seclog.kcb, seclog.txt, si.cb, si.txt, updates.cb, updates_new.cb, updates_new.lst, {Random}_{Number}.txt, {Random}_{Number}.cb, {Random}_{Number}{Number}.cb, {Random}_{Number}.kcb, {Random}.kcb
- Modifies a legitimate autorun registry entry so that the worm is executed when the system starts:
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[LEGITIMATE APPLICATION NAME]" = "\"C:\Documents And Settings\All Users\_qbothome\_qbotinj.exe\" \"C:\Documents And Settings\All Users\_qbothome\_qbot.dll\" /c [PATH TO LEGITIMATE APPLICATION]"
- Contacts remote websites to check internet connectivity, download additional malware and upload stolen information
- Attempts to steal the following information from protected storage areas, the Windows address book, the Internet account manager and Active Directory:
  - IP address, DNS name, host name, domain name, country/state/city, username, whether the user is an administrator, OS information, cookies, IE password-protected sites (login names and passwords), IE AutoComplete forms, MSN ID and password, Outlook account, email addresses and passwords
- Terminates the following processes:
  - R&Q.exe, ccApp.exe, cmd.exe, ctfmon.exe, dbgview.exe, far.exe, mirc.exe, mmc.exe, msdev.exe, nc.exe, ollydbg.exe, outlook.exe, photoed, skype
- Some variants register themselves as a service with the service name "_qbotinj" and the display name "Windows DNS client".
- Creates a mutex with a name such as:
  - ~agbdw28sjhisad3, ~e5d1417.tmp, ~e5d141a.tmp, ~e198ac781b.tmp, ~e439125sl.tmp, ~efd9452.tmp, _installed
In view of the rapid propagation of the Qakbot worm, users are advised to implement the following countermeasures:
- Search for the malicious files and registry entries created by the worm and delete them
- Install and maintain updated anti-virus software at gateway and desktop level
- Firefox users: use "NoScript", a Firefox extension that allows JavaScript, Java, Flash and other plugins to be executed only by trusted websites of the user's choice
- Use caution when opening attachments and accepting file transfers
- Disable autorun.
- Keep up to date on patches and fixes for the operating system and the above-mentioned vulnerabilities
- Install and maintain a firewall at desktop level
- Block the IRC service and related ports, if not required
- Use caution when clicking on links to Web pages
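The first countermeasure above is a manual search for the artefacts the advisory lists. As an added example (not part of the advisory), the following PowerShell script performs that search read-only on a Windows host: it looks for the _qbothome folder, Run values rewritten to launch _qbotinj.exe with _qbot.dll, the _qbotinj service, and the named mutexes. It assumes the All Users profile resolves through $env:ALLUSERSPROFILE and that the mutexes live in the caller's session namespace; it reports findings and deletes nothing.

```powershell
# Added read-only check for the Qakbot artefacts described in this advisory.
# Assumption: %Documents and Settings%\All Users is resolved via $env:ALLUSERSPROFILE.
$qbotHome = Join-Path $env:ALLUSERSPROFILE '_qbothome'
$findings = @()

# 1. Dropped folder and its files
if (Test-Path -LiteralPath $qbotHome) {
    $findings += "Folder present: $qbotHome"
    Get-ChildItem -LiteralPath $qbotHome -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "  dropped file: $($_.Name)" }
}

# 2. Hijacked autorun entries: the worm rewrites a legitimate Run value so it
#    launches _qbotinj.exe with _qbot.dll and passes the real program after /c
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$psMeta = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
        if ($psMeta -contains $p.Name) { continue }
        if ("$($p.Value)" -match '_qbothome|_qbotinj\.exe|_qbot\.dll') {
            $findings += "Hijacked Run value '$($p.Name)' under $key -> $($p.Value)"
        }
    }
}

# 3. Service registered by some variants (display name "Windows DNS client")
$svc = Get-Service -Name '_qbotinj' -ErrorAction SilentlyContinue
if ($svc) { $findings += "Service _qbotinj present ('$($svc.DisplayName)', $($svc.Status))" }

# 4. Mutexes named in the advisory; only visible while the worm is running,
#    and only in the caller's session namespace (no Global\ prefix assumed)
$mutexNames = '~agbdw28sjhisad3','~e5d1417.tmp','~e5d141a.tmp',
              '~e198ac781b.tmp','~e439125sl.tmp','~efd9452.tmp','_installed'
foreach ($m in $mutexNames) {
    try {
        $mx = [System.Threading.Mutex]::OpenExisting($m)
        $mx.Dispose()
        $findings += "Mutex present: $m"
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # mutex does not exist
    } catch [System.UnauthorizedAccessException] {
        $findings += "Mutex present but not accessible: $m"
    }
}

if ($findings.Count -eq 0) { 'No Qakbot indicators found.' } else { $findings }
```

Run it from an elevated prompt so the HKLM key and the service are readable; a hit on the Run value is the strongest indicator, since the worm keeps the legitimate application name and only rewrites the command.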
References
http://www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99&tabid=2
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fQakbot.gen!A
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_QAKBOT.AF&VSect=T
http://vil.nai.com/vil/content/v_141235.htm
http://www.symantec.com/connect/blogs/qakbot-data-thief-unmasked-part-ii
http://www.symantec.com/connect/blogs/qakbot-data-thief-unmasked-part-i
Disclaimer: The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003