
W32/Pinkslipbot

Type: Virus
SubType: Worm
Discovery Date: 01/08/2007
Length: Varies
Minimum DAT: 4934 (01/08/2007)
Updated DAT: 5759 (10/02/2009)
Minimum Engine: 5.2.00
Description Added: 01/08/2007
Description Modified: 06/23/2009 5:58 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low


Characteristics

Some variants of this bot have been found using JavaScript to download:

  • q1.dll (W32/Pinkslipbot)
  • q2l.exe (W32/Pinkslipbot)

This bot also creates a

Some variants of this bot drop a copy of themselves and their components into the following directory:

  • %all users profile%\_qbothome\_qbotinj.exe (W32/Pinkslipbot)
  • %all users profile%\_qbothome\_qbot.dll (W32/Pinkslipbot!dll)

The following files are also created:

  • %all users profile%\_qbothome\crontab.cb
  • %all users profile%\_qbothome\q1.32672
  • %all users profile%\_qbothome\updates.cb
  • %all users profile%\_qbothome\_qbot.cb
  • %all users profile%\_qbothome\_qbot_installed 

(Where %all users profile% is the Windows user profile folder, e.g. C:\Documents and Settings\All Users)

It modifies existing autostart entries in the registry so that it is executed automatically at startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"[original application registry name]" = "[original application registry value]" ""%all users profile%\_qbothome\_qbotinj.exe" "%all users profile%\_qbothome\_qbot.dll" /c "[original application registry value]"

It then injects its DLL component into iexplorer.exe.

It connects to the following domains to send information and receive commands:

  • a.rtbn[blocked].cn
  • zurnre[blocked].com
  • w1.webinspect[blocked].biz
  • ftp.eltawhee[blocked].com
  • www.cdcdcdcdc2121cds[blocked].com

Information sent includes:

  • network information
  • geographic location
  • keystroke logs

Commands received include updating the malware and installing additional malware on the system.

Symptoms

  • Existence of the registry keys and files detailed above.
  • Unexpected connections to the domains mentioned.
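As an added example (not part of the McAfee advisory), a small Python triage helper for the symptoms above: it recognises the wrapped Run-value pattern the Characteristics section describes, recovers the original application command an analyst would restore after cleaning, and checks for the listed _qbothome artifacts. The exported Run values below are constructed samples, not data from a real host.

```python
import os
import re

# Filenames the advisory lists under %all users profile%\_qbothome.
QBOTHOME_FILES = ["_qbotinj.exe", "_qbot.dll", "crontab.cb", "q1.32672",
                  "updates.cb", "_qbot.cb", "_qbot_installed"]

# Hijacked Run value, per the advisory:
#   "<...>\_qbothome\_qbotinj.exe" "<...>\_qbothome\_qbot.dll" /c "<original command>"
HIJACK_RE = re.compile(
    r'^\s*"?(?P<inj>[^"]*\\_qbothome\\_qbotinj\.exe)"\s+'
    r'"(?P<dll>[^"]*\\_qbothome\\_qbot\.dll)"\s+/c\s+(?P<orig>.+?)\s*$',
    re.IGNORECASE,
)

def parse_hijacked_run_value(data: str):
    """Return (injector, dll, original_command) if the Run value matches the
    Pinkslipbot wrapper pattern, else None. The original command keeps its
    own quoting so it can be written back as-is after cleaning."""
    m = HIJACK_RE.match(data)
    if not m:
        return None
    return m.group("inj"), m.group("dll"), m.group("orig")

def triage_run_values(values: dict) -> list:
    """Scan exported Run values (name -> data) and report hijacked entries."""
    findings = []
    for name, data in values.items():
        parsed = parse_hijacked_run_value(data)
        if parsed:
            findings.append({"name": name, "injector": parsed[0], "original": parsed[2]})
    return findings

def present_artifacts(all_users_profile: str) -> list:
    """Return which of the advisory's _qbothome files exist under the profile root."""
    home = os.path.join(all_users_profile, "_qbothome")
    return [f for f in QBOTHOME_FILES if os.path.exists(os.path.join(home, f))]

# Constructed sample of exported Run values; "SoundMan" mimics the hijacked form.
SAMPLE_RUN_VALUES = {
    "SoundMan": r'"C:\Documents and Settings\All Users\_qbothome\_qbotinj.exe" '
                r'"C:\Documents and Settings\All Users\_qbothome\_qbot.dll" /c "C:\WINDOWS\SOUNDMAN.EXE"',
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}

if __name__ == "__main__":
    for f in triage_run_values(SAMPLE_RUN_VALUES):
        print(f"hijacked Run entry {f['name']!r}: restore value to {f['original']}")
```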

Method of Infection

Some variants of this bot could be installed through exploits from compromised websites.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).


Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Backdoor:Win32/Qakbot.gen!A (Microsoft)
  • BKDR_QAKBOT.AF (TrendMicro)
  • W32.Qakbot (Symantec)
