Content

W32/Akbot!a

Type
Virus
SubType
Internet Worm
Discovery Date
04/19/2009
Length
Varies
Minimum DAT
5589 (04/19/2009)
Updated DAT
5808 (11/20/2009)
Minimum Engine
5.2.00
Description Added
04/19/2009
Description Modified
09/24/2009 3:31 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

When executed, this malware drops a copy of itself or other malicious files in the following locations:

  • %AllUsersProfile%\qbothome\_qbotinj.exe
  • %AllUsersProfile%\qbothome\_qbotnti.exe
  • %AllUsersProfile%\qbothome\_qbot.dll
  • %Userprofile%\Start Menu\Programs\Startup\startup.bat

Note: %AllUsersProfile% is an environment variable that expands to the All Users profile folder. By default this is C:\Documents and Settings\All Users on Windows NT/2000/XP.

The malware creates a mutex with one of the following names, to ensure that only one copy of the worm runs on the infected machine:

  • ~agbdw28sjhisad3
  • ~e5d1417.tmp
  • ~e5d141a.tmp
  • ~e198ac781b.tmp
  • ~e439125sl.tmp
  • ~efd9452.tmp

Rather than adding a new autostart value of its own, the malware hijacks the existing values under the following key to ensure its execution at system startup: each original value is rewritten so that the injector is launched first with the DLL as its argument, followed by /c and the original command line, which the injector then runs so the legitimate program still appears to start normally.

  • Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
    {Original Value} = "%AllUsersProfile%\qbothome\_qbotinj.exe" "%AllUsersProfile%\qbothome\_qbot.dll" /c {Original Data}

Example (an existing value cleanfile.exe whose original data was C:\Cleanfile.exe):

  • Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
    cleanfile.exe = "%AllUsersProfile%\qbothome\_qbotinj.exe" "%AllUsersProfile%\qbothome\_qbot.dll" /c C:\Cleanfile.exe

Other variants create their autostart entries under one of the following keys instead:

  • Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
  • Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Runonce

Some variants may also register themselves as a service with the service name "_qbotinj" and display name "Windows DNS client". The display name imitates the legitimate DNS Client service, whose service name is Dnscache and which runs from svchost.exe, so check the service name and binary path rather than the display name alone.
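
The registry hijack and service indicators above can be checked mechanically. The following Python script is an added example, not McAfee's code and not part of the malware: it parses Run values in the "<...>\_qbotinj.exe" "<...>\_qbot.dll" /c <original> layout, recovers the original command line (what you would write back when cleaning the entry), and flags services that use the service name, display name or binary location listed. The Run entries and service table are constructed samples; on a live host you would feed it the results of winreg.EnumValue over the Run and RunOnce keys and the service list from the service control manager.

```python
import re

# Constructed sample HKLM\...\Run values (value name -> data), standing in for
# what winreg.EnumValue() would return on a live host. Not a real registry dump.
SAMPLE_RUN_ENTRIES = {
    "cleanfile.exe": (
        '"C:\\Documents and Settings\\All Users\\qbothome\\_qbotinj.exe" '
        '"C:\\Documents and Settings\\All Users\\qbothome\\_qbot.dll" /c C:\\Cleanfile.exe'
    ),
    "SoundMan": "SOUNDMAN.EXE",
    "Updater": (
        '"%AllUsersProfile%\\qbothome\\_qbotinj.exe" '
        '"%AllUsersProfile%\\qbothome\\_qbot.dll" /c "C:\\Program Files\\Updater\\upd.exe" /silent'
    ),
    "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",
}

# Constructed sample service table: (service name, display name, binary path).
SAMPLE_SERVICES = [
    ("Dnscache", "DNS Client", "C:\\WINDOWS\\system32\\svchost.exe -k NetworkService"),
    ("_qbotinj", "Windows DNS client",
     "C:\\Documents and Settings\\All Users\\qbothome\\_qbotinj.exe"),
    ("Spooler", "Print Spooler", "C:\\WINDOWS\\system32\\spoolsv.exe"),
]

# Hijacked value layout described on the page:
#   "<dir>\_qbotinj.exe" "<dir>\_qbot.dll" /c <original command line>
# <dir> may be the literal %AllUsersProfile% variable or its expanded path.
HIJACK_RE = re.compile(
    r'^\s*"(?P<injector>[^"]*\\_qbotinj\.exe)"\s+'
    r'"(?P<dll>[^"]*\\_qbot\.dll)"\s+/c\s+(?P<original>.+?)\s*$',
    re.IGNORECASE,
)


def parse_hijacked_value(data):
    """Return (injector, dll, original_command) when `data` is a hijacked
    Run value, otherwise None."""
    m = HIJACK_RE.match(data)
    if not m:
        return None
    return m.group("injector"), m.group("dll"), m.group("original")


def triage_run_entries(entries):
    """List every hijacked value with the command line it originally held."""
    hits = []
    for name, data in entries.items():
        parsed = parse_hijacked_value(data)
        if parsed:
            injector, dll, original = parsed
            hits.append({"name": name, "injector": injector,
                         "dll": dll, "original": original})
    return hits


def restore_value(data):
    """Data to write back when cleaning: the original command line if the
    value was hijacked, otherwise the value unchanged."""
    parsed = parse_hijacked_value(data)
    return parsed[2] if parsed else data


def suspicious_services(services):
    """Service names matching the name, display name or drop folder on the page.
    The legitimate DNS Client service is named Dnscache, so it is not flagged."""
    out = []
    for name, display, path in services:
        if (name.lower() == "_qbotinj"
                or display.lower() == "windows dns client"
                or "\\qbothome\\" in path.lower()):
            out.append(name)
    return out


if __name__ == "__main__":
    for h in triage_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"hijacked Run value {h['name']!r}: restore to {h['original']!r}")
    print("suspicious services:", suspicious_services(SAMPLE_SERVICES))
```

Restoring the original data is the step that matters during cleanup: simply deleting the hijacked value also removes the autostart entry of the legitimate program that was wrapped.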

Symptoms

The malware attempts to connect to the following site to receive command instructions from an attacker:

  • cdcdcdcdc2121cdsfdfd.com

The instructions received could include any of the following actions:

  • Get malware install time
  • Get malware version
  • Get Current/Program Files/Windows directory
  • Get IP Address and host name
  • Get System Information
  • Log keystrokes
  • Steal cookies and certificates
  • Monitor Favorites and visited URLs
  • Steal passwords from Internet Explorer, MSN Messenger, and Outlook
  • Steal Autocomplete information
  • Download/Upload other files
  • Terminate/Execute Files
  • Perform FTP commands
  • Perform IRC commands
  • Remove/Update the copy of itself

The malware may also request URLs of the following forms from a predefined site ([Site] stands for the attacker-controlled host; %s in the last entry is a placeholder the malware fills in at run time) to download other component files or to update the copy of itself:

  • http://[Site]/cgi-bin/jl/jloader.pl?loadfile=q
  • http://[Site]/cgi-bin/jl/jloader.pl?loadfile=3d
  • http://[Site]/cgi-bin/exhandler3.pl
  • http://[Site]/cgi-bin/clientinfo3.pl
  • http://[Site]/cgi-bin/jl/jloader.pl?u=u/updates98.cb
  • http://[Site]/cgi-bin/jl/jloader.pl?u=u/updates1.cb
  • http://[Site]/cgi-bin/jl/jloader.pl?u=u/updates_%s.cb

The updates may be delivered as password-protected ZIP archives with the password "Hello999W0rld777".

The malware could also download other configuration files with filenames such as the following:

  • crontab.cb
  • updates.cb
  • updates1.cb
  • updates<RANDOM>_new.cb
  • _qbot.cb
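
The C2 hostname, the CGI update paths and the configuration file names above are the network indicators a responder would search proxy logs for. The following Python script is an added example, not McAfee's code and not part of the malware: it classifies each URL in a proxy log as a hit on the C2 host or on one of the update CGI paths, extracts the object requested through the loadfile or u parameter, and notes when that object is one of the .cb configuration files. The log lines are constructed, in a simple "<epoch> <client ip> <method> <url> <status>" layout, and 203.0.113.7 stands in for [Site].

```python
import re
from urllib.parse import urlsplit, parse_qs

C2_HOST = "cdcdcdcdc2121cdsfdfd.com"

# CGI paths from the update/component URLs listed on the page.
UPDATE_PATH_RE = re.compile(
    r"^/cgi-bin/(?:jl/jloader\.pl|exhandler3\.pl|clientinfo3\.pl)$", re.IGNORECASE)

# Configuration file names listed on the page: crontab.cb, updates*.cb, _qbot.cb.
CONFIG_NAME_RE = re.compile(r"^(?:crontab|updates[^/]*|_qbot)\.cb$", re.IGNORECASE)

# Constructed proxy log (not real traffic): "<epoch> <client ip> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
1240000001 10.0.0.12 GET http://www.example.com/index.html 200
1240000002 10.0.0.12 GET http://cdcdcdcdc2121cdsfdfd.com/ 200
1240000003 10.0.0.12 GET http://203.0.113.7/cgi-bin/jl/jloader.pl?loadfile=q 200
1240000004 10.0.0.12 GET http://203.0.113.7/cgi-bin/jl/jloader.pl?u=u/updates98.cb 200
1240000005 10.0.0.12 POST http://203.0.113.7/cgi-bin/clientinfo3.pl 200
1240000006 10.0.0.12 GET http://203.0.113.7/cgi-bin/exhandler3.pl 200
1240000007 10.0.0.44 GET http://www.example.com/cgi-bin/search.pl?q=jloader 200
"""


def classify_url(url):
    """Return (kind, requested_object). kind is "c2-host", "update-cgi" or None;
    requested_object is the loadfile= or u= value when present."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == C2_HOST:
        return "c2-host", None
    if UPDATE_PATH_RE.match(parts.path):
        qs = parse_qs(parts.query)
        requested = (qs.get("loadfile") or qs.get("u") or [None])[0]
        return "update-cgi", requested
    return None, None


def scan_proxy_log(text):
    """One hit per log line that matches an indicator, in log order."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; skip rather than guess
        ts, src, method, url, status = fields[:5]
        kind, requested = classify_url(url)
        if kind is None:
            continue
        config_file = None
        if requested:
            base = requested.rsplit("/", 1)[-1]  # u=u/updates98.cb -> updates98.cb
            if CONFIG_NAME_RE.match(base):
                config_file = base
        hits.append({"ts": ts, "src": src, "method": method, "kind": kind,
                     "url": url, "requested": requested, "config_file": config_file})
    return hits


def infected_hosts(text):
    """Sorted client addresses that touched any indicator."""
    return sorted({h["src"] for h in scan_proxy_log(text)})


if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(h["ts"], h["src"], h["kind"], h["url"], h["config_file"] or "")
    print("hosts to isolate:", infected_hosts(SAMPLE_PROXY_LOG))
```

The path match is anchored, so a benign /cgi-bin/search.pl?q=jloader on another site is not reported. If the proxy retained the downloaded body, the standard-library zipfile module can open the password-protected archives with ZipFile.extractall(pwd=b"Hello999W0rld777"), since it implements the traditional PKWARE decryption those archives use.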

Method of Infection

This variant of the malware does not self-replicate. It is installed manually, typically under the pretence that it is a beneficial or wanted program. The most common installation methods are exploitation of system or security weaknesses, and unsuspecting users executing unknown programs.

Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Variants

    N/A

All Information

Overview

This detection is for a malware that has the capability to connect to an IRC command and control server. The malware can then follow commands as instructed by the attacker from this IRC server.

The characteristics of this malware, with regard to file names, folders created, port numbers used, etc., will differ from one variant to another. Hence, this is a general description.

Aliases

  • Backdoor.Win32.Qakbot [Ikarus]
  • Backdoor:Win32/Qakbot.gen!A [Microsoft]
  • Mal/Qbot-B [Sophos]
  • W32.Qakbot [Symantec]