W32/Akbot.gen.a

Type: Trojan
SubType: Win32
Discovery Date: 11/06/2009
Length: Varies
Minimum DAT: N/A (11/08/2009)
Updated DAT: 5796 (11/08/2009)
Minimum Engine: 5.3.00
Description Added: 11/06/2009
Description Modified: 11/10/2009 11:26 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

When executed, this malware drops a copy of itself or other malicious files in the following locations:

  • %AllUsersProfile%\qbothome\_qbotinj.exe
  • %AllUsersProfile%\qbothome\_qbotnti.exe
  • %AllUsersProfile%\qbothome\_qbot.dll
  • %Userprofile%\Start Menu\Programs\Startup\startup.bat

Note: %AllUsersProfile% is a variable that specifies the all users' profile folder. By default, this is C:\Documents and Settings\All Users (Windows NT/2000/XP).

The malware creates a mutex with one of the following names, to ensure that only one copy of the worm runs on the infected machine:

  • ~agbdw28sjhisad3
  • ~e5d1417.tmp
  • ~e5d141a.tmp
  • ~e198ac781b.tmp
  • ~e439125sl.tmp
  • ~efd9452.tmp

The malware creates the following registry entry, to ensure its execution at system startup:

  • Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
          {Original Value} = "%AllUsersProfile%\qbothome\_qbotinj.exe"
          "%AllUsersProfile%\qbothome\_qbot.dll" /c {Original Data}

Other variants could create their startup entry under one of the following registry keys instead:

  • Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
  • Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Runonce

Some variants may also register themselves as a service with the service name "_qbotinj" and display name "Windows DNS client".
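
The host indicators above (dropped files, Run/RunOnce values, service name, mutex names) can be triaged with a read-only check. The following PowerShell function is an added example, not McAfee code and not part of this description: the indicator values are taken from the page, the function name and the shape of its output are my own, and it assumes PowerShell 4.0 or later (for Get-FileHash) on .NET 4.5 or later (for Mutex.TryOpenExisting).

```powershell
# Added example: read-only triage of the W32/Akbot.gen.a host indicators
# listed in this description. Not McAfee code; IOC values come from the
# description, the function name and output shape are assumptions.

function Test-AkbotHostIndicators {
    [CmdletBinding()]
    param()

    $findings = @()

    # 1. Dropped files (paths from the description, environment variables expanded)
    $files = @(
        '%AllUsersProfile%\qbothome\_qbotinj.exe',
        '%AllUsersProfile%\qbothome\_qbotnti.exe',
        '%AllUsersProfile%\qbothome\_qbot.dll',
        '%UserProfile%\Start Menu\Programs\Startup\startup.bat'
    )
    foreach ($f in $files) {
        $path = [Environment]::ExpandEnvironmentVariables($f)
        if (Test-Path -LiteralPath $path) {
            # Hash the sample so it can be submitted / compared with the cleaned copy
            $h = Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction SilentlyContinue
            $findings += [pscustomobject]@{
                Type      = 'File'
                Indicator = $path
                Detail    = if ($h) { $h.Hash } else { 'hash unavailable' }
            }
        }
    }

    # 2. Run / RunOnce values whose data references the qbothome directory
    #    or the injector / DLL names from the description
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        $props = Get-ItemProperty -LiteralPath $k
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            if ("$($p.Value)" -match '(?i)qbothome|_qbotinj|_qbot\.dll') {
                $findings += [pscustomobject]@{
                    Type      = 'Registry'
                    Indicator = "$k\$($p.Name)"
                    Detail    = $p.Value
                }
            }
        }
    }

    # 3. Service registered as "_qbotinj" / displayed as "Windows DNS client"
    $svc = Get-Service -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq '_qbotinj' -or $_.DisplayName -eq 'Windows DNS client' }
    foreach ($s in $svc) {
        $findings += [pscustomobject]@{ Type = 'Service'; Indicator = $s.Name; Detail = $s.DisplayName }
    }

    # 4. Mutex names. The names carry no Global\ prefix, so they live in the
    #    local namespace of the logon session; TryOpenExisting only sees them
    #    when this script runs in the same session as the suspected process.
    $mutexes = @('~agbdw28sjhisad3', '~e5d1417.tmp', '~e5d141a.tmp',
                 '~e198ac781b.tmp', '~e439125sl.tmp', '~efd9452.tmp')
    foreach ($m in $mutexes) {
        $mx = $null
        if ([System.Threading.Mutex]::TryOpenExisting($m, [ref]$mx)) {
            $mx.Dispose()
            $findings += [pscustomobject]@{ Type = 'Mutex'; Indicator = $m; Detail = 'currently held' }
        }
    }

    return $findings
}

Test-AkbotHostIndicators | Format-Table -AutoSize
```

A non-empty result means the indicators are present, not that the file has been confirmed as this detection; use it to decide which sample to pull before cleaning, and run it again afterwards to confirm that the DAT removed the files and the startup entry.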

When the malware runs under a domain admin account, it uses that account to copy itself to the other machines in the network over network shares. In most cases the workstations expose the "admin$" and "C$" administrative shares, so one compromised domain admin account gives the malware access to all of them.

Note: the trailing '$' marks a hidden administrative network share.

By default, Windows stores a local password hash for every cached logon. Once a domain admin account is compromised, one has to assume that ALL passwords for the entire network are known to the attacker. This worm also logs keystrokes, which gives the attacker the compromised user's password more easily than reversing the hashes.

The malware attempts to connect to the following site to receive command instructions from an attacker:

  • cdcdcdcdc2121cdsfdfd.com

The instructions received could include any of the following actions:

  • Get malware install time
  • Get malware version
  • Get Current/Program Files/Windows directory
  • Get IP Address and host name
  • Get System Information
  • Log keystrokes
  • Steal cookies and certificates
  • Monitor Favorites and visited URLs
  • Steal passwords from Internet Explorer, MSN Messenger, and Outlook
  • Steal Autocomplete information
  • Download/Upload other files
  • Terminate/Execute Files
  • Perform FTP commands
  • Perform IRC commands
  • Remove/Update the copy of itself

This malware may connect to a predefined site that has the format below to download other component files or to update the copy of itself:

  • hxxp://[Site]/cgi-bin/jl/jloader.pl?loadfile=q
  • hxxp://[Site]/cgi-bin/jl/jloader.pl?loadfile=3d
  • hxxp://[Site]/cgi-bin/exhandler3.pl
  • hxxp://[Site]/cgi-bin/clientinfo3.pl
  • hxxp://[Site]/cgi-bin/jl/jloader.pl?u=u/updates98.cb
  • hxxp://[Site]/cgi-bin/jl/jloader.pl?u=u/updates1.cb
  • hxxp://[Site]/cgi-bin/jl/jloader.pl?u=u/updates_%s.cb

The updates may be delivered as password-protected ZIP archives with the password "Hello999W0rld777".

The malware could also download other configuration files with filenames such as the following:

  • crontab.cb
  • updates.cb
  • updates1.cb
  • updates<RANDOM>_new.cb
  • _qbot.cb
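
The C2 domain, the jloader.pl / exhandler3.pl / clientinfo3.pl URL patterns and the .cb configuration file names above are the network side of this detection and can be matched against web proxy logs. The PowerShell function below is an added example, not McAfee code and not part of this description: the indicator values come from the page, while the function name, the log line format (timestamp, client IP, method, URL, status) and the sample lines are constructed for illustration.

```powershell
# Added example (not McAfee code): flag proxy log lines that match the
# W32/Akbot.gen.a C2 domain, update/loader URL patterns and configuration
# file names from this description. Log format and sample lines are constructed.

function Find-AkbotNetworkIndicators {
    param([string[]]$LogLines)

    $c2Domain = 'cdcdcdcdc2121cdsfdfd.com'

    # The host part of the update URLs is unknown ([Site] in the description),
    # so match on path and query only. updates[^\s"]*\.cb covers updates98.cb,
    # updates1.cb and the updates_%s.cb template.
    $pathPattern = '(?i)/cgi-bin/(jl/jloader\.pl\?(loadfile=(q|3d)\b|u=u/updates[^\s"]*\.cb)|exhandler3\.pl|clientinfo3\.pl)'

    # Configuration file names listed in the description, anywhere in a URL path
    $configPattern = '(?i)/(crontab|updates\w*|_qbot)\.cb(\s|$|")'

    foreach ($line in $LogLines) {
        $reason = $null
        if     ($line -match [regex]::Escape($c2Domain)) { $reason = 'C2 domain' }
        elseif ($line -match $pathPattern)                { $reason = 'update/loader URL pattern' }
        elseif ($line -match $configPattern)              { $reason = 'configuration file name' }

        if ($reason) {
            [pscustomobject]@{ Reason = $reason; Line = $line }
        }
    }
}

# Constructed sample proxy lines: one benign, four matching different indicators
$sample = @(
    '2009-11-06T10:01:02Z 10.0.0.12 GET http://intranet.example/index.html 200',
    '2009-11-06T10:02:15Z 10.0.0.12 GET http://cdcdcdcdc2121cdsfdfd.com/ 200',
    '2009-11-06T10:02:40Z 10.0.0.12 GET http://203.0.113.7/cgi-bin/jl/jloader.pl?u=u/updates98.cb 200',
    '2009-11-06T10:03:01Z 10.0.0.12 GET http://203.0.113.7/cgi-bin/clientinfo3.pl 200',
    '2009-11-06T10:03:30Z 10.0.0.12 GET http://203.0.113.7/dl/updates17_new.cb 200'
)

Find-AkbotNetworkIndicators -LogLines $sample | Format-Table -AutoSize
```

Feed it real logs with Get-Content (for example `Find-AkbotNetworkIndicators -LogLines (Get-Content proxy.log)`); the URL path patterns are generic enough that a hit should be confirmed against the host indicators before the client is treated as infected.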

Symptoms

  • Presence of aforementioned files and registry entries.
  • Presence of unexpected network connections.

Method of Infection

Trojans are not viruses, and as such do not contain any method to replicate by themselves. However, they may be downloaded by other viruses and/or Trojans to be installed on the user's system. Alternatively, they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the malware).

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
