Trojan-PSW.Win32.Qbot.byy

Detected Apr 25 2011 08:54 GMT
Released Aug 19 2011 17:01 GMT
Published Apr 25 2011 08:54 GMT

Technical Details

This malicious program gives a malicious user remote access to the victim machine. It is a Windows application (PE EXE file), 249 344 bytes in size, packed with UPX; the unpacked file is approximately 279 KB. It is written in C++.

Installation

Once launched, the backdoor copies its body to the file:

%ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_1>.exe
where <rnd_1> is a random name (for example: "uiouy").

To launch the created copy automatically each time the system is started, the backdoor modifies existing autostart values that it finds in the branch:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

For example, an existing value is rewritten so that the backdoor's copy runs first and then starts the original program, whose command line is passed after the /c parameter:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
<application name> = ""%ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_1>.exe" /c <previous parameter value>"

It also adds a value of its own under the same key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"<rnd_2>" = "%ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_1>.exe"
where <rnd_2> is a random name (for example: "jladjtrq").

If the backdoor cannot write to the above-mentioned branch (typically because the current user lacks administrative rights to HKLM), it performs the same actions in the following branches:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce]
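
A defender looking for this persistence mechanism has to catch two things at once: a new Run value pointing into a directory under Application Data\Microsoft whose name equals the executable's stem, and pre-existing Run values that have been wrapped so the backdoor runs first and re-launches the original program via /c. The following Python is an added example, not part of the original analysis: it parses the text of a `reg export` dump (offline, so it also works on hives exported from an evidence image) and flags both forms. The registry dump is constructed for illustration; "uiouy" follows the page's example, while "SoundMan" and the other entries are invented stand-ins for ordinary autostart values.

```python
import re
from typing import Dict, List

# Constructed sample of a `reg export` of the Run keys after an infection of the kind the
# page describes. "uiouy" is the page's example of <rnd_1>; "SoundMan", the Adobe entry and
# the ctfmon entry are invented stand-ins for pre-existing autostart values.
SAMPLE_REG_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="\"C:\\Documents and Settings\\All Users\\Application Data\\Microsoft\\uiouy\\uiouy.exe\" /c SOUNDMAN.EXE"
"jladjtrq"="C:\\Documents and Settings\\All Users\\Application Data\\Microsoft\\uiouy\\uiouy.exe"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

# Drop location described on the page: ...\Application Data\Microsoft\<rnd_1>\<rnd_1>.exe.
# Both the directory name and the executable stem are captured so they can be compared;
# the prefix is left open so that an unexpanded %ALLUSERSPROFILE% also matches.
DROP_PATH_RE = re.compile(
    r'\\application data\\microsoft\\(?P<dir>[^\\]+)\\(?P<stem>[^\\]+)\.exe', re.I)

# "<image>" /c <original command>: the shape of a hijacked autostart value.
WRAPPER_RE = re.compile(r'^"?(?P<image>[^"]+?\.exe)"?\s+/c\s+(?P<original>.+)$', re.I)


def _unescape(data: str) -> str:
    # .reg files double backslashes and escape quotes with a backslash.
    return re.sub(r'\\(.)', r'\1', data)


def parse_reg_export(text: str) -> List[Dict[str, str]]:
    """Return {key, name, data} records for every string value in a `reg export` dump."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key = m.group('key')
        elif (m := REG_VALUE_RE.match(line)) and key:
            entries.append({'key': key, 'name': m.group('name'),
                            'data': _unescape(m.group('data'))})
    return entries


def looks_like_drop_path(path: str) -> bool:
    """True when the path ends in ...\Microsoft\<x>\<x>.exe with identical <x>."""
    m = DROP_PATH_RE.search(path)
    return bool(m) and m.group('dir').lower() == m.group('stem').lower()


def find_qbot_autostarts(reg_text: str) -> List[Dict[str, str]]:
    """Flag Run/RunOnce values that launch the drop-path executable, either directly
    ('direct') or as a wrapper around the original command ('hijacked')."""
    findings = []
    for e in parse_reg_export(reg_text):
        if not e['key'].lower().endswith(('\\currentversion\\run', '\\currentversion\\runonce')):
            continue
        if m := WRAPPER_RE.match(e['data']):
            if looks_like_drop_path(m.group('image')):
                findings.append({**e, 'kind': 'hijacked', 'image': m.group('image'),
                                 'original': m.group('original')})
        elif looks_like_drop_path(e['data'].strip('"')):
            findings.append({**e, 'kind': 'direct', 'image': e['data'].strip('"'), 'original': ''})
    return findings


if __name__ == '__main__':
    for f in find_qbot_autostarts(SAMPLE_REG_EXPORT):
        print(f"{f['kind']:8} {f['key']}\\{f['name']} -> {f['image']}"
              + (f"  (original: {f['original']})" if f['original'] else ''))
```

The 'original' field of a hijacked finding is what has to be written back when restoring the value during clean-up; a 'direct' finding is simply deleted.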

Payload

Once launched, the backdoor performs the following actions:

  • To ensure that only one instance of its process runs in the system, it creates an object with the unique name:
    <name of executable file of backdoor>a<user name>
  • It collects the following information about the system:
    - username;
    - computer name;
    - serial number of the system volume;
    - the value of the system registry parameter:
    [HKLM\Software\Microsoft\Windows NT\CurrentVersion]
    "ProductId"
    - the list of software installed on the infected machine, obtained by reading the "ProductName" parameter of the subkeys of the branch:
    [HKCR\Installer\Products]
    The harvested information can later be sent to the malicious user's server.
  • It terminates services and processes whose names contain any of the following substrings (mostly security vendors, analysis sites and Windows Update):
    webroot.
    agnitum
    ahnlab
    arcabit
    avast
    avg
    avira
    avp
    bitdefender
    bit9
    castlecops
    centralcommand
    clamav
    comodo
    computerassociates
    cpsecure
    defender
    drweb
    emsisoft
    esafe
    .eset
    etrust
    ewido
    fortinet
    f-prot
    f-secure
    gdata
    grisoft
    hacksoft
    hauri
    ikarus
    jotti
    k7computing
    kaspersky
    malware
    mcafee
    networkassociates
    nod32
    norman
    norton
    panda
    pctools
    prevx
    quickheal
    rising
    rootkit
    securecomputing
    sophos
    spamhaus
    spyware
    sunbelt
    symantec
    threatexpert
    trendmicro
    virus
    wilderssecurity
    windowsupdate
    
  • It also terminates the following processes, among them common debugging tools:
    msdev.exe
    dbgview.exe
    mirc.exe
    ollydbg.exe
    ctfmon.exe
    
  • It extracts files from its body and saves them in the system under the following names:
    %ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_1>.dll (135 216 bytes; it is detected by Kaspersky Anti-Virus as "Trojan-PSW.Win32.Qbot.byx")
    
    %ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_3>.dll
    
    where <rnd_3> is the first 4 characters of the name <rnd_1>. The file "<rnd_3>.dll" holds encrypted configuration data for the malware's subsequent operation. Decrypted, the configuration of the analysed sample contained the following strings (some values are masked in the original report):
    # Line begining with '#' is a comment
    # '#' - not in the begining - is not a comment!!!
    # irc_servers=master.madway.net
    
    irc_ssl_server_port=16668
    irc_pass=Zrmausakl1829997
    p2p_node_lst=http://bckp01.in/cgi-bin/ls1.pl
    ftphost_1=77.221.134.75:agamain:qu5end8k:/.cpanel
    ftphost_2=ftp.acm***mation.com:logs@acm***mation.com:zubri51241:
    ftphost_3=ftp.hunt***entral.com:testuser@hunt***entral.com:kolbasa25:
    ftphost_4=s046.pan***xmanager.com:equipem1:4Y2V64b0dy67:/.last
    update_conf_ver=861
    
    At run time the malware appends values it generates (file aliases, its home directory, its IRC nickname, the installation time) and some of the information it harvests to this configuration file. For example:
    alias__qbot.cb=uiou.dll
    alias__qbotinj.exe=uiouy.exe
    alias__qbot.dll=uiouy.dll
    alias_seclog.txt=uio.dll
    alias_si.txt=larvsox
    alias_ps_dump=oejtuy12n
    alias_qa.bin==wcod
    home_dir=c:\\documents and settings\\all users\\application data\\microsoft\\uiouy
    irc_my_nick=vwnfjq298080
    install_time=20.46.28-9/04/2011
    
    This file is encrypted and sent to the malicious user's server.
  • It calls the exported function "kIlsasgcbag0a" of the previously extracted "<rnd_1>.dll" library. This installs a hook procedure through which the malware monitors messages in the system queue; the hook lets it hide its working directory and track user activity on the infected machine (keystrokes, files opened, network traffic, etc.). The backdoor writes the information it collects to the following file:
    %ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_4>.dll
    
    where <rnd_4> is the first 3 characters of the name <rnd_1>. Below is a sample of the log created by the malware when the user logs in to the website "vk.com" (the credentials shown are test values):
    t=kb time=[23:49:55-9/4/2011] p=[Explorer.EXE] b=[iexplore]
    t=kb time=[23:50:7-9/4/2011] p=[iexplore.exe] b=[vk]
    t=kb time=[23:50:16-9/4/2011] p=[iexplore.exe] b=[http://vk.com]
    t=kb time=[23:50:34-9/4/2011] p=[iexplore.exe] b=[IvanIvanov@mail.ru]
    t=kb time=[23:50:41-9/4/2011] p=[iexplore.exe] b=[MyPassword]
    t=u1 time=[23:50:42-9/4/2011] ua=[Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)]
    t=h1 time=[23:50:42-9/4/2011] url=[http://login.vk.com/?act=login] data=[act=login&q=1&al_frame=1&expire=&captcha_sid=&captcha_key=&from_host=vk.com&email=IvanIvanov@mail.ru&pass=MyPassword] referer=[http://vk.com] cookie=[remixlang=0; remixchk=5]
    
    The backdoor can send this log to the malicious user's server. It can also use the extracted library to steal credentials for the following online banking resources (as listed in the analysed sample):
    cashproonline.bankofamerica.com
    singlepoint.usbank.com
    netconnect.bokf.com
    business-eb.ibanking-services.com
    ebanking-services.com
    web-cashplu's.com
    treas-mgt.frostbank.com
    treasury.pncbank.com
    access.jpmorgan.com
    ktt.key.com
    premierview.membersunited.org
    directline4biz.com
    onb.webcashmgmt.com
    tmconnectweb
    moneymanagergps.com
    ibc.klikbca.com
    directpay.wellsfargo.com
    express.53.com
    itreasury.regions.com
    itreasurypr.regions.com
    cpw-achweb.bankofamerica.com
    businessaccess.citibank.citigroup.com
    businessonline.huntington.com
    
    The library also exports a function named "zupidshc21mnu", which removes the installed hook.
  • It establishes a connection with the servers:
    nt***0.in
    du***1.in
    ads***co.in
    up0***om.ua
    redse***com.ua
    
  • On command from the malicious user, the backdoor can perform the following actions:
    - harvest information;
    - send information harvested from the infected machine to a specified server;
    - download files from links sent to it;
    - update its original file;
    - manage processes;
    - manage services;
    - self-destruct.
  • The backdoor can inject its functionality into the address space of the following processes:
    explorer.exe
    iexplore.exe
    outlook.exe
    firefox.exe
    opera.exe
    skype.exe
    msnmsgr.exe
    yahoomessenger.exe
    chrome.exe
    
    The malware can be launched with the following command-line parameters:
    /t – the WM_QUIT message is sent to the "<rnd_1><user name>" window created by the malware, and the running malware process terminates;
    /s – the malware is launched as a Windows service;
    /i – the following files are extracted, after which the malware process exits:
    %ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_1>.dll
    %ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_3>.dll
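
The log format shown above is regular enough to parse during incident response: once a "<rnd_4>.dll" has been recovered and decrypted, the analyst needs to establish which accounts were exposed and when. The following Python is an added example, not part of the original analysis. It parses the name=[value] records, groups the keystroke buffers by the process that received them, and pulls credential-looking parameters out of intercepted form posts. The sample log is the one printed above; the set of credential field names and the day/month order of the timestamp are assumptions (the latter inferred from the April 2011 analysis date).

```python
import re
from datetime import datetime
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Record syntax seen in the log: a leading "t=<type>" followed by space-separated
# name=[value] fields. Values in the observed sample never contain ']'.
TYPE_RE = re.compile(r'^t=(\w+)')
FIELD_RE = re.compile(r'(\w+)=\[([^\]]*)\]')

# Form parameters treated as credentials during triage (assumption; extend per target site).
CREDENTIAL_FIELDS = {'email', 'pass', 'password', 'passwd', 'login', 'user', 'username', 'pin'}

# The sample log printed on the page (vk.com login with test credentials).
SAMPLE_LOG = """\
t=kb time=[23:49:55-9/4/2011] p=[Explorer.EXE] b=[iexplore]
t=kb time=[23:50:7-9/4/2011] p=[iexplore.exe] b=[vk]
t=kb time=[23:50:16-9/4/2011] p=[iexplore.exe] b=[http://vk.com]
t=kb time=[23:50:34-9/4/2011] p=[iexplore.exe] b=[IvanIvanov@mail.ru]
t=kb time=[23:50:41-9/4/2011] p=[iexplore.exe] b=[MyPassword]
t=u1 time=[23:50:42-9/4/2011] ua=[Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)]
t=h1 time=[23:50:42-9/4/2011] url=[http://login.vk.com/?act=login] data=[act=login&q=1&al_frame=1&expire=&captcha_sid=&captcha_key=&from_host=vk.com&email=IvanIvanov@mail.ru&pass=MyPassword] referer=[http://vk.com] cookie=[remixlang=0; remixchk=5]
"""


def parse_time(value: str) -> datetime:
    """Timestamps look like 23:50:7-9/4/2011 (no zero padding). Day-before-month
    is an assumption inferred from the April 2011 analysis date."""
    return datetime.strptime(value, '%H:%M:%S-%d/%m/%Y')


def parse_log(text: str) -> List[Dict[str, str]]:
    """One dict per record, keyed by field name ('t', 'time', 'p', 'b', 'url', 'data', ...)."""
    records = []
    for line in text.splitlines():
        m = TYPE_RE.match(line)
        if not m:
            continue
        record = dict(FIELD_RE.findall(line))
        record['t'] = m.group(1)
        records.append(record)
    return records


def typed_by_process(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Keystroke buffers (t=kb) grouped by the process that received them, in log order."""
    typed: Dict[str, List[str]] = {}
    for r in records:
        if r['t'] == 'kb':
            typed.setdefault(r['p'], []).append(r['b'])
    return typed


def harvested_form_posts(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """For each intercepted HTTP form post (t=h1), decode the body and keep the
    credential-looking parameters. Blank parameters (expire=, captcha_sid=) are dropped."""
    posts = []
    for r in records:
        if r['t'] != 'h1':
            continue
        params = parse_qs(r.get('data', ''), keep_blank_values=False)
        posts.append({
            'time': parse_time(r['time']),
            'host': urlsplit(r['url']).hostname,
            'url': r['url'],
            'referer': r.get('referer', ''),
            'credentials': {k: v[0] for k, v in params.items() if k.lower() in CREDENTIAL_FIELDS},
        })
    return posts


if __name__ == '__main__':
    recs = parse_log(SAMPLE_LOG)
    for proc, buffers in typed_by_process(recs).items():
        print(f'{proc}: {" | ".join(buffers)}')
    for post in harvested_form_posts(recs):
        print(f"{post['time']:%Y-%m-%d %H:%M:%S} {post['host']} {post['credentials']}")
```

The keystroke view and the form-post view complement each other: the h1 records give the exact parameter names and destination host, while the kb records catch credentials typed into applications that never produce an HTTP post (mail clients, instant messengers, and the other injection targets listed below).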


Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

  1. Reboot the computer in Safe Mode (at the start of the boot sequence, press and hold F8, then choose Safe Mode from the Windows boot menu).
  2. Delete the following files:
    %ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_1>.exe
    %ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_1>.dll
    %ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_3>.dll
    %ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_4>.dll
    
  3. Delete the system registry values created by the Trojan and restore the original values of any autostart entries it has wrapped, in the following keys:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce]
    
  4. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
  5. Empty the Temporary Internet Files folder, which may contain infected files.
  6. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases.
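
Because <rnd_1> is random, step 2 cannot be carried out by file name alone; the description above does, however, fix the relationship between the four names (<rnd_1>.exe, <rnd_1>.dll, the first four characters of <rnd_1> plus .dll, and the first three characters plus .dll). The following Python is an added example rather than part of the original instructions: it scans a listing of the Application Data\Microsoft tree for directories whose contents fit that scheme and reports which of the four artifacts are present. The listing is constructed for illustration and reuses the page's "uiouy" example; the other entries are ordinary Microsoft directories invented for contrast.

```python
from pathlib import Path, PureWindowsPath
from typing import Dict, Iterable, List

# Constructed listing of %ALLUSERSPROFILE%\Application Data\Microsoft on a Windows XP host:
# the page's example drop directory "uiouy" sits among legitimate Microsoft directories.
SAMPLE_LISTING = [
    r'C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\somekey',
    r'C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat',
    r'C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat',
    r'C:\Documents and Settings\All Users\Application Data\Microsoft\uiouy\uiouy.exe',
    r'C:\Documents and Settings\All Users\Application Data\Microsoft\uiouy\uiouy.dll',
    r'C:\Documents and Settings\All Users\Application Data\Microsoft\uiouy\uiou.dll',
    r'C:\Documents and Settings\All Users\Application Data\Microsoft\uiouy\uio.dll',
    r'C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\user.bmp',
]


def expected_artifacts(rnd_1: str) -> Dict[str, str]:
    """File names the page documents for a drop directory named rnd_1."""
    return {
        'copy':   f'{rnd_1}.exe',      # <rnd_1>.exe: the backdoor's own copy
        'hook':   f'{rnd_1}.dll',      # <rnd_1>.dll: the hook/injection library
        'config': f'{rnd_1[:4]}.dll',  # <rnd_3>.dll: encrypted configuration
        'log':    f'{rnd_1[:3]}.dll',  # <rnd_4>.dll: harvested data and keystroke log
    }


def find_drop_directories(paths: Iterable[str]) -> List[Dict[str, object]]:
    """Group files by directory and report directories whose contents fit the naming scheme.
    The executable plus at least one of the DLLs is required; whatever is absent is listed
    under 'missing' (the log DLL only appears once the hook has recorded something)."""
    by_dir: Dict[str, set] = {}
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir.setdefault(str(wp.parent), set()).add(wp.name.lower())
    hits = []
    for directory, names in by_dir.items():
        rnd_1 = PureWindowsPath(directory).name
        want = expected_artifacts(rnd_1.lower())
        present = {role: fn for role, fn in want.items() if fn in names}
        if 'copy' in present and len(present) >= 2:
            hits.append({'dir': directory, 'name': rnd_1, 'present': present,
                         'missing': sorted(set(want) - set(present))})
    return hits


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Run the same check against a real directory tree, e.g. a mounted evidence image."""
    return find_drop_directories(str(p) for p in Path(root).rglob('*') if p.is_file())


if __name__ == '__main__':
    for hit in find_drop_directories(SAMPLE_LISTING):
        print(f"{hit['dir']}: present={sorted(hit['present'])} missing={hit['missing']}")
```

The same directory name is what to look for in the Run values from step 3, and the four files are exactly those to delete in step 2; a match with the executable but no DLLs is worth a second look rather than an automatic verdict, since the installer (/i) may have been interrupted.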

MD5: 78415F430F79382AC9DD377B806C52BE

SHA1: F6B1D472EAE28CE16A5C3D7DEDE92184CF8E1424


Trojan-PSW

Trojan-PSW programs are designed to steal user account information such as logins and passwords from infected computers. PSW is an acronym of Password Stealing Ware.

When launched, a PSW Trojan searches system files and registry locations that store confidential data. If such data is found, the Trojan sends it to its "master". Email, FTP, the web (including data embedded in a request), or other channels may be used to transmit the stolen data.

Some such Trojans also steal registration information for certain software programs.

