Internet threat level: 1
Home→Descriptions→Trojan-PSW.Win32.Qbot.dkg
Trojan-PSW.Win32.Qbot.dkg
| Detected | May 11 2011 14:13 GMT |
| Released | May 11 2011 19:48 GMT |
Summary
- Trojan-Banker. Steals confidential information from banks, financial institutions and payment systems
Technical details
File size of 300704 bytes.
Installation
Makes copies of itself with the following names once launched:
- Directory of users' settings%Documents and Settings%\all users\application data\microsoft\aoekqg60z\aoekqg60z.exe
Creates the following files on an infected computer:
- Directory of users' settings%Documents and Settings%\all users\application data\microsoft\aoekqg60z\aoekqg60z.dll (Kaspersky Anti-Virus detects as Trojan-Spy.Win32.Banker.qpl)
- Directory of users' settings%Documents and Settings%\all users\application data\microsoft\aoekqg60z\aoekqg60.dll
Malicious activity
Steals confidential user information from
A malicious program designed to steal user information related to banking and electronic payment systems and bank cards. The information is sent to a cybercriminal via email, ftp, the web or other methods.
Read more details here: http://www.viruslist.com/en/analysis?pubid=204792037the following banks, financial institutions, payment systems:
- SunTrust Bank
- Wells Fargo Bank
- Bank Of America
- Key Bank
- PNC Bank
- Fifth Third Bank
- Regions Financial Corporation
- U.S. Bank
- Citibank
- Huntington National Bank
- Chase Manhattan Bank
- Wachovia
- Frost Bank
Injects its code into the following processes:
- explorer.exe
Creates unique identifiers to flag its presence in the system
- <file of source program >a User name%USERNAME%
- aoekqg60
- aoekqg60z
- User name%USERNAME%_vararray
- kladru.dll_gl
Other activities
Runs the following files (commands):
- \" Directory of users' settings%Documents and Settings%\all users\application data\microsoft\aoekqg60z\aoekqg60z.exe\"
- Standard directory for programs installed on Windows OS (usually, C:\Program Files)%Program Files%\Internet Explorer\iexplore.exe
Modifies the system registry keys:
[ System registry hive HKEY_LOCAL_MACHINEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ] "Adobe Reader Speed Launcher" = "" Directory of users' settings%Documents and Settings%\all users\application data\microsoft\aoekqg60z\aoekqg60z.exe" /c " Standard directory for programs installed on Windows OS (usually, C:\Program Files)%Program Files%\adobe\reader 9.0\reader\reader_sl.exe""
Description:
Used to automatically run files when the Windows OS boots
[ System registry hive HKEY_LOCAL_MACHINEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ] "asbea" = "" Directory of users' settings%Documents and Settings%\all users\application data\microsoft\aoekqg60z\aoekqg60z.exe""
Deletes the following files on an infected computer:
- <path to source program><file of source program >
Trojan-PSW programs are designed to steal user account information such as logins and passwords from infected computers. PSW is an acronym of Password Stealing Ware.
When launched, a PSW Trojan searches system files which store a range of confidential data or the registry. If such data is found, the Trojan sends it to its “master.” Email, FTP, the web (including data in a request), or other methods may be used to transit the stolen data.
Some such Trojans also steal registration information for certain software programs.
© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.