Trojan-PSW.Win32.Qbot.mk
| Detected | May 27 2010 11:14 GMT |
| Released | May 27 2010 18:10 GMT |
| Published | Jul 02 2010 08:11 GMT |
This Trojan is designed to steal the user's confidential data and to give a remote malicious user access to the victim machine. It is a Windows PE EXE file, approximately 85 kilobytes in size, written in C.
During installation, the malicious program will extract from its body and create the following files:
%allusersprofile%\qbothome\qbotinj.exe
%allusersprofile%\qbothome\qbotnti.exe
%allusersprofile%\qbothome\alias_qbotnti.exe
%allusersprofile%\qbothome\qbot.dll
%allusersprofile%\qbothome\msadvapi32.dll
%allusersprofile%\qbothome\q1.<rnd>
where "<rnd>" stands for a random sequence of digits.
Additional files may also be created in the above folder.
In order to ensure that the Trojan is launched automatically each time the system is rebooted, the Trojan modifies an existing value under the autorun key in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
The value is changed to:
"%allusersprofile%\qbothome\qbotinj.exe" "%allusersprofile%\qbothome\qbot.dll" /c "<original value>"
where "<original value>" is the previous contents of the value. The original command line is preserved as the /c argument, so the program that previously started from that value still launches and the change is not obvious at logon.
The malicious program propagates over the local network by copying its files through the administrative shares (C$ and ADMIN$) of remote computers, into the following locations:
C$\Windows\q.dll
C$\Windows\q1.<rnd>
ADMIN$\q.dll
ADMIN$\q1.<rnd>
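The persistence wrapper and the dropped and propagated file names above can be turned into a host-side check. The following Python is an added example, not part of the original description and not the vendor's own tooling: it parses a Run value of the shape described above and recovers the original command so the value can be restored, and it classifies file paths (local or UNC) against the qbothome drop set and the C$/ADMIN$ copies. The sample Run value and paths are constructed for the example, and the regular expressions and helper names are assumptions of the example.

```python
import re

# Indicators taken from the description: files dropped into
# %allusersprofile%\qbothome and copies pushed to administrative shares.
QBOTHOME_FILES = {
    "qbotinj.exe", "qbotnti.exe", "alias_qbotnti.exe",
    "qbot.dll", "msadvapi32.dll",
}
# q1.<rnd>, where <rnd> is a random run of digits
Q1_RE = re.compile(r"^q1\.\d+$", re.IGNORECASE)

# Run value shape: "<dir>\qbotinj.exe" "<dir>\qbot.dll" /c "<original value>"
RUN_RE = re.compile(
    r'^"(?P<inj>[^"]*\\qbotinj\.exe)"\s+'
    r'"(?P<dll>[^"]*\\qbot\.dll)"\s+/c\s+'
    r'"(?P<orig>.*)"$',
    re.IGNORECASE,
)


def parse_run_value(value):
    """Return (wrapped, original_command).

    wrapped is True when the value matches the Qbot wrapper; the original
    command that the Trojan still executes via /c is returned so it can be
    written back when cleaning the value. Unrecognised values come back
    unchanged with wrapped=False.
    """
    m = RUN_RE.match(value.strip())
    if not m:
        return False, value
    return True, m.group("orig")


def classify_path(path):
    """Label a local or UNC path as 'dropped file', 'share copy' or None."""
    parts = path.replace("/", "\\").split("\\")
    name = parts[-1].lower()
    parent = parts[-2].lower() if len(parts) > 1 else ""
    grandparent = parts[-3].lower() if len(parts) > 2 else ""
    # Stage-one drops under ...\qbothome\
    if parent == "qbothome" and (name in QBOTHOME_FILES or Q1_RE.match(name)):
        return "dropped file"
    # Propagation copies: \\host\C$\Windows\q.dll, \\host\ADMIN$\q1.<rnd>.
    # ADMIN$ is normally the same directory as C$\Windows, so both forms
    # usually point at the same file on disk.
    if name == "q.dll" or Q1_RE.match(name):
        if parent == "admin$" or (parent == "windows" and grandparent == "c$"):
            return "share copy"
    return None


def scan(paths):
    """Return [(path, label)] for every path that matches an indicator."""
    hits = []
    for p in paths:
        label = classify_path(p)
        if label:
            hits.append((p, label))
    return hits


# Constructed sample data for the example (not taken from a real host).
SAMPLE_RUN_VALUE = (
    r'"C:\Documents and Settings\All Users\qbothome\qbotinj.exe" '
    r'"C:\Documents and Settings\All Users\qbothome\qbot.dll" /c '
    r'"C:\Program Files\Example\updater.exe /silent"'
)
SAMPLE_PATHS = [
    r"C:\Documents and Settings\All Users\qbothome\qbotinj.exe",
    r"C:\Documents and Settings\All Users\qbothome\q1.48213",
    r"\\fileserver01\C$\Windows\q.dll",
    r"\\fileserver01\ADMIN$\q1.7719",
    r"C:\Windows\System32\advapi32.dll",            # legitimate, not an indicator
    r"\\fileserver01\C$\Windows\System32\q.dll",    # wrong directory, not an indicator
]

if __name__ == "__main__":
    wrapped, original = parse_run_value(SAMPLE_RUN_VALUE)
    print("Run value wrapped by Qbot:", wrapped)
    print("Original command to restore:", original)
    for path, label in scan(SAMPLE_PATHS):
        print(f"{label:13} {path}")
```

When cleaning a live host, restore the recovered original command to the Run value rather than deleting the value, otherwise the legitimate program that was wrapped stops starting; and note that the legitimate advapi32.dll in System32 is deliberately not matched, only the msadvapi32.dll copy inside qbothome.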
After launching, the malicious program regularly downloads and analyzes several configuration files from the following addresses:
http://www.cdcdcdcdc2121cdsf***.com/crontab.cb
http://www.cdcdcdcdc2121cds**fd.com/updates.cb
http://www.cdcdcdcdc2121c**fdfd.com/updates1.cb
http://www.cdcdcdcdc**21cdsfdfd.com/_qbot.cb
The malicious program's main function is to intercept the credentials entered in the web forms used to access online banking systems of such banks as:
In addition, the malicious program is capable of stealing the following information:
The program also uses the configuration file to obtain the address of an IRC (Internet Relay Chat) server and the channel on it which the cybercriminal subsequently uses to control the infected computer.
The cybercriminal can use IRC to gain access to the computer’s file system, as well as to install and run other malicious software on the computer. The attacker can also send a command that removes the malicious program from the computer.
The program regularly downloads updates from the following address:
http://nt0***.cn/cgi-bin/jl/jlo**der.pl
It also sends the attacker the following data: computer name, IP address, geographic location, operating system version and system time. The data is sent to the following address:
http://boogie****ekid.com/cgi-bin/cli**tinfo3.pl
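The configuration and update fetches above give a path-based network indicator: the hostnames on this page are masked and such domains are replaced often, but the configuration file names (crontab.cb, updates.cb, updates1.cb, _qbot.cb) and the /cgi-bin/jl/ prefix of the update script are given in full. The Python below is an added example, not the page's own material or vendor code: it runs that match over constructed proxy log lines in a simple "<time> <client> <method> <url>" format and reports which clients made two or more matching requests. The log format, the hostnames and the script name in the sample are invented for the example.

```python
from urllib.parse import urlsplit

# Configuration file names the description gives in full. The hostnames are
# masked on the page, so the match keys on the request path, not the domain.
CONFIG_FILES = {"crontab.cb", "updates.cb", "updates1.cb", "_qbot.cb"}
# Updates come from a Perl script under /cgi-bin/jl/ whose name is masked.
UPDATE_PREFIX = "/cgi-bin/jl/"

# Constructed proxy log (not real traffic): "<epoch> <client> <method> <url>".
# Domains and the script name are placeholders invented for this example.
SAMPLE_LOG = """\
1275000001.101 10.0.5.23 GET http://www.example-c2-a.test/crontab.cb
1275000002.442 10.0.5.23 GET http://www.example-c2-b.test/updates.cb
1275000003.004 10.0.5.41 GET http://cdn.example.org/updates.css
1275000004.310 10.0.5.23 GET http://www.example-c2-c.test/_qbot.cb
1275000005.777 10.0.5.88 POST http://www.example-legit.test/cgi-bin/search.pl
1275000006.120 10.0.5.23 GET http://example-host.test/cgi-bin/jl/example.pl
"""


def classify_url(url):
    """Return 'config download', 'update download' or None for a URL."""
    path = urlsplit(url).path
    name = path.rsplit("/", 1)[-1].lower()
    # The .cb files sit directly under the web root on the page's addresses.
    if name in CONFIG_FILES and path.count("/") == 1:
        return "config download"
    if path.lower().startswith(UPDATE_PREFIX) and name.endswith(".pl"):
        return "update download"
    return None


def hunt(log_text):
    """Return [(client, host, label)] for every log line that matches."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line, skip rather than crash the hunt
        _ts, client, _method, url = fields[:4]
        label = classify_url(url)
        if label:
            hits.append((client, urlsplit(url).hostname, label))
    return hits


def suspect_clients(hits, min_hits=2):
    """Clients with at least min_hits matching requests, sorted."""
    counts = {}
    for client, _host, _label in hits:
        counts[client] = counts.get(client, 0) + 1
    return sorted(c for c, n in counts.items() if n >= min_hits)


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for client, host, label in found:
        print(f"{client:12} {label:16} {host}")
    print("clients to isolate:", suspect_clients(found))
    # The hostnames collected here are what goes into the proxy blocklist;
    # the path match is what keeps working after the domains rotate.
```

Requiring two or more hits per client is a tuning choice: a single request for a file called updates.cb is unusual but not conclusive, while the regular polling the description mentions produces repeated hits from the same host within a short window.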
Trojan-PSW programs are designed to steal user account information such as logins and passwords from infected computers. PSW is an acronym of Password Stealing Ware.
When launched, a PSW Trojan searches the system files or registry locations in which confidential data is stored. If such data is found, the Trojan sends it to its "master." Email, FTP, the web (including data embedded in a request), or other methods may be used to transmit the stolen data.
Some such Trojans also steal registration information for certain software programs.