Backdoor:Win32/Qakbot.gen!C usually has a random file name. It runs automatically every time Windows starts by adding a Run entry in the system registry and by creating a service. The service has the following details:
In subkey: HKLM\SYSTEM\CurrentControlSet\services\<random service name>
Sets value: "ServiceName"
With data: "<random service name>"
Sets value: "DisplayName"
With data: "Remote Procedure Call (RPC) Service"
Sets value: "ServiceType"
With data: "SERVICE_WIN32_OWN_PROCESS"
This trojan might also make a shortcut file in your Startup folder that links back to it.
This trojan might spread to other computers via removable and shared drives. It spreads a copy of itself that also has a random file name.
Allows backdoor access and control
This trojan tries to contact the following servers to receive commands from a remote attacker:
Once connected, a remote attacker can command the trojan to do specific actions, like download other files.
This trojan contains a DLL file, which it extracts, decrypts, and injects into different processes, such as "explorer.exe", "svchost.exe", and others. The DLL file is stored in %windir%.
This DLL file can do the following:
- Collect information about your computer
- Download and run other files
- Detect what antivirus program you have on your computer
- Detect whether it is running in a virtual machine
- Log keystrokes
- Steal email user names and passwords
- Steal cookies and certificates
- Steal online bank account details from the following websites:
It can then send the collected information back to a remote server via HTTP or FTP.
This trojan connects back to the server in "22.214.171.124" via port 8080 to report its status on your computer.
It might also download and install an Apache server in your computer, likely to turn your computer into an HTTP server.
Analysis by Steven Zhou