Backdoor:Win32/Qakbot.gen!A


Backdoor:Win32/Qakbot.gen!A is a generic detection for a trojan backdoor that connects to a remote server, allowing an attacker to access the infected system. By allowing remote access, this backdoor trojan can perform several actions including stealing information and logging user keystrokes. Some variants of this malware may attempt to spread to open shares across a network, including the default shares C$ and Admin$.


What to do now

Manual removal is not recommended for this threat. Use Microsoft Security Essentials or another up-to-date scanning and removal tool to detect and remove this threat and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.
 
Recovering from recurring infections on a network
The following additional steps may need to be taken to completely remove this threat from an infected network, and to stop infections from recurring from this and other similar types of network-spreading malware:
 
  1. Ensure that an antivirus product is installed on ALL machines connected to the network that can access or host shares (see above for further detail).
  2. Ensure that all available network shares are scanned with an up-to-date antivirus product.
  3. Restrict permissions as appropriate for network shares on your network. For more information on simple access control, please see: http://technet.microsoft.com/library/bb456977.aspx.
  4. Remove any unnecessary network shares or mapped drives.
 
Note: Additionally, it may be necessary to temporarily change the permissions on network shares to read-only until the disinfection process is complete.

Threat behavior

Installation
Backdoor:Win32/Qakbot.gen!A may be downloaded and installed by other malware. It may be hosted on a number of malicious domains as the following file:
 
<site>/cgi-bin/jl/jloader.pl?u=u/_qbotinj.exe
 
where <site> is the malicious domain.
 
Upon execution, it creates the mutex '_qbot.*' to ensure that only one instance of itself is currently running. Backdoor:Win32/Qakbot.gen!A creates the following files, which are all detected as Backdoor:Win32/Qakbot.gen!A:
  • %ALLUSERSPROFILE%\qbothome\qbotinj.exe
  • %ALLUSERSPROFILE%\qbothome\qbotnti.exe
  • %ALLUSERSPROFILE%\qbothome\qbot.dll
  • %ALLUSERSPROFILE%\qbothome\q1.<number>
 
The registry is commonly modified to execute one of the backdoor components at each Windows start, for example:
 
Modifies value: "<program name>"
With data: ""%ALLUSERSPROFILE%\qbothome\qbotinj.exe" "%ALLUSERSPROFILE%\qbothome\qbot.dll" /c "<program data>""
To subkey: HKLM\Microsoft\Windows\CurrentVersion\Run
 
where <program name> is the name of a legitimate program and <program data> is the legitimate data for that particular program in the registry. The malware also creates a batch script that points to the installed copy of Win32/Qakbot, at the following location:
 
%USERPROFILE%\Start Menu\Programs\Startup\startup.bat
 
When Windows starts, the file 'startup.bat' executes Win32/Qakbot.
Payload
Performs backdoor functionality
Backdoor:Win32/Qakbot.gen!A attempts to connect to a remote server to receive command instructions from an attacker. Commands could include any of the following actions:
  • Log keystrokes
  • Get the host's IP address and name
  • Steal cookies and certificates
  • Monitor Favorites and visited URLs
  • Steal passwords from Internet Explorer, MSN Messenger, and Outlook
  • Steal Autocomplete information
 
Some of the observed domains this backdoor connects to are 'w1.webinspector.biz' and 'cdcdcdcdc2121cdsfdfd.com'.
 
Downloads Malware
Win32/Qakbot attempts to download additional files or updates from predefined remote servers. Updates may be requested as password protected ZIP archives. In the wild, this trojan was observed to request an update as "qa.zip" from a malicious site. The malware also downloads configuration files with filenames such as the following:
 
crontab.cb
updates.cb
updates1.cb
updates<random>_new.cb
_qbot.cb
 
Analysis by Huzefa Mogri

Symptoms

System Changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    %ALLUSERSPROFILE%\qbothome\qbotinj.exe
    %ALLUSERSPROFILE%\qbothome\qbotnti.exe
    %ALLUSERSPROFILE%\qbothome\qbot.dll
  • The presence of the following registry modification:
    Modified value: "<program name>"
    With data: ""%ALLUSERSPROFILE%\qbothome\qbotinj.exe" "%ALLUSERSPROFILE%\qbothome\qbot.dll" /c "<program data>""
    To subkey: HKLM\Microsoft\Windows\CurrentVersion\Run
    where <program name> is the name of a legitimate program and <program data> is the legitimate data for that particular program in the registry.
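The following script is an added example for defenders and is not part of the original Microsoft encyclopedia entry. It turns the installation details above (the Run-value layout that wraps a legitimate program's command line in `"...\qbothome\qbotinj.exe" "...\qbothome\qbot.dll" /c "<program data>"`) and the Symptoms list into a host check: it parses Run-key values for that layout and recovers the original program data so the legitimate value can be restored, and it looks for the listed files under %ALLUSERSPROFILE%\qbothome. The function names and the sample Run values are constructed for illustration; the full path HKLM\Software\Microsoft\Windows\CurrentVersion\Run is used for the live check because that is where the Run key lives (the entry abbreviates it).

```python
"""Added example, not code from the original entry: check a Windows host
for the Qakbot symptoms listed in the entry.  Function names and the
SAMPLE_RUN_VALUES below are constructed for illustration."""
import os
import re
import sys

# Files the entry lists under %ALLUSERSPROFILE%\qbothome (from the entry).
QBOT_FILES = ("qbotinj.exe", "qbotnti.exe", "qbot.dll")

# Startup batch file the entry describes (from the entry).
STARTUP_BAT = os.path.join("Start Menu", "Programs", "Startup", "startup.bat")

# Run value layout from the entry:
#   "<...>\qbothome\qbotinj.exe" "<...>\qbothome\qbot.dll" /c "<program data>"
# The last group captures the hijacked program's original command line.
RUN_VALUE_RE = re.compile(
    r'^"(?P<inj>[^"]*\\qbothome\\qbotinj\.exe)"\s+'
    r'"(?P<dll>[^"]*\\qbothome\\qbot\.dll)"\s+/c\s+"(?P<orig>.*)"$',
    re.IGNORECASE,
)

# Constructed sample Run-key values: one clean, one hijacked as described.
SAMPLE_RUN_VALUES = [
    ("ctfmon.exe", "CTFMON.EXE"),
    ("ExampleUpdater",
     r'"C:\Documents and Settings\All Users\qbothome\qbotinj.exe" '
     r'"C:\Documents and Settings\All Users\qbothome\qbot.dll" '
     r'/c "C:\Program Files\Example\updater.exe /background"'),
]


def parse_run_value(data):
    """Return the original program data if `data` has the hijacked Run-value
    layout from the entry, otherwise None."""
    m = RUN_VALUE_RE.match(data.strip())
    return m.group("orig") if m else None


def scan_run_values(values):
    """values: iterable of (value_name, data) pairs from a Run key.
    Returns [(value_name, original_program_data), ...] for each value that
    carries the qbotinj.exe / qbot.dll loader pattern.  The original data
    is what an operator restores after removing the malware."""
    hits = []
    for name, data in values:
        orig = parse_run_value(data)
        if orig is not None:
            hits.append((name, orig))
    return hits


def present_qbot_files(all_users_profile, names=QBOT_FILES):
    """Return the subset of `names` that exist under <profile>\\qbothome."""
    qbothome = os.path.join(all_users_profile, "qbothome")
    return [n for n in names if os.path.isfile(os.path.join(qbothome, n))]


def check_host():
    """Live check of the real registry and file system.  Windows only;
    returns None elsewhere so the parsing helpers stay testable anywhere."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library on Windows only
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    values = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once the value index runs out
                break
            values.append((name, str(data)))
            index += 1
    user_profile = os.environ.get("USERPROFILE", "")
    return {
        "run_hijacks": scan_run_values(values),
        "files": present_qbot_files(os.environ.get("ALLUSERSPROFILE", "")),
        "startup_bat": os.path.isfile(os.path.join(user_profile, STARTUP_BAT)),
    }


if __name__ == "__main__":
    print("sample hijacks:", scan_run_values(SAMPLE_RUN_VALUES))
    print("live host:", check_host())
```

On a clean host `check_host()` returns an empty hijack list, an empty file list and `False` for the startup batch file; any hit should be handled by a full scan with an up-to-date product as the entry recommends, with the recovered program data used to put the legitimate Run value back afterwards.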

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: May 21, 2009
This entry was updated on: May 14, 2010

This threat is also detected as:
  • TrojanSpy:Win32/Botinok (other)
  • Trojan.Spy.Shoe.B (BitDefender)
  • Win32/Qakbot!generic (CA)
  • Trojan-Spy.Win32.Botinok.a (Kaspersky)
  • W32/Pinkslipbot (McAfee)
  • Mal/Qbot-B (Sophos)
  • W32.Qakbot (Symantec)
  • Backdoor.QBot.F (VirusBuster)
  • Backdoor:Win32/Qbot.A (other)