Backdoor:Win32/Qakbot.gen!A is a generic detection for a trojan backdoor that connects to a remote server, allowing an attacker to access the infected system. By allowing remote access, this backdoor trojan can perform several actions including stealing information and logging user keystrokes. Some variants of this malware may attempt to spread to open shares across a network, including the default shares C$ and Admin$.
Backdoor:Win32/Qakbot.gen!A may be downloaded and installed by other malware. It may be hosted on a number of malicious domains as the following file:
where <site> is the malicious domain.
Upon execution, it creates the mutex '_qbot.*' to ensure that only one instance of itself is currently running. Backdoor:Win32/Qakbot.gen!A creates the following files, which are all detected as Backdoor:Win32/Qakbot.gen!A:
The malware commonly modifies the registry so that one of its backdoor components runs at each Windows start. It does this by hijacking an existing Run value for a legitimate program, for example:
Modifies value: "<program name>"
With data: ""%ALLUSERSPROFILE%\qbothome\qbotinj.exe" "%ALLUSERSPROFILE%\qbothome\qbot.dll" /c "<program data>""
To subkey: HKLM\Microsoft\Windows\CurrentVersion\Run
where <program name> is the name of a legitimate program and <program data> is the original registry data for that program, which is passed back through the "/c" switch so the legitimate program still runs. The malware also creates a batch script that points to the installed copy of Win32/Qakbot, as the following:
When Windows starts, the file 'startup.bat' executes Win32/Qakbot.
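The hijacked Run value described above has a fixed shape: "<dir>\qbotinj.exe" "<dir>\qbot.dll" /c "<original command line>". The following added offline triage helper (example code, not from the encyclopedia entry or any Microsoft tool) inspects an exported Run key, flags values with that shape and recovers the wrapped original command so the value can be restored; the key export and program names are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Shape of the hijacked Run value described on this page:
#   "<dir>\qbotinj.exe" "<dir>\qbot.dll" /c "<original program command line>"
# The original command line is captured so a responder can restore the value.
WRAPPER_RE = re.compile(
    r'^\s*"(?P<injector>[^"]*\\qbotinj\.exe)"\s+'
    r'"(?P<dll>[^"]*\\qbot\.dll)"\s+'
    r'/c\s+"(?P<original>.*)"\s*$',
    re.IGNORECASE,
)

@dataclass
class Finding:
    value_name: str     # Run value that was hijacked (a legitimate program's name)
    injector: str       # path of the injector executable
    dll: str            # path of the injected DLL
    original: str       # command line that was wrapped, to be restored

def inspect_run_value(value_name: str, data: str) -> Optional[Finding]:
    """Return a Finding if `data` has the Qakbot injector wrapper shape, else None."""
    m = WRAPPER_RE.match(data)
    if not m:
        return None
    return Finding(value_name, m["injector"], m["dll"], m["original"])

def triage_run_key(values: Dict[str, str]) -> List[Finding]:
    """Inspect every value of a Run key export given as {value name: data}."""
    findings = []
    for name, data in values.items():
        finding = inspect_run_value(name, data)
        if finding:
            findings.append(finding)
    return findings

# Constructed sample export of HKLM\...\CurrentVersion\Run (not real host data).
# "ExampleUpdater" shows the wrapper; note the nested quotes around the original command.
SAMPLE_RUN_KEY = {
    "ExampleTray": r'"C:\Program Files\Example\tray.exe"',
    "ExampleUpdater": (r'"%ALLUSERSPROFILE%\qbothome\qbotinj.exe" '
                       r'"%ALLUSERSPROFILE%\qbothome\qbot.dll" /c '
                       r'""C:\Program Files\Example\updater.exe" /background"'),
}

if __name__ == "__main__":
    for f in triage_run_key(SAMPLE_RUN_KEY):
        print(f"hijacked Run value {f.value_name!r}: injects {f.dll}; restore data to {f.original}")
```

On a live host the same check applies to both the HKLM and HKCU Run keys, and the %ALLUSERSPROFILE% paths should be expanded before the files are collected for analysis.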
Performs backdoor functionality
Backdoor:Win32/Qakbot.gen!A attempts to connect to a remote server to receive command instructions from an attacker. Commands could include any of the following actions:
- Log keystrokes
- Get the host's IP address and name
- Steal cookies and certificates
- Monitor Favorites and visited URLs
- Steal passwords from Internet Explorer, MSN Messenger, and Outlook
- Steal Autocomplete information
Some of the observed domains this backdoor connects to are 'w1.webinspector.biz' and 'cdcdcdcdc2121cdsfdfd.com'.
Win32/Qakbot attempts to download additional files or updates from predefined remote servers. Updates may be requested as password protected ZIP archives. In the wild, this trojan was observed to request an update as "qa.zip" from a malicious site. The malware also downloads configuration files with filenames such as the following:
Analysis by Huzefa Mogri