Follow:

 

Backdoor:Win32/Qakbot.gen!C


Backdoor:Win32/Qakbot.gen!C is a trojan backdoor that connects to a remote server, allowing an attacker to access your computer. It can steal confidential information, such as your online banking details and email user names and passwords.

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:

This threat tries to steal sensitive and confidential information from affected users to perpetrate fraud. If you believe that your personal financial information may have been compromised, please refer to the following advisory for additional advice:

It may also steal your information by recording your user names and passwords. After removal of the threat you should change your passwords. Please refer to the following advisory for tips on how to create and use passwords:

Please also refer to the following advisory for additional advice:



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:

This threat tries to steal sensitive and confidential information from affected users to perpetrate fraud. If you believe that your personal financial information may have been compromised, please refer to the following advisory for additional advice:

It may also steal your information by recording your user names and passwords. After removal of the threat you should change your passwords. Please refer to the following advisory for tips on how to create and use passwords:

Please also refer to the following advisory for additional advice:

Threat behavior

Installation

Backdoor:Win32/Qakbot.gen!C usually has a random file name. It runs automatically every time Windows starts by adding a Run entry in the system registry and by creating a service. The service has the following details:

In subkey: HKLM\SYSTEM\CurrentControlSet\services\<random service name>
Sets value: "ServiceName"
With data: "<random service name>"
Sets value: "DisplayName"
With data: "Remote Procedure Call (RPC) Service"
Sets value: "ServiceType"
With data: "SERVICE_WIN32_OWN_PROCESS"

This trojan might also make a shortcut file in your Startup folder that links back to it.

Spreads via...

Removable drives

This trojan might spread to other computers via removable and shared drives. It spreads a copy of itself that also has a random file name.

Payload

Allows backdoor access and control

This trojan tries to contact the following servers to receive commands from a remote attacker:

  • comenitkrich.net
  • gloveacarusled.org
  • olaum.kiev.ua
  • tebrizmausj.org
  • xuvmtbnz.net
  • zemaucn.org
  • zoas.kiev.ua

Once connected, a remote attacker can command the trojan to do specific actions, like download other files.

Steals information

This trojan contains a DLL file, which it extracts, decrypts, and injects into different processes, such as "explorer.exe", "svchost.exe", and others. The DLL file is stored in %windir%.

This DLL file can do the following:

  • Collect information about your computer
  • Download and run other files
  • Detect what antivirus program you have on your computer
  • Detect whether it is running in a virtual machine
  • Log keystrokes
  • Steal email user names and passwords
  • Steal cookies and certificates
  • Steal online bank account details from the following websites:
    • access.jpmorgan.com
    • accessonline.abnamro.com
    • business-eb.ibanking-services.com
    • businessaccess.citibank.citigroup.com
    • businessbankingcenter.synovus.com
    • businessinternetbanking.synovus.com
    • businessonline.huntington.com
    • businessonline.tdbank.com
    • cashproonline.bankofamerica.com
    • cbs.firstcitizensonline.com
    • chsec.wellsfargo.com
    • commercial.wachovia.com
    • commercial.bnc.ca
    • cpw-achweb.bankofamerica.com
    • ctm.53.com
    • directpay.wellsfargo.com
    • e-moneyger.com
    • each.bremer.com
    • ebanking-services.com
    • express.53.com
    • firstmeritib.com
    • goldleafach.com
    • ibc.klikbca.com
    • iris.sovereignbank.com
    • itreasury.regions.com
    • ktt.key.com
    • moneymanagergps.com
    • netconnect.bokf.com
    • otm.suntrust.com
    • paylinks.cunet.org
    • premierview.membersunited.org
    • securentrycorp.amegybank.com
    • scotiaconnect.scotiabank.com
    • singlepoint.usbank.com
    • treas-mgt.frostbank.com
    • treasury.pncbank.com
    • tssportal.jpmorgan.com
    • web-cashplus.com
    • webexpress.tdbank.com

It can then send the collected information back to a remote server via HTTP or FTP.

Additional information

This trojan connects back to the server in "188.120.239.145" via port 8080 to report its status on your computer.

It might also download and install an Apache server in your computer, likely to turn your computer into an HTTP server.

Analysis by Steven Zhou


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following registry modification:

    In subkey: HKLM\SYSTEM\CurrentControlSet\services\<random service name>
    Sets value: "ServiceName"
    With data: "<random service name>"
    Sets value: "DisplayName"
    With data: "Remote Procedure Call (RPC) Service"
    Sets value: "ServiceType"
    With data: "SERVICE_WIN32_OWN_PROCESS"


Prevention


Alert level: Severe
First detected by definition: 1.111.1771.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Sep 08, 2011
This entry was first published on: Mar 29, 2013
This entry was updated on: May 08, 2013

This threat is also detected as:
  • Trojan/Win32.Pincav (AhnLab)
  • Trojan.Win32.Pincav.cmuh (Kaspersky)
  • W32/Pincav.AQT (Norman)
  • TR/Rogue.KD.915653 (Avira)
  • Trojan.Win32.Pincav (Ikarus)
  • RDN/Akbot!a (McAfee)
  • Troj/Qakbot-AL (Sophos)
  • W32.Qakbot (Symantec)
  • TROJ_SPNR.14D113 (Trend Micro)