Microsoft security software detects and removes this threat.
This malware family can give a malicious hacker access to and control of your PC. They can then steal your sensitive information.

What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Be careful when sharing files

Windows has a feature that lets you share files and folders on a network or shared PC. This feature is sometimes abused by malware to spread to other PCs within the network.

You can get more information and tips on how to share files safely from these pages:

You should turn off file sharing until you make sure that all infected PCs have been cleaned of any malware.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Win32/Qakbot is a multi-component family of malware that allows unauthorized access and control of an affected computer. By allowing remote access, this backdoor trojan can perform several actions including stealing sensitive information. Some variants of this malware may attempt to spread to open shares across a network, including the default shares C$ and Admin$.
Win32/Qakbot can infect a computer through a number of exploit-based attacks or by being downloaded and installed by other malware. In the wild, we have observed Win32/Qakbot being hosted on a number of malicious websites that attempt to exploit vulnerabilities in Adobe Flash.
We have observed the following hosts being used to install Win32/Qakbot:
Using these hosts, Qakbot downloads an installer which then downloads more components. The installer downloads an archive package, which is decrypted and installed by the installer.
Older variants of Qakbot used the following file names for their components:
  • msadvapi32.dll
  • _qbot.cb
  • _qbotinj.exe
  • _qbot.dll
  • _qbotnti.exe
  • seclog.txt
  • si.txt
  • ps_dump
  • qa.bin
More recent variants alias these files to randomly generated file names, for example:
  • msadvapi32.dll=voxivm94cw.dll
  • _qbot.cb=voxivm9.dll
  • _qbotinj.exe=voxivm94.exe
  • _qbot.dll=voxivm94.dll
  • _qbotnti.exe=voxivm94lx.exe
  • seclog.txt=voxivm.dll
  • si.txt=ibggih
  • ps_dump=yamy
  • qa.bin=axnrkeg
  • nbs=ziqotf
These randomly generated file names differ on each machine on which the malware is installed. The file names are built around a randomized root, with additional randomized characters based on information stolen from the affected PC.
Once installed, Qakbot replaces existing registry data found in subkey "HKLM\Microsoft\Windows\CurrentVersion\Run" so that the malware runs at each Windows start. The malware prepends itself to a previously existing entry.
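A triage check for the Run key behaviour described above, written as an added example (it is not Microsoft's detection logic). It assumes a prepended entry appears as two program paths in one value, which this page does not specify; the sample values, value names and C:\Example paths are constructed.

```python
import re

# Component names of older variants, as listed on this page.
LEGACY_NAMES = {"msadvapi32.dll", "_qbot.cb", "_qbotinj.exe", "_qbot.dll",
                "_qbotnti.exe", "seclog.txt", "si.txt", "ps_dump", "qa.bin"}

# A quoted path, or an unquoted drive-letter path, ending in a program extension.
PROGRAM_RE = re.compile(
    r'"([^"]+?\.(?:exe|com|scr|bat|cmd))"'
    r'|([A-Za-z]:\\[^"]*?\.(?:exe|com|scr|bat|cmd))(?=\s|$)',
    re.IGNORECASE)

def programs_in(command):
    """Return every program path found in one Run value's command string."""
    return [quoted or bare for quoted, bare in PROGRAM_RE.findall(command)]

def review_run_values(values):
    """values maps Run value names to command strings (for example parsed
    from a `reg export` of the key). Returns {name: [reasons]} for the
    entries that deserve a manual look."""
    findings = {}
    for name, command in values.items():
        reasons = []
        programs = programs_in(command)
        if len(programs) > 1:  # assumed shape of a prepended entry
            reasons.append("multiple programs: " + " | ".join(programs))
        # Compare path components against the older, fixed file names.
        tokens = set(re.split(r'[\\"\s,]+', command.lower()))
        for hit in sorted(tokens & LEGACY_NAMES):
            reasons.append("legacy component name: " + hit)
        if reasons:
            findings[name] = reasons
    return findings

# Constructed sample values; paths and value names are illustrative only.
SAMPLE = {
    "SecurityHealth": r'C:\Windows\system32\SecurityHealthSystray.exe',
    "Updater": r'"C:\Program Files\Acme\updater.exe" /tray',
    "AcmeTray": r'"C:\Example\voxivm94.exe" "C:\Program Files\Acme\tray.exe" /min',
    "OldStyle": r'C:\Example\_qbotinj.exe',
}

if __name__ == "__main__":
    for name, reasons in review_run_values(SAMPLE).items():
        print(name, "->", "; ".join(reasons))
```

Because recent variants hide the registry entry with a rootkit, run a check like this against Run values exported from an offline copy of the hive rather than from the live system. A flagged value is a lead for manual review, not a verdict.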
Spreads via…
Network shares
Win32/Qakbot might try to spread to open shares across a network, including the default shares C$ and Admin$.
Allows backdoor access and control
Win32/Qakbot may connect to a remote server in order to receive commands from a remote attacker. Commands could include any of the following actions:
  • Log keystrokes
  • Get the host's IP address and name
  • Steal cookies and certificates
  • Monitor Favorites and visited URLs
  • Steal passwords from Internet Explorer, MSN Messenger, and Outlook
  • Steal Autocomplete information
  • Download and install updates
  • Upload stolen data to an FTP server
Performs stealth
Recent variants of Win32/Qakbot employ a rootkit that hooks various APIs and hides the Qakbot installation directory and files, as well as the registry entry that loads the malware.
Additional information

Download the Qakbot family threat report for more information.

Analysis by Dan Kurc


Alerts from your security software may be the only symptom.


Alert level: Low
This entry was first published on: Dec 09, 2010
This entry was updated on: Nov 26, 2014

This threat is also detected as:
  • Trojan.Win32.Bzud (Kaspersky)
  • Trojan-PSW.Win32.Qbot (Kaspersky)
  • W32/Pinkslipbot (McAfee)
  • Bck/QBot (Panda)
  • Mal/Qbot (Sophos)
  • W32.Qakbot (Symantec)
  • TSPY_QAKBOT (Trend Micro)
  • Backdoor.Qakbot (VirusBuster)