Home / malwarePDF  

Backdoor:Win32/Qakbot.gen!C


First posted on 09 May 2013.
Source: Microsoft

Aliases :

Backdoor:Win32/Qakbot.gen!C is also known as Trojan/Win32.Pincav (AhnLab), Trojan.Win32.Pincav.cmuh (Kaspersky), W32/Pincav.AQT (Norman), TR/Rogue.KD.915653 (Avira), Trojan.Win32.Pincav (Ikarus), RDN/Akbot!a (McAfee), Troj/Qakbot-AL (Sophos), W32.Qakbot (Symantec), TROJ_SPNR.14D113 (Trend Micro).

Explanation :



Installation

Backdoor:Win32/Qakbot.gen!C usually has a random file name. It runs automatically every time Windows starts by adding a Run entry in the system registry and by creating a service. The service has the following details:

In subkey: HKLM\SYSTEM\CurrentControlSet\services\<random service name>
Sets value: "ServiceName"
With data: "<random service name>"
Sets value: "DisplayName"
With data: "Remote Procedure Call (RPC) Service"
Sets value: "ServiceType"
With data: "SERVICE_WIN32_OWN_PROCESS"

This trojan might also make a shortcut file in your Startup folder that links back to it.

Spreads via...

Removable drives

This trojan might spread to other computers via removable and shared drives. It spreads a copy of itself that also has a random file name.



Payload

Allows backdoor access and control

This trojan tries to contact the following servers to receive commands from a remote attacker:

  • comenitkrich.net
  • gloveacarusled.org
  • olaum.kiev.ua
  • tebrizmausj.org
  • xuvmtbnz.net
  • zemaucn.org
  • zoas.kiev.ua


Once connected, a remote attacker can command the trojan to do specific actions, like download other files.

Steals information

This trojan contains a DLL file, which it extracts, decrypts, and injects into different processes, such as "explorer.exe", "svchost.exe", and others. The DLL file is stored in %windir%.

This DLL file can do the following:

  • Collect information about your computer
  • Download and run other files
  • Detect what antivirus program you have on your computer
  • Detect whether it is running in a virtual machine
  • Log keystrokes
  • Steal email user names and passwords
  • Steal cookies and certificates
  • Steal online bank account details from the following websites:
    • access.jpmorgan.com
    • accessonline.abnamro.com
    • business-eb.ibanking-services.com
    • businessaccess.citibank.citigroup.com
    • businessbankingcenter.synovus.com
    • businessinternetbanking.synovus.com
    • businessonline.huntington.com
    • businessonline.tdbank.com
    • cashproonline.bankofamerica.com
    • cbs.firstcitizensonline.com
    • chsec.wellsfargo.com
    • commercial.wachovia.com
    • commercial.bnc.ca
    • cpw-achweb.bankofamerica.com
    • ctm.53.com
    • directpay.wellsfargo.com
    • e-moneyger.com
    • each.bremer.com
    • ebanking-services.com
    • express.53.com
    • firstmeritib.com
    • goldleafach.com
    • ibc.klikbca.com
    • iris.sovereignbank.com
    • itreasury.regions.com
    • ktt.key.com
    • moneymanagergps.com
    • netconnect.bokf.com
    • otm.suntrust.com
    • paylinks.cunet.org
    • premierview.membersunited.org
    • securentrycorp.amegybank.com
    • scotiaconnect.scotiabank.com
    • singlepoint.usbank.com
    • treas-mgt.frostbank.com
    • treasury.pncbank.com
    • tssportal.jpmorgan.com
    • web-cashplus.com
    • webexpress.tdbank.com


It can then send the collected information back to a remote server via HTTP or FTP.

Additional information

This trojan connects back to the server in "188.120.239.145" via port 8080 to report its status on your computer.

It might also download and install an Apache server in your computer, likely to turn your computer into an HTTP server.



Analysis by Steven Zhou

Last update 09 May 2013

 

TOP