
TrojanDownloader:Win32/QBundle


First posted on 05 April 2013.
Source: Microsoft

Aliases:

There are no other names known for TrojanDownloader:Win32/QBundle.

Explanation:

Win32/Qbundle consists of three main components: a trojan component that installs various components; a backdoor component that connects to a remote server and allows backdoor access to, and control of, your computer; and a downloader component that downloads arbitrary files to your computer.



Installation

Win32/Qbundle may be bundled with legitimate software, or may masquerade as a downloader for legitimate software, such as the Chinese media player Qvod.

Certain variants of Qbundle may drop a copy of itself as the following files:

  • %CommonProgramFiles%\rpqsptprdesk.ini
  • %CommonProgramFiles%\Tencent\AMGR8888.DLL - detected as Trojan:Win32/Qvod, this file manages the autostart registry and terminates security-related processes
  • %CommonProgramFiles%\Tencent\csboybind.au
  • %CommonProgramFiles%\Tencent\csboyDVD.dll - this downloads the legitimate Qvod player
  • %CommonProgramFiles%\Tencent\csboyTT.dll
  • %CommonProgramFiles%\Tencent\svchest.exe
  • <startup folder>\winlogon.exe


Certain variants make the following changes to the registry, to ensure that it will run each time you start Windows:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: rundll32
With data: "rundll32.exe %appdata\2WB.tmp,RunServer"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: ttplay
With data: "%ProgramFiles%\Common Files\Tencent\svchest.exe"

The trojan adds itself as a service by making the following changes to the registry, to ensure it runs each time you start your computer:

In subkey: HKLM\SYSTEM\CurrentControlSet\services\diskimage
Sets value: "ImagePath"
With data: "%ProgramFiles%\Common Files\Tencent\AMGR8888.dll"

Qbundle creates the following registry entries under the following key to store its configuration information:

HKCU\SOFTWARE\Intel2011
Sets value: dll
With data: "%appdata\2WB.tmp"
Sets value: server
With data: "212.20.50.56"
Sets value: port
With data: "443"
Sets value: botid
With data: "ACC0-E9DE"
Sets value: botowner
With data: "amin111"

Some variants create a log file in which they store information about the infection routine:

%APPDATA%\vd_rundll32.exe{random number}.txt
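As an added example that is not part of the original Microsoft description, the following Python script parses a Windows .reg export and flags the Run entries, the diskimage service and the HKCU\SOFTWARE\Intel2011 configuration key listed above. The export text is constructed for the example; the `%appdata%` spelling and the drive paths in it are assumptions.

```python
import re

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
# Constructed .reg export (not from the original analysis) with the entries described above.
SAMPLE_REG_EXPORT = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rundll32"="rundll32.exe %appdata%\\2WB.tmp,RunServer"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ttplay"="C:\\Program Files\\Common Files\\Tencent\\svchest.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\diskimage]
"ImagePath"="C:\\Program Files\\Common Files\\Tencent\\AMGR8888.dll"
[HKEY_CURRENT_USER\SOFTWARE\Intel2011]
"server"="212.20.50.56"
"port"="443"
"botid"="ACC0-E9DE"
'''

def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}} (REG_SZ values only)."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if key_match := _KEY_RE.match(line):
            current = key_match.group(1)
            keys.setdefault(current, {})
        elif current is not None and (value_match := _VALUE_RE.match(line)):
            name, data = value_match.groups()
            keys[current][name] = data.replace('\\\\', '\\')  # undo .reg escaping
    return keys

def scan_reg_export(text):
    """Flag the Qbundle Run entries, diskimage service and Intel2011 config key."""
    findings = []
    for key, values in parse_reg_export(text).items():
        k = key.lower()
        if k.endswith(r'\currentversion\run'):
            for name, data in values.items():
                d = data.lower()
                if '2wb.tmp' in d and 'runserver' in d:
                    findings.append(f'{key}\\{name}: rundll32 loads 2WB.tmp,RunServer')
                elif d.endswith(r'\tencent\svchest.exe'):
                    findings.append(f'{key}\\{name}: autostart of Tencent\\svchest.exe')
        elif k.endswith(r'\services\diskimage'):
            if values.get('ImagePath', '').lower().endswith('amgr8888.dll'):
                findings.append(f'{key}: service ImagePath is AMGR8888.dll')
        elif k.endswith(r'\software\intel2011'):
            cfg = ', '.join(f'{n}={values[n]}' for n in ('server', 'port', 'botid') if n in values)
            findings.append(f'{key}: bot configuration present ({cfg})')
    return findings
```

Running `scan_reg_export` over an export taken with `reg export` of the HKCU and HKLM hives returns one finding per matching entry; an empty list means none of the listed indicators is present.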



Payload

Allows backdoor access and control

Win32/Qbundle attempts to connect to a server at 212.20.50.56 via port 443, join a channel and wait for commands. Using this backdoor, an attacker can perform a number of actions on an affected computer. For example, an attacker may be able to perform the following actions:

  • Download and execute arbitrary files
  • Upload files
  • Spread to other computers using various methods of propagation
  • Log keystrokes or steal sensitive data
  • Modify system settings
  • Run or terminate applications
  • Delete files


Downloads and drops files

When it runs, the downloader component of Win32/Qbundle attempts to download the file "swindll.dll" to your computer.

Some variants attempt to connect to the following servers in order to download files; these files are often detected as password stealers:



Note: The servers from which it downloads these files are no longer available.

The malware will also download a legitimate copy of Qvod in an effort to trick you into thinking it is a legitimate tool.

Stops security-related processes

Some variants of Qbundle stop the following antivirus-related processes from running:

  • avp.exe
  • KVSrvXP.exe
  • RavMond.exe

Additional information

Win32/Qbundle creates a mutex to ensure that only one instance of the trojan runs on your computer at any given time.



Analysis by Alden Pornasdoro

Last update 05 April 2013
