TrojanDownloader:Win32/QBundle
First posted on 05 April 2013.
Source: Microsoft
Aliases:
There are no other names known for TrojanDownloader:Win32/QBundle.
Explanation:
Win32/Qbundle consists of three main components: a trojan component that installs the other components; a backdoor component that connects to a remote server and allows backdoor access to and control of your computer; and a downloader component that downloads arbitrary files to your computer.
Installation
Win32/Qbundle may be bundled with legitimate software, or may masquerade as a downloader for legitimate software, such as the Chinese media player Qvod.
Certain variants of Qbundle may drop a copy of itself as the following files:
- %CommonProgramFiles%\rpqsptprdesk.ini
- %CommonProgramFiles%\Tencent\AMGR8888.DLL - detected as Trojan:Win32/Qvod, this file manages the autostart registry and terminates security-related processes
- %CommonProgramFiles%\Tencent\csboybind.au
- %CommonProgramFiles%\Tencent\csboyDVD.dll - this downloads the legitimate Qvod player
- %CommonProgramFiles%\Tencent\csboyTT.dll
- %CommonProgramFiles%\Tencent\svchest.exe
- <startup folder>\winlogon.exe
Certain variants make the following changes to the registry to ensure that the trojan runs each time you start Windows:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: rundll32
With data: "rundll32.exe %appdata%\2WB.tmp,RunServer"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: ttplay
With data: "%ProgramFiles%\Common Files\Tencent\svchest.exe"
The trojan adds itself as a service by making the following changes to the registry, to ensure it runs each time you start your computer:
In subkey: HKLM\SYSTEM\CurrentControlSet\services\diskimage
Sets value: "ImagePath"
With data: "%ProgramFiles%\Common Files\Tencent\AMGR8888.dll"
Qbundle creates the following registry entries under the following key to store its configuration information:
HKCU\SOFTWARE\Intel2011
Sets value: dll
With data: "%appdata%\2WB.tmp"
Sets value: server
With data: "212.20.50.56"
Sets value: port
With data: "443"
Sets value: botid
With data: "ACC0-E9DE"
Sets value: botowner
With data: "amin111"
Some variants create a log file in which to store information about the infection routine:
%APPDATA%\vd_rundll32.exe{random number}.txt
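A read-only triage script for the persistence points and configuration key listed above, added here as an example and not part of the original analysis; it assumes it is run in an elevated PowerShell session on the machine under investigation and only reports what it finds.

```powershell
# Added example: read-only triage of the Win32/Qbundle persistence and
# configuration locations described in this entry. Paths, value names and
# data fragments are those the entry lists; nothing is modified or deleted.

$findings = @()

# Autostart values under the Run keys (HKCU: rundll32, HKLM: ttplay)
$runChecks = @(
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'rundll32'; Hint = '2WB.tmp,RunServer' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'ttplay';   Hint = 'Tencent\svchest.exe' }
)
foreach ($c in $runChecks) {
    $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($v -and $v.($c.Name) -like "*$($c.Hint)*") {
        $findings += "Run value '$($c.Name)' in $($c.Path): $($v.($c.Name))"
    }
}

# Service persistence: 'diskimage' service whose ImagePath points at AMGR8888.dll
$svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\diskimage' -ErrorAction SilentlyContinue
if ($svc -and $svc.ImagePath -like '*AMGR8888.dll*') {
    $findings += "Service 'diskimage' ImagePath: $($svc.ImagePath)"
}

# Configuration key HKCU\SOFTWARE\Intel2011 (dll, server, port, botid, botowner)
$cfg = Get-ItemProperty -Path 'HKCU:\SOFTWARE\Intel2011' -ErrorAction SilentlyContinue
if ($cfg) {
    $fields = 'dll','server','port','botid','botowner' | ForEach-Object { "$_=$($cfg.$_)" }
    $findings += "Config key HKCU\SOFTWARE\Intel2011 present: $($fields -join '; ')"
}

# Dropped files and the infection log (vd_rundll32.exe<number>.txt under %APPDATA%)
$paths = @(
    "$env:CommonProgramFiles\rpqsptprdesk.ini",
    "$env:CommonProgramFiles\Tencent\AMGR8888.DLL",
    "$env:CommonProgramFiles\Tencent\svchest.exe",
    "$([Environment]::GetFolderPath('Startup'))\winlogon.exe"
)
foreach ($p in $paths) { if (Test-Path -LiteralPath $p) { $findings += "File present: $p" } }
Get-ChildItem -Path $env:APPDATA -Filter 'vd_rundll32.exe*.txt' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Infection log: $($_.FullName)" }

if ($findings.Count -eq 0) { 'No Win32/Qbundle indicators from this entry were found.' }
else { $findings | ForEach-Object { "[Qbundle] $_" } }
```

A match on the Intel2011 key alone is a strong signal because the server, port and botid values are the backdoor's own configuration; the Run and service checks use wildcard matches so they also hit when the data is stored with expanded rather than literal environment variables.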
Payload
Allows backdoor access and control
Win32/Qbundle attempts to connect to a server at 212.20.50.56 via port 443, join a channel and wait for commands. Using this backdoor, an attacker can perform a number of actions on an affected computer, for example:
- Download and execute arbitrary files
- Upload files
- Spread to other computers using various methods of propagation
- Log keystrokes or steal sensitive data
- Modify system settings
- Run or terminate applications
- Delete files
Downloads and drops files
When it runs, the downloader component of Win32/Qbundle attempts to download the file "swindll.dll" to your computer.
Some variants attempt to connect to the following servers in order to download files; these files are often detected as password stealers:
Note: The servers from which it downloads these files are no longer available.
The malware will also download a legitimate copy of Qvod in an effort to trick you into thinking it is a legitimate tool.
Stops security-related processes
Some variants of Qbundle stop the following antivirus-related processes from running:
- avp.exe
- KVSrvXP.exe
- RavMond.exe
Additional information
Win32/Qbundle creates a mutex to ensure that only one instance of the trojan runs on your computer at any given time.
Analysis by Alden Pornasdoro
Last update 05 April 2013