Virus Characteristics
This is Trojan detection for a Bredolab variant.
When executed, this malware drops the following files:
- %UserDirectory%\qbothome\_qbotinj.exe
- %UserDirectory%\qbothome\_qbotnti.exe
- %UserDirectory%\qbothome\_qbot.dll
- %UserDirectory%\Start Menu\Programs\Startup\startup.bat
- %Root%\Tasks\*.job
(Where %UserDirectory% is the name of a user's home directory and %Root% is the root directory such as C:\)
Once the file is installed on a compromised machine, it will be owned by a domain admin account. Once the domain admin account is compromised the malware binary infects all other machines in the network by “Network Shares”. In most cases, the compromised machine will have the “admin$” and “C$” network shares on all the workstations and a compromised domain admin account.
Note : [‘$’ stands for network sharing]
By default, windows stores a local password hash for every cached login. Once a domain admin account is compromised, one has to assume that ALL passwords are now known for the entire network to the attacker. This worm also monitors keystrokes, which is easier than reversing the hashes to know the password of the compromised user to the attacker.
The malware may also attempt to download the following files:
- q2l.exe
- iedw.exe
- si.txt
- seclog.txt
- _qbotnti.exe
- _qbotinj.exe
- nbl.txt
- removeme.txt
- irclog.txt
The following registry entry is created to allow itself to run at startup:
- Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
{Original Value} = "%UserDirectory%\qbothome\_qbotinj.exe"
"%UserDirectory%\qbothome\_qbot.dll" /c {Original Data}
Connections may be made with the following domains:
- hxxp://www.cdcdcdcdc2121cdsfdfd.com
- hxxp://nt202.cn
- hxxp://nt010.cn
- hxxp://nt002.cn
- hxxp://up002.cn
- hxxp://adserv.co.in
- hxxp://zurnretail.com/cgi-bin/clientinfo3.pl
- hxxp://hostrmeter.com
- hxxp://hotbar.com