Virus Characteristics
When executed, this malware drops a copy of itself or other malicious files in the following locations:
- %AllUsersProfile%\qbothome\_qbotinj.exe
- %AllUsersProfile%\qbothome\_qbotnti.exe
- %AllUsersProfile%\qbothome\_qbot.dll
- %Userprofile%\Start Menu\Programs\Startup\startup.bat
Note: %AllUsersProfile% is a variable that specifies the all users' profile folder. By default, this is C:\Documents and Settings\All Users (Windows NT/2000/XP).
The malware creates a mutex with one of the following names to ensure that only one copy of the worm runs on the infected machine:
- ~agbdw28sjhisad3
- ~e5d1417.tmp
- ~e5d141a.tmp
- ~e198ac781b.tmp
- ~e439125sl.tmp
- ~efd9452.tmp
The malware creates the following registry entry to ensure its execution at system startup:
- Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
  {Original Value} = "%AllUsersProfile%\qbothome\_qbotinj.exe" "%AllUsersProfile%\qbothome\_qbot.dll" /c {Original Data}
The existing value name ({Original Value}) is kept; its data is prefixed with the injector and DLL paths, and the original command line ({Original Data}) is passed after /c, so the legitimate program still starts and the hijack is not obvious from the value name alone.
Other variants may create the entry under one of the following keys instead:
- Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
- Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Runonce
Some variants may also register themselves as a service with the service name "_qbotinj" and display name "Windows DNS client".
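The host indicators above (drop paths, mutex names, the hijacked Run value and the service name) can be checked mechanically. The script below is an added example written for this page, not code from the vendor write-up; it matches a constructed host inventory (the `SAMPLE_SNAPSHOT` and `SAMPLE_ENV` values are made up to stand in for data collected from one Windows XP machine) against the indicators quoted from the text, and it recovers the original command line that the malware wrapped in the Run value so an analyst knows which entry to restore.

```python
import re

# Host indicators quoted from the write-up. Environment variables are kept in
# their %VAR% form and expanded against a per-host profile map at scan time.
QBOT_DROP_PATHS = [
    r"%AllUsersProfile%\qbothome\_qbotinj.exe",
    r"%AllUsersProfile%\qbothome\_qbotnti.exe",
    r"%AllUsersProfile%\qbothome\_qbot.dll",
    r"%Userprofile%\Start Menu\Programs\Startup\startup.bat",
]
QBOT_MUTEXES = {
    "~agbdw28sjhisad3", "~e5d1417.tmp", "~e5d141a.tmp",
    "~e198ac781b.tmp", "~e439125sl.tmp", "~efd9452.tmp",
}
QBOT_SERVICE_NAME = "_qbotinj"
QBOT_SERVICE_DISPLAY = "Windows DNS client"

# Shape of the hijacked Run value described in the write-up:
#   "<dir>\_qbotinj.exe" "<dir>\_qbot.dll" /c <original command line>
RUN_VALUE_RE = re.compile(
    r'^"(?P<inj>[^"]*\\_qbotinj\.exe)"\s+"(?P<dll>[^"]*\\_qbot\.dll)"\s+/c\s+(?P<orig>.+)$',
    re.IGNORECASE,
)


def expand_env(path, env):
    """Expand %VAR% tokens using a case-insensitive variable map; unknown
    variables are left untouched."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def parse_hijacked_run_value(data):
    """Return the original command line wrapped by the loader, or None if the
    value does not have the Qbot shape."""
    m = RUN_VALUE_RE.match(data.strip())
    return m.group("orig") if m else None


def scan_host(snapshot, env):
    """Match a host snapshot (files, mutexes, Run values, services) against the
    indicators above and return a list of (indicator_type, detail) findings."""
    findings = []
    wanted_files = {expand_env(p, env).lower() for p in QBOT_DROP_PATHS}
    for path in snapshot["files"]:
        if path.lower() in wanted_files:
            findings.append(("file", path))
    for name in snapshot["mutexes"]:
        if name in QBOT_MUTEXES:
            findings.append(("mutex", name))
    for key, values in snapshot["run_keys"].items():
        for value_name, data in values.items():
            original = parse_hijacked_run_value(data)
            if original is not None:
                findings.append(("run_value", f"{key}\\{value_name} wraps: {original}"))
    for svc in snapshot["services"]:
        if svc["name"].lower() == QBOT_SERVICE_NAME or svc["display"] == QBOT_SERVICE_DISPLAY:
            findings.append(("service", svc["name"]))
    return findings


# Constructed sample data standing in for an inventory pulled from one XP host.
SAMPLE_ENV = {
    "allusersprofile": r"C:\Documents and Settings\All Users",
    "userprofile": r"C:\Documents and Settings\jdoe",
}
SAMPLE_RUN_VALUE = (
    r'"C:\Documents and Settings\All Users\qbothome\_qbotinj.exe" '
    r'"C:\Documents and Settings\All Users\qbothome\_qbot.dll" /c C:\WINDOWS\system32\ctfmon.exe'
)
SAMPLE_SNAPSHOT = {
    "files": [
        r"C:\Documents and Settings\All Users\qbothome\_qbotinj.exe",
        r"C:\Documents and Settings\All Users\qbothome\_qbot.dll",
        r"C:\Documents and Settings\jdoe\Start Menu\Programs\Startup\startup.bat",
        r"C:\WINDOWS\system32\notepad.exe",
    ],
    "mutexes": ["~e5d1417.tmp", "Global\\SomeBenignApp"],
    "run_keys": {
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
            "ctfmon.exe": SAMPLE_RUN_VALUE,
            "Updater": r'"C:\Program Files\Vendor\updater.exe" /background',
        }
    },
    "services": [
        {"name": "_qbotinj", "display": "Windows DNS client"},
        {"name": "Dnscache", "display": "DNS Client"},
    ],
}

if __name__ == "__main__":
    for kind, detail in scan_host(SAMPLE_SNAPSHOT, SAMPLE_ENV):
        print(f"[{kind}] {detail}")
```

The Run-value check is the most useful part: the value name is whatever legitimate entry the malware hijacked, so scanning by name finds nothing, while matching the `"_qbotinj.exe" "_qbot.dll" /c` shape both flags the entry and tells you the original data to put back during cleanup.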
Once installed on a compromised machine, the file runs under the account that executed it. When that account is a domain administrator, the malware binary infects all other machines in the network through network shares: in most cases the compromised domain admin account has access to the admin$ and C$ shares on every workstation.
Note: the trailing '$' marks a hidden administrative network share.
By default, Windows stores a local password hash for every cached logon. Once a domain admin account is compromised, one has to assume that ALL passwords in the entire network are now known to the attacker. This worm also monitors keystrokes, which gives the attacker the compromised user's password far more easily than reversing the cached hashes.
The malware attempts to connect to the following site to receive command instructions from an attacker:
The instructions received could include any of the following actions:
- Get malware install time
- Get malware version
- Get Current/Program Files/Windows directory
- Get IP Address and host name
- Get System Information
- Log keystrokes
- Steal cookies and certificates
- Monitor Favorites and visited URLs
- Steal passwords from Internet Explorer, MSN Messenger, and Outlook
- Steal Autocomplete information
- Download/Upload other files
- Terminate/Execute Files
- Perform FTP commands
- Perform IRC commands
- Remove/Update the copy of itself
This malware may connect to a predefined site that has the format below to download other component files or to update the copy of itself:
- hxxp://[Site]/cgi-bin/jl/jloader.pl?loadfile=q
- hxxp://[Site]/cgi-bin/jl/jloader.pl?loadfile=3d
- hxxp://[Site]/cgi-bin/exhandler3.pl
- hxxp://[Site]/cgi-bin/clientinfo3.pl
- hxxp://[Site]/cgi-bin/jl/jloader.pl?u=u/updates98.cb
- hxxp://[Site]/cgi-bin/jl/jloader.pl?u=u/updates1.cb
- hxxp://[Site]/cgi-bin/jl/jloader.pl?u=u/updates_%s.cb
The updates may be requested as password protected ZIP archives with password "Hello999W0rld777".
The malware could also download other configuration files with filenames such as the following:
- crontab.cb
- updates.cb
- updates1.cb
- updates<RANDOM>_new.cb
- _qbot.cb
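The command-and-control and update URLs above share fixed path and query shapes even though the host ([Site]) varies, which makes them a good fit for proxy-log matching. The following is an added example written for this page, not code from the vendor write-up: it classifies request URLs by the `/cgi-bin/jl/jloader.pl` query parameters, the other CGI paths and the `.cb` configuration filenames listed in the text, then runs that classifier over constructed proxy log lines. The log format (`timestamp client method url status`) and the `qbot-c2.example` host are assumptions made for the sample; the host is a placeholder, not an indicator.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Paths and filenames quoted from the write-up. The C2 host ([Site]) is not
# known, so matching is done on path, query and filename only.
JLOADER_PATH = "/cgi-bin/jl/jloader.pl"
OTHER_CGI_PATHS = {"/cgi-bin/exhandler3.pl", "/cgi-bin/clientinfo3.pl"}
# Covers crontab.cb, updates.cb, updates1.cb, updates98.cb, updates<RANDOM>_new.cb,
# updates_<value>.cb (the %s placeholder in the URL list) and _qbot.cb.
CONFIG_FILE_RE = re.compile(
    r"^(crontab|updates\d*|updates\w*_new|updates_\w+|_qbot)\.cb$", re.IGNORECASE
)


def classify_url(url):
    """Return a verdict string for a Qbot-looking URL, or None for anything else."""
    parts = urlsplit(url)
    path = parts.path
    query = parse_qs(parts.query)
    if path == JLOADER_PATH:
        if "loadfile" in query:
            return f"qbot-loader:loadfile={query['loadfile'][0]}"
        if "u" in query:
            fname = query["u"][0].rsplit("/", 1)[-1]
            if CONFIG_FILE_RE.match(fname):
                return f"qbot-update:{fname}"
            return "qbot-jloader:unrecognised-u"
        return "qbot-jloader"
    if path in OTHER_CGI_PATHS:
        return f"qbot-cgi:{path.rsplit('/', 1)[-1]}"
    fname = path.rsplit("/", 1)[-1]
    if CONFIG_FILE_RE.match(fname):
        return f"qbot-config:{fname}"
    return None


def scan_proxy_log(lines):
    """Scan proxy log lines of the assumed form
    '<timestamp> <client-ip> <method> <url> <status>' and return
    (client_ip, url, verdict) tuples for every matching request."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip it rather than abort the whole scan
        client, url = fields[1], fields[3]
        verdict = classify_url(url)
        if verdict is not None:
            hits.append((client, url, verdict))
    return hits


# Constructed sample log; qbot-c2.example is a placeholder host, not a real indicator.
SAMPLE_LOG = [
    "2009-05-11T10:22:01 10.0.0.12 GET http://qbot-c2.example/cgi-bin/jl/jloader.pl?loadfile=q 200",
    "2009-05-11T10:22:05 10.0.0.12 GET http://qbot-c2.example/cgi-bin/jl/jloader.pl?u=u/updates98.cb 200",
    "2009-05-11T10:22:09 10.0.0.12 POST http://qbot-c2.example/cgi-bin/clientinfo3.pl 200",
    "2009-05-11T10:23:40 10.0.0.37 GET http://www.example.com/index.html 200",
    "2009-05-11T10:24:12 10.0.0.12 GET http://qbot-c2.example/u/updates4a7_new.cb 200",
    "garbage line",
]

if __name__ == "__main__":
    for client, url, verdict in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} {verdict} {url}")
```

Grouping the hits by client address, as the sample output does, turns a handful of URL matches into a list of hosts that need the file, mutex and Run-key checks described earlier; the `loadfile` and `u=` parameters also tell you whether a host only pulled the loader or already fetched an updated `.cb` configuration.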