Remove W32.Qakbot

Posted on: May 11th, 2009


Discovered: May 7, 2009
Updated: May 7, 2009 11:35:45 AM
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

Recommended Action:
In order to remove W32.Qakbot you need to download the 'No Adware' remover software. Based on our testing this was the best performing remover of W32.Qakbot.


Technical Details:

It has been reported that the following malicious JavaScript may exploit certain
vulnerabilities and download the threat onto the compromised computer:
[http://]b.rtbn2.cn/E/[REMOVED]

The above script exploits the following vulnerabilities:

* Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness
(BID 10514)
* Apple QuickTime RTSP URI Remote Buffer Overflow Vulnerability (BID 21829)

The exploit code then downloads the threat from the following location and executes it:
[http://]a.rtbn2.cn

When the threat is executed, it downloads a password-protected .zip file from the
following server:
[http://]a.rtbn2.cn/cgi-bin/jl/jload[REMOVED]

The .zip file contains the following updated files:

* _qbot.dll
* _qbotinj.exe

It also contains the following configuration files:

* _qbot.cb
* crontab.cb
* updates.cb

The above files are extracted to the following location:
C:\Documents And Settings\All Users\_qbothome

Next, the worm creates the following registry entry so that it executes whenever
Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[LEGITIMATE APPLICATION NAME]" = "\"C:\Documents And Settings\All Users\_qbothome\_qbotinj.exe\" \"C:\Documents And Settings\All Users\_qbothome\_qbot.dll\" /c [PATH TO LEGITIMATE APPLICATION]"

Note: [LEGITIMATE APPLICATION NAME] is a legitimate program that already
exists on the computer and is chosen randomly by the threat.
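Because the Run value is registered under a randomly chosen legitimate application name, the value name is useless for detection; the shape of the command line (injector, DLL, /c, hijacked application path) is what to look for. The following detection routine is an added example, not code from the advisory or its vendor; the Run-key dump it scans is constructed, and only the _qbothome directory and component names come from the advisory.

```python
"""Flag Run-key values shaped like the W32.Qakbot launcher entry (added example)."""
import re
from typing import Optional

# Drop directory and component names as given in the advisory.
QBOT_HOME = r"c:\documents and settings\all users\_qbothome"
INJECTOR = "_qbotinj.exe"
PAYLOAD_DLL = "_qbot.dll"


def split_windows_cmdline(cmd: str) -> list:
    """Tokenise a Windows command line: quoted paths stay whole, quotes are stripped."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmd)]


def classify_run_value(data: str) -> Optional[dict]:
    """Return match details if the value data looks like the Qakbot entry, else None."""
    argv = split_windows_cmdline(data)
    if len(argv) < 4:
        return None
    # Expected layout: "<dir>\_qbotinj.exe" "<dir>\_qbot.dll" /c <legitimate app path>
    exe, dll, flag, target = argv[0], argv[1], argv[2], " ".join(argv[3:])
    if flag.lower() != "/c":
        return None
    exe_hit = exe.lower().endswith("\\" + INJECTOR)
    dll_hit = dll.lower().endswith("\\" + PAYLOAD_DLL)
    same_dir = exe.lower().rsplit("\\", 1)[0] == dll.lower().rsplit("\\", 1)[0]
    if not (exe_hit and dll_hit and same_dir):
        return None
    return {"injector": exe, "dll": dll, "hijacked_app": target,
            "in_qbothome": exe.lower().startswith(QBOT_HOME)}


def scan_run_key(values: dict) -> list:
    """Return the names of Run values whose data matches the launcher pattern."""
    return [name for name, data in values.items() if classify_run_value(data)]


# Constructed Run-key dump: one benign entry and one shaped like the advisory's entry.
SAMPLE_RUN_KEY = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "Adobe Reader Speed Launcher": (
        r'"C:\Documents And Settings\All Users\_qbothome\_qbotinj.exe" '
        r'"C:\Documents And Settings\All Users\_qbothome\_qbot.dll" '
        r'/c C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe'
    ),
}

if __name__ == "__main__":
    for name in scan_run_key(SAMPLE_RUN_KEY):
        print("suspicious Run value:", name, classify_run_value(SAMPLE_RUN_KEY[name]))
```

On a live host the dump would come from HKLM\...\CurrentVersion\Run (and the HKCU equivalent) rather than the constructed dictionary.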

It then injects a component of itself into the iexplore.exe process.

The worm attempts to steal the following information:

* DNS, IP, hostname
* Outlook account
* Cookie
* Keystrokes
* URLs visited
* FTP server, account and password
* IRC server, account and password

It then connects to the following server to check for an Internet connection:

http://www.cdcdcdcdc2121cdsfdfd.com

Next, the worm notifies the malware author of the infection by accessing the following
URL:
[http://]w1.webinspector.biz/cgi-bin/jl/jload[REMOVED]

It also contacts the following servers in order to obtain updated versions of itself
and configuration files, and to send stolen information:

* [http://]a.rtbn2.cn/cgi-bin/jl/jload[REMOVED]
* [http://]c.rtbn2.cn/cgi-bin/jl/jload[REMOVED]
* [http://]adserv.co.in/u/updat[REMOVED]

The worm may receive a command from a remote attacker to enumerate network
resources. If any resources are found, the worm copies itself to the shared folder.

It may also download and create the following files:

* C:\Documents And Settings\All Users\_qbothome\~e5d1417.tmp
* C:\Documents And Settings\All Users\_qbothome\~e5d141a.tmp
* C:\Documents And Settings\All Users\_qbothome\~e198ac781b.tmp
* C:\Documents And Settings\All Users\_qbothome\~e439125sl.tmp
* C:\Documents And Settings\All Users\_qbothome\~efd9452.tmp
* C:\Documents And Settings\All Users\_qbothome\_installed
* C:\Documents And Settings\All Users\_qbothome\msadvapi32.dll
* C:\Documents And Settings\All Users\_qbothome\_qbotnti.exe
* C:\Documents And Settings\All Users\_qbothome\uninstall.tmp
