Bangkok--18 May--BitDefender
Steals bank account information and instant messenger credentials while downloading further malware onto the compromised computer
Backdoor.Qakbot.H is a complex piece of malware (with worm, downloader and Trojan components) that spreads through peer-to-peer network shares and removable drives. Once on the system, it creates a backdoor and starts downloading additional malicious files while snatching critical private information. All it takes is for an unsuspecting user to click a malicious link on an infected webpage, and the malware immediately lands on their computer. The infected executable bears the icon of a shared folder, which lets the worm hide in plain sight and increases the chances that a user will click on it and run the file.
Removable drives are also infection vectors for this piece of code. initialization file and the packed DLL it drops from its resources. It ensures that it runs at every startup by duplicating a randomly chosen legitimate value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, with the copy pointing to itself. The variant we analyzed points to C:\Documents and Settings\All Users\Application Data\Microsoft\uooeum6.exe. Furthermore, Backdoor.Qakbot.H installs a hook procedure meant to monitor messages posted to a message queue.
Qakbot then injects into explorer.exe a piece of code that is later used to create new processes. This is common practice among malware authors, as it lets them conceal spawned processes as children of explorer.exe. The Trojan creates the following processes: iexplore.exe, outlook.exe, firefox.exe, opera.exe, skype.exe, msnmsgr.exe, yahoomessenger.exe, chrome.exe and msmsgs.exe; these are permanently monitored by a watchdog thread, and if one of them is terminated, the malware re-launches it.
This piece of malware has a great deal of features:
- update or uninstall the malware
- steal passwords typed in the most popular browsers, such as Internet Explorer, Firefox, Chrome and Opera
- steal login details from mail clients (Outlook Express) and instant messaging and VoIP applications (Skype, MSN Messenger, Yahoo! Messenger)
- steal cookies
- download files from FTP servers and run them locally
- join IRC servers (a must-have feature for building botnets)
- monitor a considerably lengthy list of e-banking sites
- download further malware onto the infected computer from a list of servers it comes equipped with
On top of all this, Backdoor.Qakbot.H denies access to Windows updates and attempts to kill any antivirus service it finds installed locally. To protect itself from removal tools or manual disinfection, it also blocks any connection to online scanning services. In this way it takes every precaution to remain undiscovered and carry out its tasks.
Since Qakbot injects into Internet Explorer the code it needs to download files from the Internet, its network traffic will likely bypass the restrictions of some firewalls, which may keep it functional in a corporate environment. If an Internet connection is available, Qakbot will try to send its C&C server the following details about the infected computer:
Once the job is done, the dropper deletes itself through a .bat file; however, copies of itself remain running from the Application Data folder.
This article is based on the technical information provided courtesy of Doina Cosovan, BitDefender Virus Analyst.
Yours truly
For more information please contact: Sakuna Prasertsri Marketing Manager BitDefender (Thailand) http://bitdefender.th.apnw.net or Tel : 02-982-3355 # 114,081-916-4671.