
Qakbot

Posted: May 22, 2009

W32.Qakbot is a worm that spreads through resources shared on a network. Once Qakbot nestles into your computer, the worm may then steal personal information (think Outlook, FTP logins, keystrokes typed, sites visited, etc.), download more badware onto your PC, and allow a hacker to access your system. Remove immediately.

Aliases

BKDR_QAKBOT.AF [Trend]

File System Modifications

  • The following files were created in the system:
    # File Name
    1 _qbot.cb
    2 _qbot.dll
    3 _qbotinj.exe
    4 C:\Documents And Settings\All Users\_qbothome
    5 C:\Documents And Settings\All Users\_qbothome\_installed
    6 C:\Documents And Settings\All Users\_qbothome\_qbotnti.exe
    7 C:\Documents And Settings\All Users\_qbothome\msadvapi32.dll
    8 C:\Documents And Settings\All Users\_qbothome\uninstall.tmp
    9 C:\Documents And Settings\All Users\_qbothome\~e198ac781b.tmp
    10 C:\Documents And Settings\All Users\_qbothome\~e439125sl.tmp
    11 C:\Documents And Settings\All Users\_qbothome\~e5d1417.tmp
    12 C:\Documents And Settings\All Users\_qbothome\~e5d141a.tmp
    13 C:\Documents And Settings\All Users\_qbothome\~efd9452.tmp
    14 crontab.cb
    15 updates.cb

Registry Modifications

  • The following Registry Values were newly created:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[Name of Legit Program*]" = "\"C:\Documents And Settings\All Users\_qbothome\_qbotinj.exe\" \"C:\Documents And Settings\All Users\_qbothome\_qbot.dll\" /c [Legit Program File Path*]"
    * "Name of Legit Program" and "Legit Program File Path" refer to an existing, legitimate application on your PC that the worm has chosen at random.
