%allusersprofile%\qbothome\qbotinj.exe
%allusersprofile%\qbothome\qbotnti.exe
%allusersprofile%\qbothome\alias_qbotnti.exe
%allusersprofile%\qbothome\qbot.dll
%allusersprofile%\qbothome\msadvapi32.dll
%allusersprofile%\qbothome\q1.
where the part after q1. is a sequence of random digits. The same files are also created in other directories. In addition, the Trojan edits the following Registry key so that it is started automatically when the system boots:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
The original value of the key is rewritten as:
"%allusersprofile%\qbothome\qbotinj.exe" "%allusersprofile%\qbothome\qbot.dll" /c ""
where the last quoted argument is the original value of the key.
How it spreads
The Trojan has a self-replication mechanism and spreads to other computers on the same network by copying itself to the following directories or drives:
C$\Windows\q.dll
C$\Windows\q1.
ADMIN$\q.dll
ADMIN$\q1.
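As an added defender-side example (not code from the original article), the following Python triage helper checks Run-key values for the wrapping pattern described above and restores the original value, and matches file names against the dropped-file and share-copy lists above. The exact quoting of the hijacked Run value and the sample Run-key entries are assumptions constructed for this example.

```python
import re
from typing import NamedTuple, Optional

# Reconstructed shape of a Run value after the Trojan wraps it (exact quoting is
# an assumption): "<dir>\qbothome\qbotinj.exe" "<dir>\qbothome\qbot.dll" /c "<original>"
HIJACK_RE = re.compile(
    r'^\s*"(?P<loader>[^"]*\\qbothome\\[^"\\]*\.exe)"\s+'
    r'"(?P<dll>[^"]*\\qbothome\\[^"\\]*\.dll)"\s+/c\s+"(?P<original>.*)"\s*$',
    re.IGNORECASE,
)

# File names the article lists as dropped locally or copied to C$ / ADMIN$;
# q1.\d+ covers the random-digit extension.
DROP_NAME_RE = re.compile(
    r'(?:^|\\)(?:qbotinj\.exe|qbotnti\.exe|alias_qbotnti\.exe|qbot\.dll|'
    r'msadvapi32\.dll|q\.dll|q1\.\d+)$',
    re.IGNORECASE,
)

class Finding(NamedTuple):
    value_name: str
    loader: str
    dll: str
    original: str

def inspect_run_value(value_name: str, command: str) -> Optional[Finding]:
    """Return a Finding if this Run value is a wrapped original, else None."""
    m = HIJACK_RE.match(command)
    return Finding(value_name, m["loader"], m["dll"], m["original"]) if m else None

def triage_run_key(entries: dict) -> tuple:
    """Scan a Run key (value name -> command). Returns the findings and a copy
    of the key in which each wrapped command is replaced by its original."""
    findings, restored = [], {}
    for name, command in entries.items():
        f = inspect_run_value(name, command)
        findings += [f] if f else []
        restored[name] = f.original if f else command
    return findings, restored

def is_drop_path(path: str) -> bool:
    """True if the file name is one the article lists as dropped or spread."""
    return DROP_NAME_RE.search(path) is not None

# Constructed sample Run key with one hijacked value (not real telemetry).
SAMPLE_RUN_KEY = {
    "SecurityHealth": r'"%allusersprofile%\qbothome\qbotinj.exe" "%allusersprofile%\qbothome\qbot.dll" /c "%ProgramFiles%\Windows Defender\MSASCuiL.exe"',
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}
```

Calling triage_run_key(SAMPLE_RUN_KEY) reports the SecurityHealth entry as hijacked and returns a restored mapping in which that entry is the original command again.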
Payload
After successfully penetrating a system, the Trojan analyses it and downloads configuration files from the following addresses:
http://www.cdcdcdcdc2121cdsf***.com/crontab.cb
http://www.cdcdcdcdc2121cds**fd.com/updates.cb
http://www.cdcdcdcdc2121c**fdfd.com/updates1.cb
http://www.cdcdcdcdc**21cdsfdfd.com/_qbot.cb
Its main function is to capture and store everything users enter into forms on websites, for example online banking, account and payment systems such as Wells Fargo Bank, Bank of America, Key Bank, PNC Bank, Fifth Third Bank and Regions Financial Corporation.
To do this, it injects its dynamic-link library (qbot.dll) into the iexplore.exe process (Internet Explorer).
It also steals the following information and data:
- Microsoft Outlook account information
- MSN user names and passwords
- Identification information for websites
- Data stored in cookies
- Authentication information in the form of digital signatures
Using the hacker's account or e-mail address listed in the previously downloaded configuration files, it sends the stolen information to the hacker's server.
Trojan-PSW.Win32.Qbot.mk also uses these configuration files to obtain the address and channel number of an IRC (Internet Relay Chat) server, which the hackers use as a fallback method to control infected computers. Through IRC, the hackers can access files inside the computer and install and run other malicious code, or remove the malware from the computer with a single command to avoid detection by security software.
Trojan-PSW.Win32.Qbot.mk updates are usually downloaded from the following address:
http://nt0***.cn/cgi-bin/jl/jlo**der.pl
At the same time, it collects and sends system-specific information such as host name, IP address, geographical location, operating system version, and system date and time. This information is sent via:
http://boogie****ekid.com/cgi-bin/cli**tinfo3.pl