Description of the Trojan-PSW.Win32.Qbot.mk sample

QuanTriMang.com - Classified as Trojan-PSW: malware whose purpose is to steal personal information, in particular the account logins and passwords found on the infected computer. PSW stands for Password Stealing Ware.

Once running, a Trojan-PSW searches the system files and registry keys in which credentials are commonly stored. When it finds matching data it sends it to the operator behind the malware by email, FTP, a web request or any other convenient channel. Some related Trojans also steal software registration (licence) data.

Trojan-PSW.Win32.Qbot.mk, also detected as Trojan-Downloader.Win32.Piker.cjs, is the name under which Kaspersky detects and classifies this sample.

The sample was first detected on May 27, 2010 at 11:14 GMT; detection was released the same day at 18:10 GMT; the detailed analysis was published on July 2, 2010 at 08:11 GMT.

Detailed technical analysis

Besides its main task of stealing account information, it also gives the attacker a foothold from which to control the victim's computer. The sample is a Windows PE executable (.exe) of about 85 KB, written in C.

On installation it drops the following files, extracted from its own body:

%allusersprofile%\qbothome\qbotinj.exe
%allusersprofile%\qbothome\qbotnti.exe
%allusersprofile%\qbothome\alias_qbotnti.exe
%allusersprofile%\qbothome\qbot.dll
%allusersprofile%\qbothome\msadvapi32.dll
%allusersprofile%\qbothome\q1.<rnd>

where <rnd> is a sequence of random digits. Copies of the same files are also written to other directories. To run at every system start it modifies the following Registry key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

It rewrites the value of an existing entry under that key so that the original command is launched through its injector:

"%allusersprofile%\qbothome\qbotinj.exe" "%allusersprofile%\qbothome\qbot.dll" /c "<orig>"

where <orig> is the original value of the entry.
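The persistence trick above is easy to miss in a Run-key review because every entry still looks like a known program launched with extra arguments. The following script is an added example (not from the article or from Kaspersky) that recognises values rewritten in that layout and recovers the original command so the entry can be restored. It assumes the exact quoting shown above; the sample Run-key values, names and program paths are constructed for illustration.

```python
# Added example (not from the article or from Kaspersky): detect Run-key values
# rewritten in the layout described above and recover the original command.
import re
from typing import Dict, Optional

# Layout of a hijacked value:
#   "<dir>\qbotinj.exe" "<dir>\qbot.dll" /c "<orig>"
# The quotes around <orig> are treated as optional so that an entry whose
# original value had no quotes is still recognised.
HIJACK_RE = re.compile(
    r'^\s*"(?P<injector>[^"]*\\qbotinj\.exe)"\s+'
    r'"(?P<dll>[^"]*\\qbot\.dll)"\s+/c\s+"?(?P<orig>.*?)"?\s*$',
    re.IGNORECASE,
)


def recover_original(value: str) -> Optional[str]:
    """Return the wrapped original command if `value` is a hijacked entry, else None."""
    m = HIJACK_RE.match(value)
    return m.group("orig") if m else None


def triage_run_entries(entries: Dict[str, str]) -> Dict[str, str]:
    """Map each hijacked entry name to the command its value should be restored to."""
    restored = {}
    for name, value in entries.items():
        orig = recover_original(value)
        if orig is not None:
            restored[name] = orig
    return restored


# Constructed sample of Run-key values (names and paths are invented for
# illustration). The first entry shows the edge case of an original command
# that already contained quotes: the inner quotes survive, so the recovered
# value can be written back as-is.
SAMPLE_RUN_KEY = {
    "Example Updater": (
        r'"%allusersprofile%\qbothome\qbotinj.exe" '
        r'"%allusersprofile%\qbothome\qbot.dll" /c '
        r'""C:\Program Files\Example\updater.exe" /background"'
    ),
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "Tray Helper": r'"C:\Program Files\Example\tray.exe"',
}

if __name__ == "__main__":
    for name, orig in triage_run_entries(SAMPLE_RUN_KEY).items():
        print(f"{name}: hijacked, restore to {orig}")
```

Feed it the values exported from the Run key of a suspect machine (for example from a `reg export` file) and restore each flagged entry to the recovered command only after the dropped files have been removed, otherwise the injector is simply relaunched from another entry.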

Propagation

It spreads to other computers on the same network by copying itself to their administrative shares, under the following paths:

C$\Windows\q.dll
C$\Windows\q1.<rnd>
ADMIN$\q.dll
ADMIN$\q1.<rnd>
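The dropped-file list and the share-copy list above give a small set of path indicators, with the random-digit suffix being the only variable part. The script below is an added example (not from the article) that turns both lists into patterns and runs them over a file listing, matching on the path tail so that the `%allusersprofile%` prefix, a local `C:\Windows\...` path and a `\\host\C$\Windows\...` UNC path are all handled. The sample listing, hostnames and digit sequences are constructed.

```python
# Added example (not from the article): match file paths from a host listing
# against the drop locations and share-copy paths given above. <rnd> stands for
# the random digit sequence; %allusersprofile% is stripped so the match is on
# the path tail, which also covers \\host\C$\... UNC forms.
import re
from typing import Dict, List, Optional, Tuple

IOCS = [
    r"%allusersprofile%\qbothome\qbotinj.exe",
    r"%allusersprofile%\qbothome\qbotnti.exe",
    r"%allusersprofile%\qbothome\qbot.dll",
    r"%allusersprofile%\qbothome\msadvapi32.dll",
    r"%allusersprofile%\qbothome\q1.<rnd>",
    r"C$\Windows\q.dll",
    r"C$\Windows\q1.<rnd>",
    r"ADMIN$\q.dll",
    r"ADMIN$\q1.<rnd>",
]


def ioc_to_regex(ioc: str) -> re.Pattern:
    """Compile one IOC path into a case-insensitive suffix pattern."""
    tail = re.sub(r"^%[^%]+%\\", "", ioc)            # drop a leading %VAR%\
    pattern = r"\d+".join(re.escape(p) for p in tail.split("<rnd>"))
    # A share path like C$\Windows\... is the same file as C:\Windows\... when
    # viewed locally, so accept either form of the drive prefix.
    pattern = re.sub(r"^([A-Za-z])\\\$", r"\1[:$]", pattern)
    return re.compile(r"(?:^|\\)" + pattern + r"$", re.IGNORECASE)


COMPILED: List[Tuple[str, re.Pattern]] = [(ioc, ioc_to_regex(ioc)) for ioc in IOCS]


def match_ioc(path: str) -> Optional[str]:
    """Return the IOC that `path` matches, or None."""
    for ioc, rx in COMPILED:
        if rx.search(path):
            return ioc
    return None


def scan_paths(paths: List[str]) -> Dict[str, str]:
    """Map each matching path in `paths` to the IOC it triggered."""
    hits = {}
    for p in paths:
        ioc = match_ioc(p)
        if ioc:
            hits[p] = ioc
    return hits


# Constructed sample listing (hostnames and the random digits are invented).
SAMPLE_LISTING = [
    r"C:\Documents and Settings\All Users\qbothome\qbotinj.exe",
    r"C:\Documents and Settings\All Users\qbothome\q1.4831",
    r"C:\WINDOWS\system32\advapi32.dll",   # legitimate; must not match msadvapi32.dll
    r"C:\WINDOWS\q.dll",                   # local view of C$\Windows\q.dll
    r"\\WS-07\ADMIN$\q1.20513",            # copy pushed to a neighbour's admin share
]

if __name__ == "__main__":
    for path, ioc in scan_paths(SAMPLE_LISTING).items():
        print(f"{path}  <-  {ioc}")
```

Note that `msadvapi32.dll` is deliberately named to resemble the legitimate `advapi32.dll`; matching on the full tail `qbothome\msadvapi32.dll` rather than a bare file name keeps the system DLL out of the results.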

Payload

Once installed, it downloads and parses configuration files from the following addresses:

http://www.cdcdcdcdc2121cdsf***.com/crontab.cb
http://www.cdcdcdcdc2121cds**fd.com/updates.cb
http://www.cdcdcdcdc2121c**fdfd.com/updates1.cb
http://www.cdcdcdcdc**21cdsfdfd.com/_qbot.cb

Its main function is to capture and store the data users enter into web forms, in particular those of online banking and payment systems such as Wells Fargo Bank, Bank of America, Key Bank, PNC Bank, Fifth Third Bank and Regions Financial Corporation.

To do this it injects its dynamic-link library (qbot.dll) into the address space of the iexplore.exe process (Internet Explorer).

It also steals the following data:
- Microsoft Outlook accounts
- MSN usernames and passwords
- Website authentication data
- Data stored in cookies
- Authentication data in the form of digital certificates

The stolen data is sent to the attacker's server using the account or address listed in the previously downloaded configuration files.

Trojan-PSW.Win32.Qbot.mk also reads the address and channel of an IRC (Internet Relay Chat) server from the same configuration files; the attacker uses it as a fallback channel for controlling infected machines. Over IRC the attacker can access files on the system, install and run additional malicious code, or remove the malware from the machine with a single command to avoid detection by security software.

Trojan-PSW.Win32.Qbot.mk updates are usually downloaded from the following address:

http://nt0***.cn/cgi-bin/jl/jlo**der.pl

At the same time it collects and reports machine-specific information: hostname, IP address, geographic location, operating system version, and system date and time. This is sent to:

http://boogie****ekid.com/cgi-bin/cli**tinfo3.pl
