Home
Tech info
Technology
Science
Life
Application
Electric
Program
Mobile
Windows 10
Windows 11Description of template Trojan-PSW.Win32.Qbot.mk
QuanTriMang.com - Classified as Trojan-PSW - for the purpose of stealing personal information, accounts include user login and password of access on the infected computer. PSW is an acronym for Password Stealing Ware .
When activated on the computer, the Trojan PSW will search all system files that can store the registry credentials or keys. If such data patterns are found, they will immediately send to the driver's account behind via email, FTP, website or any other suitable form. Some types of similar Trojans also steal user registration software registration information.
Trojan-PSW.Win32.Qbot.mk , also known as Trojan-Downloader.Win32.Piker.cjs - are all detected and classified by Kaspersky.
They were first discovered on May 27, 2010 at 11:14 GMT, beginning on the same day - May 27, 2010 at 18:10 GMT, but until July 2, 2010 - 08: 11 GMT, the detailed analysis information will be published.
Detailed technical analysis
Outside of the main task of stealing user account information, they also act as a bridge to hackers to hack and control the victim's computer. In essence, they are Windows PE files in * .exe format, with an average capacity of about 85 kilobytes and their source code set written in C language.
In the process of entering computers, they will produce the following files from the inner body:
% allusersprofile% qbothomeqbotinj.exe
% allusersprofile% qbothomeqbotnti.exe
% allusersprofile% qbothomealias_qbotnti.exe
% allusersprofile% qbothomeqbot.dll
% allusersprofile% qbothomemsadvapi32.dll
% allusersprofile% qbothomeq1.
with is a sequence of random digits. And those files are also created in external directories. Besides, they edit the following Registry key to automatically activate when the system starts:
[HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun]
And the original registry key will be converted to:
""% allusersprofile% qbothome
qbotinj.exe ""% allusersprofile% qbothomeqbot.dll "/ c" "
with is the original value of the key.
The process of spread
They have self-replication mechanisms and spread through computers in the same network by copying themselves through the following directories or drives:
C $ Windowsq.dll
C $ Windowsq1.
ADMIN $ q.dll
ADMIN $ q1.
Payload method
After successful penetration, they will conduct analysis and download configuration files from the following addresses:
http:///www.cdcdcdcdc2121cdsf***.com/crontab.cb
http:///www.cdcdcdcdc2121cds**fd.com/updates.cb
http:///www.cdcdcdcdc2121c**fdfd.com/updates1.cb
http:///www.cdcdcdcdc**21cdsfdfd.com/_qbot.cb
Their main function is to collect and store all information when users declare on the forms available on the website, for example, online banking, accounts and payment systems such as Wells Fargo Bank , Bank Of America, Key Bank, PNC Bank, Fifth Third Bank, Regions Financial Corporation .
At this point, they can insert dynamic link libraries - dynamic-link library (qbot.dll) into empty addresses of iexplore.exe process (Internet Explorer browser).
On the other hand, they also steal the following information and data:
- Microsoft Outlook account
- MSN username and password
- Identify information of websites
- Data stored in Cookie
- Confirmed information in the form of digital signatures
Through the hacker's account or email listed in the previously downloaded configuration files, they will send the stolen information to the hacker's server.
Besides, Trojan-PSW.Win32.Qbot.mk also uses the above configuration files to get the address and channel number of IRC server (Internet Relay Chat) - used by hackers as a preventive method to control Control the infected computers. In fact, hackers use IRC to assign access to system files inside the computer, install and activate other types of malicious code. Or they can remove the malicious code from the computer with just one command - to avoid being detected by security programs.
Trojan-PSW.Win32.Qbot.mk updates are usually downloaded from the following address:
http:///nt0***.cn/cgi-bin/jl/jlo**der.pl
Simultaneously with this process, they will collect and send computer-specific information such as hostname, IP address, geographical location, operating system versions, date and system time . and information This information will be sent via:
http:///boogie****ekid.com/cgi-bin/cli**tinfo3.pl
David PacYou should read it
- Kaspersky's free support security utilities
- Trojan-Downloader.Win32.Agent.mee
- Description of template Trojan.Win32.Oficla.w
- Trojan-Downloader_Win32_Agent.nmi
- Trojan-PSW.Win32.OnLineGames.rlh
- Instructions to remove Safesoft Trojan (WIN32.Zafi.B virus)
- Description of Trojan-Banker.Win32.Banz.cri template
- Learn about the Trojan.Win32.FraudPack.bkhe template
- Trojan-Dropper.Win32.Agent.albv
- What is Trojan Dropper?
- Vietnam ranked 8th in the rate of virus infection
- Hidden Trojan alerts in MP3 music files
Maybe you are interested
What information can your ISP see when you turn on a VPN?
How to set up personal safety information on Android
What information does a VPN hide? How does it protect your data?
Instructions for changing and editing music file information using 3uTools
Detecting a new ransomware strain that specializes in stealing login information from the Chrome browser
Meta 'death' of CrowdTangle, tool to track false information
Description of Trojan-Banker.Win32.Banz.cri template
Description of template Trojan.Win32.Oficla.w
Virus spread through Yahoo! Messenger back
Virus alerts call for downloading sex videos in email
People infected with computer viruses!
Germany: Buy Samsung Wave to be 'promoted' malicious code