W32/Pinkslipbot

Type
Virus
SubType
Worm
Discovery Date
01/08/2007
Length
Varies
Minimum DAT
4934 (01/08/2007)
Updated DAT
6051 (07/22/2010)
Minimum Engine
5.3.00
Description Added
01/08/2007
Description Modified
06/10/2010 4:01 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

-- Updated on June 10, 2010 ----

Aliases

  • Kaspersky  - Trojan-Downloader.Win32.Piker.ckt
  • Microsoft   - Backdoor:Win32/Qakbot
  • NOD32    - Win32/Qbot.AO
  • Symantec  - W32.Qakbot

When executed, the worm copies itself into the following location:

  • %Appdata%\microsoft\kxviad\kxviad.exe

It also drops the following files:

  • %Appdata%\Microsoft\kxviad\q1.19181 [Detected as W32/Pinkslipbot]
  • %Appdata%\Microsoft\kxviad\q1.20997 [Detected as W32/Pinkslipbot]
  • %Appdata%\Microsoft\kxviad\q1.22006 [Detected as W32/Pinkslipbot]
  • %Appdata%\Microsoft\kxviad\kxvia.dll

The following registry value is added:

  • HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run
    "ctfmon" = "%Appdata%\microsoft\kxviad\kxviad.exe"

This entry makes the bot run every time Windows starts. The value name borrows that of ctfmon.exe, the legitimate Windows text-services loader, so it does not stand out in the Run key.

The following existing registry values are modified:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "[Application Name]" = ""%Appdata%\microsoft\kxviad\kxviad.exe" /c [Application path]"

Each wrapped entry now launches the bot first; the original application path is kept after /c so the legitimate program can still be started and the change is not obvious to the user. Simply deleting these values removes the bot's hook but also the legitimate autostart, so cleanup should restore the original [Application path] instead.

Once a system is compromised, the worm connects to the following sites to receive bot commands and carry out further malicious activity:

  • http://boogi[Removed]kid.com
  • http://hos[Removed]r.com
  • http://www.cdcd[Removed]sfdfd.com

It also collects and reports the following system information (field names are those used by the bot):

  • ext_ip
  • dnsname
  • hostname
  • country
  • state
  • city
  • user
  • domain
  • is_admin
  • os
  • time
  • qbot_version
  • install_time

The worm creates a mutex named "kxvia" to mark its presence (so a second copy does not run alongside it) and creates the following configuration files in its install directory:

  • crontab.cb
  • updates.cb
  • updates1.cb
  • _qbot.cb

The worm also monitors the user's browsing on the compromised system for visits to the following sites, which are online-banking and cash-management portals:

  • business-eb.ibanking-services.com
  • treasury.pncbank.com
  • access.jpmorgan.com
  • ktt.key.com;onlineserv/CM
  • premierview.membersunited.org
  • directline4biz.com
  • onb.webcashmgmt.com
  • tmconnectweb
  • moneymanagergps.com
  • ibc.klikbca.com
  • directpay.wellsfargo.com
  • express.53.com
  • itreasury.regions.com
  • itreasurypr.regions.com
  • cpw-achweb.bankofamerica.com
  • businessaccess.citibank.citigroup.com
  • businessonline.huntington.com

(Where %Appdata% is C:\Documents and Settings\All Users\Application Data\)

-----------------------------------------------

Some variants of this bot are delivered by JavaScript on compromised web pages, which downloads the following components:

  • q1.dll (W32/Pinkslipbot)
  • q2l.exe (W32/Pinkslipbot)

This bot also creates a

Some variants drop a copy of the bot and its components into the following directory:

  • %all users profile%\_qbothome\_qbotinj.exe (W32/Pinkslipbot)
  • %all users profile%\_qbothome\_qbot.dll (W32/Pinkslipbot!dll)

The following files are also created:

  • %all users profile%\_qbothome\crontab.cb
  • %all users profile%\_qbothome\q1.32672
  • %all users profile%\_qbothome\updates.cb
  • %all users profile%\_qbothome\_qbot.cb
  • %all users profile%\_qbothome\_qbot_installed 

(Where %all users profile% is the all-users profile folder, e.g. C:\Documents and Settings\All Users)

It modifies existing autostart entries in the registry so that it is executed at startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Before: "[original application registry name]" = "[original application registry value]"
After:  "[original application registry name]" = ""%all users profile%\_qbothome\_qbotinj.exe" "%all users profile%\_qbothome\_qbot.dll" /c "[original application registry value]""

The original value is preserved after /c, so the legitimate application still starts once the injector has run; as with the kxviad variant, cleanup should restore that original value rather than delete the entry.

It then injects its DLL component (_qbot.dll) into iexplore.exe (Internet Explorer).
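Both persistence tricks described on this page (the kxviad variant's ""kxviad.exe" /c [Application path]" wrapping and the _qbothome variant's ""_qbotinj.exe" "_qbot.dll" /c "[original value]"" wrapping) leave the legitimate autostart inside the bot's command line, so triage has to tell the bot's own Run values apart from hijacked ones and recover the original command for the latter. The script below is an added example, not McAfee's tool or code from the bot; the Run value names and original application commands in SAMPLE_RUN_VALUES are constructed, and only the bot paths and the /c layout come from the description above. It works on the value strings alone, so it runs offline; on a live host you would feed it the output of `reg query` or winreg for the HKLM and HKCU Run keys.

```python
r"""Triage Windows Run-key values for W32/Pinkslipbot (Qakbot) persistence.

Added example for this write-up, not McAfee's code. Entry names and original
commands in SAMPLE_RUN_VALUES are constructed; only the bot paths
(kxviad\kxviad.exe, _qbothome\_qbotinj.exe, _qbothome\_qbot.dll) and the
"/c <original>" wrapping come from the description above.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of ...\CurrentVersion\Run values on an infected XP host.
SAMPLE_RUN_VALUES: Dict[str, str] = {
    # Value the bot adds for itself, named after the legitimate ctfmon.exe.
    "ctfmon": r'C:\Documents and Settings\All Users\Application Data\microsoft\kxviad\kxviad.exe',
    # Legitimate entry wrapped by the kxviad variant (hypothetical app).
    "SunJavaUpdateSched": r'"C:\Documents and Settings\All Users\Application Data\microsoft\kxviad\kxviad.exe" /c "C:\Program Files\Java\jre6\bin\jusched.exe"',
    # Legitimate entry wrapped by the _qbothome injector variant (hypothetical app).
    "Adobe Reader Speed Launcher": r'"C:\Documents and Settings\All Users\_qbothome\_qbotinj.exe" "C:\Documents and Settings\All Users\_qbothome\_qbot.dll" /c "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"',
    # Untouched entry.
    "NvCplDaemon": r'RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup',
}

# Variant 1: "<...\kxviad\kxviad.exe>" /c <original command>
KXVIAD_WRAP_RE = re.compile(
    r'^\s*"?(?P<bot>[^"]*?\\kxviad\\kxviad\.exe)"?\s+/c\s+(?P<orig>.+?)\s*$',
    re.IGNORECASE,
)
# Variant 2: "<...\_qbothome\_qbotinj.exe>" "<...\_qbothome\_qbot.dll>" /c "<original value>"
QBOTINJ_WRAP_RE = re.compile(
    r'^\s*"?(?P<bot>[^"]*?\\_qbothome\\_qbotinj\.exe)"?\s+'
    r'"?(?P<dll>[^"]*?\\_qbothome\\_qbot\.dll)"?\s+/c\s+(?P<orig>.+?)\s*$',
    re.IGNORECASE,
)
# The bot's own autostart value: the command line ends at the bot binary, no /c.
BOT_BINARY_RE = re.compile(
    r'\\(kxviad\\kxviad\.exe|_qbothome\\_qbotinj\.exe)"?\s*$', re.IGNORECASE
)


@dataclass
class Finding:
    name: str                        # Run value name
    kind: str                        # "clean", "bot_entry" or "hijacked"
    bot_path: Optional[str] = None   # bot binary found in the value, if any
    restore: Optional[str] = None    # original command to put back (hijacked only)


def _strip_outer_quotes(s: str) -> str:
    """Remove the one layer of quotes the wrapper puts around the original value."""
    s = s.strip()
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"' and '"' not in s[1:-1]:
        return s[1:-1]
    return s


def classify_run_value(name: str, data: str) -> Finding:
    """Clean, the bot's own entry, or a legitimate entry wrapped by the bot?"""
    for pattern in (KXVIAD_WRAP_RE, QBOTINJ_WRAP_RE):
        m = pattern.match(data)
        if m:
            return Finding(name, "hijacked", m.group("bot"),
                           _strip_outer_quotes(m.group("orig")))
    if BOT_BINARY_RE.search(data):
        return Finding(name, "bot_entry", _strip_outer_quotes(data))
    return Finding(name, "clean")


def triage(run_values: Dict[str, str]) -> List[Finding]:
    return [classify_run_value(n, d) for n, d in run_values.items()]


def remediation_plan(findings: List[Finding]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Action per infected value: delete the bot's own entries, but restore
    wrapped entries to their original command so legitimate autostarts survive."""
    plan: Dict[str, Tuple[str, Optional[str]]] = {}
    for f in findings:
        if f.kind == "bot_entry":
            plan[f.name] = ("delete", None)
        elif f.kind == "hijacked":
            plan[f.name] = ("restore", f.restore)
    return plan


if __name__ == "__main__":
    for f in triage(SAMPLE_RUN_VALUES):
        extra = f"  -> restore {f.restore!r}" if f.restore else ""
        print(f"{f.kind:10} {f.name!r}{extra}")
```

The matching is deliberately anchored on the dropper's directory and file names (kxviad\kxviad.exe, _qbothome\_qbotinj.exe) rather than on the full path, because the profile root differs between per-user and all-users installs; a renamed variant would need its own pattern.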

It connects to the following domains to send information and receive commands:

  • a.rtbn[blocked].cn
  • zurnre[blocked].com
  • w1.webinspect[blocked].biz
  • ftp.eltawhee[blocked].com
  • www.cdcdcdcdc2121cds[blocked].com

Information sent includes:

  • network information
  • geographic location
  • keystroke logs

Commands received include updating the bot and installing additional malware on the system.

Symptoms

  • Presence of the files and registry entries detailed above.
  • Unexpected connections to the domains listed above.

Method of Infection

Some variants of this bot could be installed through exploits from compromised websites.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Variants

    N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Backdoor:Win32/Qakbot.gen!A (Microsoft)
  • BKDR_QAKBOT.AF (TrendMicro)
  • W32.Qakbot (Symantec)
