W32/Pinkslipbot
- Type: Virus
- SubType: Worm
- Discovery Date: 01/08/2007
- Length: Varies
- Minimum DAT: 4934 (01/08/2007)
- Updated DAT
- Low
- Home User: Low
Characteristics
Aliases
- Kaspersky - Trojan-Downloader.Win32.Piker.ckt
- Microsoft - Backdoor:Win32/Qakbot
- NOD32 - Win32/Qbot.AO
- Symantec - W32.Qakbot
-- Updated on January 26, 2012 ----
In addition to the details previously described, the following characteristics may be observed in some variants.
Upon execution, it creates a directory under %Appdata%\Microsoft, where it places a copy of itself and drops additional components. The names of the created directory and dropped files may vary for every infection.
Some are observed to create the following malware copies and components:
- %AppData%\Microsoft\Uefci\uefc.dll
- %AppData%\Microsoft\Uefci\uefci.dll
- %AppData%\Microsoft\Uefci\uefci.dll.396454
- %AppData%\Microsoft\Uefci\uefci.exe
- %AppData%\Microsoft\Uefci\uefci32.dll
New in this variant is the addition of files dropped into a user directory other than the one that executed the malware. The files are dropped here:
- %AppData%\Microsoft\Vjoufy\vjouf.dll
- %AppData%\Microsoft\Vjoufy\vjoufy.dll
- %AppData%\Microsoft\Vjoufy\vjoufy.exe
In order to execute the malware upon login for that user, the following file is added:
- %UserDir%\Start Menu\Programs\Startup\vjoufy.lnk
In addition to the domains listed previously, W32/Pinkslipbot may also contact the following domains:
- corpgift.in
- soros.in.ua
--------------------------------------
-- Updated on March 2, 2011 ----
Upon execution, it creates a directory under %Appdata%\Microsoft, where it places a copy of itself and drops additional components. The names of the created directory and dropped files may vary for every infection.
Some are observed to create the following malware copies and components:
- %Appdata%\Microsoft\eylzc\eylzc.exe
- %Appdata%\Microsoft\eylzc\eylzcdq.dll
- %Appdata%\Microsoft\eylzc\eylzcix.exe
- %Appdata%\Microsoft\kxviad\kxviad.exe
- %Appdata%\Microsoft\kxviad\q1.19181
- %Appdata%\Microsoft\kxviad\.20997
- %Appdata%\Microsoft\kxviad\qq11.22006
- %Appdata%\Microsoft\kxviad\kxvia.dll
It also drops randomly named configuration and log files in the created directory.
To execute automatically at startup, it creates autostart registry entries. Some variants are seen to add the following:
- HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\
  "ctfmon" = "%Appdata%\microsoft\kxviad\kxviad.exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
  "dddikre" = "%Appdata%\microsoft\eylzc\eylzc.exe"
It may also modify existing autostart registry entries, adding itself in front of the original application path:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
  "[Application Name]" = ""%Appdata%\microsoft\kxviad\kxviad.exe" /c [Application path]
It may also create a scheduled task (detected as W32/Pinkslipbot!job) to periodically execute a JavaScript file that it creates and uses to update itself.
It also hooks several Windows API functions to hide the files and registry entries mentioned above.
It connects to several domains to receive updates and configuration files:
The downloaded configuration file may include information about IRC and FTP servers it can use to receive commands and upload stolen data, including server ports, channels, usernames and passwords.
The controller may instruct the bot to perform any of the following:
- update or download additional components
- uninstall itself
- perform FTP operations
- upload files
- kill processes
- gather system and malware information
Gathered system information may include the following:
- ext_ip
- dnsname
- hostname
- country
- state
- city
- user
- domain
- os
- time
- cookies
- MSN user names and passwords
- IE password-protected sites, including login and password
Some variants create a mutex object called "kxvia" to mark their presence and create the following configuration files:
- crontab.cb
- updates.cb
- updates1.cb
- _qbot.cb
It may also monitor user traffic when the user connects to websites whose addresses contain the following substrings:
[%Appdata%\ is C:\Documents and Settings\All Users\Application Data\]
Pinkslipbot can also spread over removable drives. Once the machine is infected, it monitors for attached drives. If one is found, it creates a copy of itself using the same filename as each directory on the drive.
-----------------------------------------------
Some variants of this bot are found to use JavaScript to download:
- q1.dll (W32/Pinkslipbot)
- q2l.exe (W32/Pinkslipbot)
This bot also creates the following:
- _qbotjfiwrg.job (W32/Pinkslipbot!job), to run the JavaScript periodically
- icsmg.js (JS/Downloader-AH)
Some variants of this bot drop a copy of themselves and their components in the following directory:
- %all users profile%\_qbothome\_qbotinj.exe (W32/Pinkslipbot)
- %all users profile%\_qbothome\_qbot.dll (W32/Pinkslipbot!dll)
The following files are also created:
- %all users profile%\_qbothome\crontab.cb
- %all users profile%\_qbothome\q1.32672
- %all users profile%\_qbothome\updates.cb
- %all users profile%\_qbothome\_qbot.cb
- %all users profile%\_qbothome\_qbot_installed
(Where %all users profile% is the Windows user profile folder, e.g. C:\Documents and Settings\All Users)
It modifies existing autostart entries in the registry to execute automatically at startup:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  "[original application registry name]" = "[original application registry value]" ""%all users profile%\_qbothome\_qbotinj.exe" "%all users profile%\_qbothome\_qbot.dll" /c "[original application registry value]"
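The two autostart hijacks described on this page (kxviad.exe in the March 2011 update and _qbotinj.exe with _qbot.dll here) share one shape: the Run value's data starts with the malware loader and passes the original program after "/c". The following Python scanner, an added example that is not part of this page or of any vendor tool, flags Run values with that shape and values launched from the drop directories named above. The Run-key values are a constructed sample; "ExampleApp" and its path are placeholders.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of Run-key values (name -> data), as a scanner would read
# them with winreg on a live host or from a .reg export. The last three mimic
# the shapes described on this page; the first is a benign control.
SAMPLE_RUN_VALUES: Dict[str, str] = {
    "SunJavaUpdateSched": r'"C:\Program Files\Java\bin\jusched.exe"',
    "ExampleApp": (  # hypothetical hijacked application entry
        r'"C:\Documents and Settings\All Users\Application Data\_qbothome\_qbotinj.exe" '
        r'"C:\Documents and Settings\All Users\Application Data\_qbothome\_qbot.dll" '
        r'/c "C:\Program Files\ExampleApp\app.exe"'
    ),
    "ctfmon": r'"%Appdata%\microsoft\kxviad\kxviad.exe"',
    "dddikre": r'"C:\Documents and Settings\All Users\Application Data\microsoft\eylzc\eylzc.exe"',
}

# A loader .exe, optionally followed by a .dll argument, then "/c" and the
# original autostart command: the wrapping used by kxviad.exe and _qbotinj.exe.
WRAPPER_RE = re.compile(
    r'^\s*"?(?P<loader>[^"]+?\.exe)"?'
    r'(?:\s+"?(?P<dll>[^"]+?\.dll)"?)?'
    r'\s+/c\s+"?(?P<orig>.+?)"?\s*$',
    re.IGNORECASE,
)

# Drop locations named on this page: _qbothome under the All Users profile, or
# a randomly named directory under %Appdata%\Microsoft (expanded or not).
DROP_DIR_RE = re.compile(
    r'(?:\\Application Data|%Appdata%)\\(?:_qbothome|microsoft\\[^\\"]+)\\[^\\"]+\.(?:exe|dll)',
    re.IGNORECASE,
)


def parse_wrapped_command(data: str) -> Optional[Dict[str, str]]:
    """Return loader/dll/orig if data has the '<loader> [dll] /c <original>' shape."""
    m = WRAPPER_RE.match(data)
    return {k: v for k, v in m.groupdict().items() if v} if m else None


def scan_run_values(values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Flag Run values wrapped by a loader or launched from a known drop directory."""
    findings: List[Tuple[str, str]] = []
    for name, data in values.items():
        wrapped = parse_wrapped_command(data)
        if wrapped:  # strongest indicator: original command is run via the loader
            findings.append((name, f"hijacked: {wrapped['loader']} runs {wrapped['orig']} via /c"))
        elif DROP_DIR_RE.search(data):  # weaker indicator: path alone
            findings.append((name, "launched from a Pinkslipbot drop directory"))
    return findings
```

On a live host the same two checks apply to the HKCU Run key and to the Startup folder .lnk target described in the January 2012 update.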
It then injects its DLL component into iexplorer.exe.
It connects to the following domains to send information and receive commands:
- a.rtbn[blocked].cn
- zurnre[blocked].com
- w1.webinspect[blocked].biz
- ftp.eltawhee[blocked].com
- www.cdcdcdcdc2121cds[blocked].com
- hostrmeter.com
- nt15.in
- adserv.co.in
Information sent includes:
- network information
- geographic location
- keystroke logs
Commands received include updating the malware and installing additional malware on the system.
This malware uses user-mode API hooks within processes to hide its components. Some of the hooked functions are:
- FindFirstFileA
- FindFirstFileW
- FindNextFileA
- FindNextFileW
- RegEnumValue
- NtQuerySystemInformation
Symptoms
- Existence of the registry keys and files detailed above.
- Unexpected connection to the domains mentioned.
Method of Infection
Some variants of this bot could be installed through exploits from compromised websites.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview -
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- Backdoor:Win32/Qakbot.gen!A (Microsoft)
- BKDR_QAKBOT.AF (TrendMicro)
- W32.Qakbot (Symantec)