W32/Pinkslipbot

Type: Virus
SubType: Worm
Discovery Date: 01/08/2007
Length: Varies
Minimum DAT: 4934 (01/08/2007)
Updated DAT
Low
Home User
Low

Characteristics

Aliases

  • Kaspersky - Trojan-Downloader.Win32.Piker.ckt
  • Microsoft - Backdoor:Win32/Qakbot
  • NOD32 - Win32/Qbot.AO
  • Symantec - W32.Qakbot

-- Updated on January 26, 2012 ----

In addition to details previously described, the following characteristics may be observed for some variants.

Upon execution, it creates a directory under %Appdata%\Microsoft, in which it places a copy of itself and drops additional components. The names of the created directory and the dropped files may vary from one infection to another.

Some are observed to create the following malware copies and components:

  • %AppData%\Microsoft\Uefci\uefc.dll
  • %AppData%\Microsoft\Uefci\uefci.dll
  • %AppData%\Microsoft\Uefci\uefci.dll.396454
  • %AppData%\Microsoft\Uefci\uefci.exe
  • %AppData%\Microsoft\Uefci\uefci32.dll

New in this variant is the addition of files dropped into a user directory other than the one that executed the malware. The files are dropped here:

  • %AppData%\Microsoft\Vjoufy\vjouf.dll
  • %AppData%\Microsoft\Vjoufy\vjoufy.dll
  • %AppData%\Microsoft\Vjoufy\vjoufy.exe

In order to execute the malware upon login for that user, the following file is added:

  • %UserDir%\Start Menu\Programs\Startup\vjoufy.lnk

In addition to the domains listed previously, W32/Pinkslipbot may also contact the following domains:

  • corpgift.in
  • soros.in.ua

--------------------------------------

-- Updated on March 2, 2011 ----

Upon execution, it creates a directory under %Appdata%\Microsoft, in which it places a copy of itself and drops additional components. The names of the created directory and the dropped files may vary from one infection to another.

Some are observed to create the following malware copies and components:

  • %Appdata%\Microsoft\eylzc\eylzc.exe
  • %Appdata%\Microsoft\eylzc\eylzcdq.dll
  • %Appdata%\Microsoft\eylzc\eylzcix.exe
  • %Appdata%\Microsoft\kxviad\kxviad.exe
  • %Appdata%\Microsoft\kxviad\q1.19181
  • %Appdata%\Microsoft\kxviad\.20997
  • %Appdata%\Microsoft\kxviad\qq11.22006
  • %Appdata%\Microsoft\kxviad\kxvia.dll

It also drops randomly named configuration and log files in the created directory.

To automatically execute at startup, it creates autostart registry entries. Some are seen to add the following:

  • HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\
    "ctfmon" = "%Appdata%\microsoft\kxviad\kxviad.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    "dddikre" = "%Appdata%\microsoft\eylzc\eylzc.exe"

It may also modify existing autostart registry entries, prepending its own path to the original command so that it runs first:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    "[Application Name]" = ""%Appdata%\microsoft\kxviad\kxviad.exe" /c [Application path]"

It may also create a scheduled task (detected as W32/Pinkslipbot!job) that periodically executes a JavaScript file it creates and uses to update itself.

It also hooks several Windows API functions to hide the files and registry entries mentioned above.

It connects to several domains to receive updates and configuration files:

  • nt15.in
  • nt002.cn
  • nt12.co.in
  • nt14.co.in
  • hotbar.com
  • cdcdcdcdc2121cdsfdfd.com
  • hostmeter.com
  • boogiewoogiekid.com
  • up002.cn
  • adserv.co.in
  • up004.cn
  • up01.co.in
  • nt010.cn
  • nt202.cn
  • up02.co.in
  • up03.in
  • up003.com.ua
  • nt16.in
  • swallowthewhistle.com
  • nt04.in
  • nt06.in
  • nt101.cn
  • b.nt002.cn
  • b.tn001.cn
  • b.rtbn2.cn
  • prstat.in
  • du01.in
  • du02.in
  • citypromo.info
  • spotrate.info
  • redserver.com.ua

The downloaded configuration file may include information about IRC and FTP servers the bot can use to receive commands and upload stolen data, including server ports, channels, usernames and passwords.

The controller may instruct the bot to perform any of the following:

  • update or download additional components
  • uninstall itself
  • perform FTP operations
  • upload files
  • kill processes
  • gather system and malware information

Gathered system information may include the following:

  • ext_ip
  • dnsname
  • hostname
  • country
  • state
  • city
  • user
  • domain
  • os
  • time
  • cookies
  • MSN user names and passwords
  • IE password-protected sites, including login and password

Some variants create a mutex object named "kxvia" to mark their presence and create the following configuration files:

  • crontab.cb
  • updates.cb
  • updates1.cb
  • _qbot.cb

It may also monitor user traffic when the user connects to websites whose URLs contain the following substrings:

  • business-eb.ibanking-services.com
  • treasury.pncbank.com
  • access.jpmorgan.com
  • ktt.key.com
  • onlineserv/CM
  • premierview.membersunited.org
  • directline4biz.com
  • onb.webcashmgmt.com
  • tmconnectweb
  • moneymanagergps.com
  • ibc.klikbca.com
  • directpay.wellsfargo.com
  • express.53.com
  • itreasury.regions.com
  • itreasurypr.regions.com
  • cpw-achweb.bankofamerica.com
  • cashproonline.bankofamerica.com
  • businessaccess.citibank.citigroup.com
  • businessonline.huntington.com
  • treas-mgt.frostbank.com
  • web-cashplus.com
  • /cashplus/
  • /cashman/
  • ebanking-services.com
  • netconnect.bokf.com

(Where %Appdata%\ is C:\Documents and Settings\All Users\Application Data\)

Pinkslipbot can also spread over removable drives. Once a machine is infected, the bot monitors for attached drives; when one is found, it writes a copy of itself onto the drive using the same name as an existing directory on that drive.
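The removable-drive behaviour just described, a copy of the bot named after an existing directory on the drive, leaves a recognisable trace: an executable whose name without its extension matches a sibling directory. The Python below is an added example, not code from McAfee or from this advisory. It checks a constructed drive listing (the E:\ paths and sizes are hypothetical) for that pattern and groups the hits by file size, since every copy is the same binary; list_drive() builds the same kind of listing from a real mounted drive for use outside the example.

```python
import ntpath
import os
from collections import defaultdict
from typing import List, Tuple

# Constructed listing of a removable drive: (path, is_directory, size_in_bytes).
# All paths and sizes are hypothetical.
SAMPLE_DRIVE: List[Tuple[str, bool, int]] = [
    (r"E:\Photos", True, 0),
    (r"E:\Photos.exe", False, 204800),
    (r"E:\Documents", True, 0),
    (r"E:\Documents.exe", False, 204800),
    (r"E:\Documents\report.doc", False, 51200),
    (r"E:\setup.exe", False, 1048576),   # ordinary installer, no sibling directory
    (r"E:\Music", True, 0),
]

# Extensions Windows will run from a double-click; the advisory describes .exe copies
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}


def find_directory_impersonators(entries):
    """Return (file_path, directory_path, size) for executables whose name
    without extension equals a directory in the same parent directory."""
    dirs = {path.lower(): path for path, is_dir, _ in entries if is_dir}
    hits = []
    for path, is_dir, size in entries:
        if is_dir:
            continue
        stem, ext = ntpath.splitext(path)
        if ext.lower() in EXECUTABLE_EXTS and stem.lower() in dirs:
            hits.append((path, dirs[stem.lower()], size))
    return hits


def group_by_size(hits):
    """Identical copies of one dropper share a size; several hits with one
    size are a stronger signal than a lone coincidence."""
    groups = defaultdict(list)
    for path, _, size in hits:
        groups[size].append(path)
    return dict(groups)


def list_drive(root: str):
    """Build the same (path, is_dir, size) listing from a real mounted drive."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            entries.append((os.path.join(dirpath, d), True, 0))
        for f in filenames:
            p = os.path.join(dirpath, f)
            try:
                size = os.path.getsize(p)
            except OSError:
                size = -1
            entries.append((p, False, size))
    return entries


if __name__ == "__main__":
    hits = find_directory_impersonators(SAMPLE_DRIVE)
    for path, directory, size in hits:
        print(f"{path} impersonates {directory} ({size} bytes)")
    print(group_by_size(hits))
```

On a real drive, call find_directory_impersonators(list_drive(r"E:\")) and treat hits that share one size as copies of a single dropper; the original directories are still present next to them, which is what distinguishes this pattern from a user simply storing an installer named like a folder.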

-----------------------------------------------

Some variants of this bot use JavaScript to download the following:

  • q1.dll (W32/Pinkslipbot)
  • q2l.exe (W32/Pinkslipbot)

This bot also creates a

Some variants of this bot drop a copy of themselves and their components into the following directory:

  • %all users profile%\_qbothome\_qbotinj.exe (W32/Pinkslipbot)
  • %all users profile%\_qbothome\_qbot.dll (W32/Pinkslipbot!dll)

The following files are also created:

  • %all users profile%\_qbothome\crontab.cb
  • %all users profile%\_qbothome\q1.32672
  • %all users profile%\_qbothome\updates.cb
  • %all users profile%\_qbothome\_qbot.cb
  • %all users profile%\_qbothome\_qbot_installed

(Where %all users profile% is the Windows user profile folder, e.g. C:\Documents and Settings\All Users)
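The drop locations in the two dated updates above and in this older description share traits a file-system sweep can key on: a randomly named directory directly under %AppData%\Microsoft holding a .exe and a .dll with the same name stem, files whose "extension" is a run of digits (q1.19181, uefci.dll.396454), the fixed _qbothome directory, the .cb configuration names, and a Startup .lnk named after the drop directory in another user's profile. The Python below is an added example, not code from McAfee or from this advisory; it applies those heuristics to a constructed path listing (the user name "bob" and the benign entries are hypothetical) and reports what it finds, which is how the symptom "existence of the files detailed above" would be checked in bulk.

```python
import ntpath
import re
from collections import defaultdict
from typing import List, Tuple

# Constructed file listing (hypothetical user "bob" and benign entries),
# modelled on the drop locations in this advisory.
SAMPLE_PATHS = [
    r"C:\Documents and Settings\All Users\Application Data\Microsoft\Uefci\uefci.exe",
    r"C:\Documents and Settings\All Users\Application Data\Microsoft\Uefci\uefci.dll",
    r"C:\Documents and Settings\All Users\Application Data\Microsoft\Uefci\uefci.dll.396454",
    r"C:\Documents and Settings\All Users\Application Data\Microsoft\kxviad\kxviad.exe",
    r"C:\Documents and Settings\All Users\Application Data\Microsoft\kxviad\kxvia.dll",
    r"C:\Documents and Settings\All Users\Application Data\Microsoft\kxviad\q1.19181",
    r"C:\Documents and Settings\All Users\Application Data\Microsoft\kxviad\crontab.cb",
    r"C:\Documents and Settings\bob\Application Data\Microsoft\Vjoufy\vjoufy.exe",
    r"C:\Documents and Settings\bob\Application Data\Microsoft\Vjoufy\vjoufy.dll",
    r"C:\Documents and Settings\bob\Start Menu\Programs\Startup\vjoufy.lnk",
    r"C:\Documents and Settings\All Users\_qbothome\_qbotinj.exe",
    r"C:\Documents and Settings\All Users\_qbothome\_qbot_installed",
    # benign entries that should not be reported
    r"C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\abc",
    r"C:\Documents and Settings\bob\Application Data\Microsoft\Office\MSO1033.acl",
    r"C:\Program Files\Java\jre6\bin\jusched.exe",
]

# A file directly inside %AppData%\Microsoft\<dir>\ ; groups: dir name, file name
APPDATA_MS_RE = re.compile(
    r"\\(?:application data|appdata\\roaming)\\microsoft\\([^\\]+)\\([^\\]+)$", re.IGNORECASE
)
KNOWN_CONFIG = {"crontab.cb", "updates.cb", "updates1.cb", "_qbot.cb", "_qbot_installed"}
NUMERIC_EXT_RE = re.compile(r"\.\d{4,6}$")
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def scan_file_listing(paths: List[str]) -> List[Tuple[str, str]]:
    """Return (path_or_dirname, reason) for every artifact matching the advisory's patterns."""
    findings = []
    by_dir = defaultdict(set)   # lowercase drop-dir name -> lowercase file names inside it
    for p in paths:
        m = APPDATA_MS_RE.search(p)
        if m:
            by_dir[m.group(1).lower()].add(m.group(2).lower())
        name = ntpath.basename(p).lower()
        if "\\_qbothome\\" in p.lower():
            findings.append((p, "file inside _qbothome drop directory"))
        elif name in KNOWN_CONFIG:
            findings.append((p, "known Pinkslipbot configuration or marker file"))
        elif m and NUMERIC_EXT_RE.search(name):
            findings.append((p, "numeric-suffixed file under %AppData%\\Microsoft"))

    suspicious_dirs = set()
    for d, names in by_dir.items():
        exes = [n for n in names if n.endswith(".exe")]
        dlls = [n for n in names if n.endswith(".dll")]
        # the random stem is reused for the directory, the exe and the dll
        if exes and dlls and any(n[:4] == d[:4] for n in exes):
            suspicious_dirs.add(d)
            findings.append((d, "exe/dll pair named after its directory under %AppData%\\Microsoft"))

    for p in paths:
        low = p.lower()
        if STARTUP_DIR in low and low.endswith(".lnk"):
            if ntpath.basename(low)[:-4] in suspicious_dirs:
                findings.append((p, "Startup shortcut named after a suspicious drop directory"))
    return findings


if __name__ == "__main__":
    for path, reason in scan_file_listing(SAMPLE_PATHS):
        print(f"{reason}: {path}")
```

The exe/dll pairing rule deliberately requires both file types and a shared name stem, so legitimate per-application folders under Microsoft\ (Crypto, Office, Network) are not reported; the Startup .lnk rule only fires when a drop directory has already been identified, which ties the cross-user persistence described in the January 2012 update back to its payload.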

It modifies existing autostart entries in the registry so that it is executed at startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"[original application registry name]" = "[original application registry value]" ""%all users profile%\_qbothome\_qbotinj.exe" "%all users profile%\_qbothome\_qbot.dll" /c "[original application registry value]"
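Both forms of Run-key tampering on this page (the March 2011 form above, which prepends the malware path and passes the original command after /c, and the older form just shown, which runs _qbotinj.exe with _qbot.dll before the original command) can be recognised from the value data alone. The Python below is an added defender's example, not code from McAfee or from this advisory. It runs over a constructed dictionary of Run values (the value names and paths in it are hypothetical, modelled on the entries listed here) and, for each tampered entry, recovers the original command that cleanup should restore.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample Run-key values (hypothetical names and paths), modelled on
# the two persistence forms this advisory describes.
SAMPLE_RUN_VALUES: Dict[str, str] = {
    # untouched legitimate entry
    "Adobe Reader Speed Launcher": r'"C:\Program Files\Adobe\Reader\reader_sl.exe"',
    # malware path prepended, original command passed after /c
    "ctfmon": r'"C:\Documents and Settings\All Users\Application Data\microsoft\kxviad\kxviad.exe" /c C:\WINDOWS\system32\ctfmon.exe',
    # injector + dll form, original command passed after /c
    "SunJavaUpdateSched": r'"C:\Documents and Settings\All Users\_qbothome\_qbotinj.exe" "C:\Documents and Settings\All Users\_qbothome\_qbot.dll" /c "C:\Program Files\Java\jre6\bin\jusched.exe"',
    # plain malware autostart with no wrapped command
    "dddikre": r'"C:\Documents and Settings\All Users\Application Data\microsoft\eylzc\eylzc.exe"',
}

# "<loader.exe>" ["<component.dll>"] /c <original command>
WRAPPED_RE = re.compile(
    r'^\s*"?(?P<loader>[^"]+?\.exe)"?'      # prepended executable
    r'(?:\s+"?(?P<dll>[^"]+?\.dll)"?)?'     # optional dll argument (injector form)
    r'\s+/c\s+(?P<original>.+?)\s*$',       # original command after /c
    re.IGNORECASE,
)

# Drop locations named in the advisory: %AppData%\Microsoft\<random>\<random>.exe
# and <profile>\_qbothome\...
DROP_DIR_RE = re.compile(
    r'(application data|appdata)\\microsoft\\[^\\]+\\[^\\]+\.exe$|\\_qbothome\\[^\\]+$',
    re.IGNORECASE,
)


@dataclass
class Finding:
    value_name: str
    kind: str                        # "wrapped" (original command hijacked) or "autostart"
    loader: str                      # executable that actually runs at logon
    in_drop_dir: bool                # loader lives in one of the advisory's drop locations
    original_command: Optional[str]  # command to restore, if any


def inspect_run_values(values: Dict[str, str]) -> List[Finding]:
    """Flag Run values that wrap another command or launch from a drop directory."""
    findings: List[Finding] = []
    for name, data in values.items():
        m = WRAPPED_RE.match(data)
        if m:
            findings.append(Finding(
                name, "wrapped", m["loader"], bool(DROP_DIR_RE.search(m["loader"])),
                m["original"].strip().strip('"'),
            ))
            continue
        exe = data.strip().strip('"')
        if DROP_DIR_RE.search(exe):
            findings.append(Finding(name, "autostart", exe, True, None))
    return findings


def cleanup_plan(findings: List[Finding]) -> Dict[str, Optional[str]]:
    """Map each flagged value name to the data it should hold after cleanup:
    the recovered original command, or None if the value should be deleted."""
    return {f.value_name: f.original_command for f in findings}


if __name__ == "__main__":
    found = inspect_run_values(SAMPLE_RUN_VALUES)
    for f in found:
        print(f)
    print(cleanup_plan(found))
```

A legitimate Run value never hands a second command to its program via /c, so every "wrapped" finding is worth a look even when the loader sits outside the known drop directories; the in_drop_dir flag only raises confidence. Restoring the recovered original command rather than deleting the value keeps the hijacked application's own autostart intact, which is the behaviour the Removal section attributes to the recommended DAT.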

It then injects its DLL component into iexplorer.exe.

It connects to the following domains to send information and receive commands:

  • a.rtbn[blocked].cn
  • zurnre[blocked].com
  • w1.webinspect[blocked].biz
  • ftp.eltawhee[blocked].com
  • www.cdcdcdcdc2121cds[blocked].com
  • hostrmeter.com
  • nt15.in
  • adserv.co.in

Information sent includes:

  • network information
  • geographic location
  • keystroke logs

Commands received include updating the malware and installing additional malware on the system.

This malware uses user-mode API hooks within processes to hide its components. Some of the functions that are hooked are:

  • FindFirstFileA
  • FindFirstFileW
  • FindNextFileA
  • FindNextFileW
  • RegEnumValue
  • NtQuerySystemInformation

Symptoms

  • Presence of the registry keys and files detailed above.
  • Unexpected connection to the domains mentioned.

Method of Infection

Some variants of this bot could be installed through exploits from compromised websites.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files to hook system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Backdoor:Win32/Qakbot.gen!A (Microsoft)
  • BKDR_QAKBOT.AF (TrendMicro)
  • W32.Qakbot (Symantec)
