Mal/Qbot-B

Category: Viruses and Spyware
Type: Malicious behavior
Prevalence: Small Number of Reports
Protection available since: 20 Nov 2009 21:11:51 (GMT)
Last Updated: 17 Mar 2010 17:11:27 (GMT)

Examples of Mal/Qbot-B include:

Example 1

File Information

Size
128K
SHA-1
01b04680122b84b7f59a25fcab03a2cc201d51ee
MD5
89d7d1038aa7fc3d2d3d1bdf0912f6c7
CRC-32
20192d84
File type
application/x-ms-dos-executable
First seen
2010-08-13

Other vendor detection

Kaspersky
Trojan.Win32.Regrun.hse

Runtime Analysis

Dropped Files
  • C:\WINDOWS\host32.exe
    Size
    1.3M
    SHA-1
    5180a29856ac7e3081f2b18f0b085880277a6659
    MD5
    100de774fe1ebfdeaeecc1a90309a27e
    CRC-32
    26892f26
    File type
    application/x-ms-dos-executable
    First seen
    2010-08-13
Registry Keys Created
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    DefaultConnectionSettings
    3c 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 80 e1 dd bd 18 3b cb 01 01 00 00 00 ac 10 00 01 00 00 00 00 00 00 00 00
  • HKLM\SYSTEM\CurrentControlSet\Services\TDTCP\Enum
    0
    Root\LEGACY_TDTCP\0000
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network
    PID
    PC_00025A0D
  • HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core
    EnableConcurrentSessions
    0x00000001
  • HKLM\SYSTEM\CurrentControlSet\Services\RDPWD\Enum
    Count
    0x00000001
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    EnableConcurrentSessions
    0x00000001
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{1D42325C-4DD2-AAF4-0623-04F664A4E007}
    {30383039-6875-6966-6739-776575646866}
    47 09 f2 0d
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    DefaultConnectionSettings
    3c 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 80 e1 dd bd 18 3b cb 01 01 00 00 00 ac 10 00 01 00 00 00 00 00 00 00 00
Registry Keys Modified
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2
    CachePath
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache2
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    SavedLegacySettings
    3c 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1
    CachePath
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache1
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths
    Directory
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4
    CachePath
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache4
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3
    CachePath
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache3
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit
    C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\host32.exe,
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    SavedLegacySettings
    3c 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  • HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
    fDenyTSConnections
    0x00000000
IP Connections
  • 193.104.146.12:443

Example 2

File Information

Size
907K
SHA-1
0ac09e88c59805962955d4e8052ac3785aa3fcc8
MD5
8de121798eaf33b957d58bf3ff4575f4
CRC-32
015cf43a
File type
application/x-ms-dos-executable
First seen
2010-09-08

Runtime Analysis

Dropped Files
  • C:\WINDOWS\system32\twext.exe
    Size
    979K
    SHA-1
    ee69cc5b8bcd67b3abef56daa894597940fcc3c2
    MD5
    08d35708bf03104e69d3813bab3010c8
    CRC-32
    42aabcf0
    File type
    application/x-ms-dos-executable
    First seen
    2010-09-08
Modified Files
  • C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
    • Set the hidden and system flags
  • C:\Documents and Settings\LocalService\Local Settings\History
    • Set the hidden and system flags
Registry Keys Created
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    DefaultConnectionSettings
    3c 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 20 b8 0f f3 76 4f cb 01 01 00 00 00 ac 10 00 01 00 00 00 00 00 00 00 00
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
    {E716FA10-2031-AA96-8E72-93A205C5C62C}
    47 09 f2 0d
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network
    UID
    PC_00021C67
  • HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Network
    UID
    PC_00021F65
  • HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Network
    UID
    PC_00021E6B
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    DefaultConnectionSettings
    3c 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 20 b8 0f f3 76 4f cb 01 01 00 00 00 ac 10 00 01 00 00 00 00 00 00 00 00
Registry Keys Modified
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4
    CachePath
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    SavedLegacySettings
    3c 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    Cache
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    SavedLegacySettings
    3c 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2
    CachePath
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1
    CachePath
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit
    C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    History
    C:\Documents and Settings\LocalService\Local Settings\History
  • HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    AppData
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths
    Directory
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3
    CachePath
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3
HTTP Requests
  • http://fooofle.ru/nhjq/n09230945.asp
DNS Requests
  • fooofle.ru

Example 3

File Information

Size
135K
SHA-1
0d01da48dde211e6ca96a106f0b5d77efa1cf7ba
MD5
c4c65d318de7c7817b00a528b4ea5b1a
CRC-32
ff008c22
File type
application/x-ms-dos-executable
First seen
2010-08-13

Other vendor detection

Avira
TR/Crypt.XPACK.Gen
Kaspersky
Packed.Win32.Krap.hm