Qbot Infostealer Trojan

October 15, 2010

SonicWALL UTM Research team observed reports of a new Qbot Infostealer Trojan variant being spammed in the wild via e-mail. The e-mail pretends to contain pictures of the sender and lures the user into opening them. The attachment is an executable file (pic.exe) and leads to compromise of confidential information.

The e-mail message looks like below:


Most e-mail clients with default security settings will block the attachment by default as it is an executable file. However, if the user manages to open the attached file then it will perform following activities:

  • Steals confidential information from victim machine including E-mail account credentials, Various website credentials, and confidential information stored in cookies. It stores the confidential information in encrypted format.
  • Blocks Antivirus updates as well as Google updates on the victim machine
  • Connects to a compromised domain going-wide.net and downloads newer variant of itself which was saved as:
    • (Temp)ky95.tmp.exe [Detected as GAV: Qbot.RP (Trojan)]
  • Drops following files on the victim machine:
    • (WINDOWS)system32 a.dll
    • (WINDOWS)system32 d.dll
    • (WINDOWS)system32 kkkkkkk
    • (WINDOWS)system32 n.dll
    • (WINDOWS)system32 ntcore.dll
    • (WINDOWS)system32 o.dll
    • (WINDOWS)system32 p.dll
    • It patches the following system file:
      • (WINDOWS)system32ole32.dll
    • Sample request that it uses to send confidential system information:


    • Sample runtime activity log from infected system:


    SonicWALL Gateway AntiVirus provides protection against this Information stealing Trojan variant via GAV: Qbot.RP (Trojan) signature.