Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 07 May 2009
Damage: High

Characteristics: W32.Qakbot is a worm. It spreads via network shares. The worm opens a back door on the infected computer. Using the back door, a hacker may steal information from the infected computer and download more files.

More details about W32.Qakbot

The worm W32.Qakbot propagates via resources shared on a network. When the worm infects your computer, it may steal personal information by checking on your email contacts, keystrokes and sites visited. It may also download more malware onto your computer. It also creates a back door and allows a hacker to access your system. The worm has been reported to exploit certain vulnerabilities on the infected computer. After the worm exploits certain vulnerabilities in your computer, it downloads threats and executes them. The threat downloads a password-protected ZIP file which contains the files _qbot.dll and _qbotinj.exe. It also contains the configuration files: qbot.cb, crontab.cb, and updates.cb. Next, the worm adds certain values to the registry to make sure it runs every time Windows starts. The worm may receive a command from a remote attacker and copies itself to the shared folder.

The worm attempts to steal the following information: DNS, IP, hostname, Outlook account, Cookie, Keystrokes, URLs visited, FTP server, account and password, IRC server, account and password.The settings of the infected computer can also inexplicably change through the W32.Qakbot program. This may involve turning off certain security features of the operating system. The Task Manager and System Restore features may be disabled to prevent detection and removal of the malware program. Programs can also be launched, installed, or executed without the user’s knowledge.