As I write this article, I am finishing cleanup from the Qakbot virus variant found in the wild on April 18, 2011. It was a messy beast that had varying levels of infection, speculated as being dependent on how long it resided on the infected system and how far it was able to get within that system.
With a number of organizations impacted by this virus at an enormous rate (90% or higher internal infection), this virus has actually proven the most complex that I have had to deal with cleanup. This may be due to it being the first Zero Day infection that I personally witnessed.
IMPORTANT - The information and eradication steps provided below are written with the assumption that you understand how to read and modify your system registry, security settings, and basic system commands. Performing any of these operations incorrectly could seriously damage your computer. If you do not understand the information provided and you are not confident you can handle this process by yourself, take your computer to a skilled professional for service.
Resident Location and Behavior
This variant of Qakbot starts with a randomly named executable (EXE) file in the root of the boot drive on a Microsoft Windows based system. It doesn't matter if it is Windows 7, 2000, XP, or Vista - or Windows Server 2000, 2003 or 2008 for that matter.
A Windows service is created and started to launch the virus into memory, allowing it to propagate deeper into the computer - as it acts using the "System" account. If multiple computers in your environment are infected, you may show several randomly named services on the computer.
The Qakbot virus will disable your antivirus product by removing the Access Control List (ACL) from the folder containing the antivirus common files. In our case, Symantec Corporate Anti-virus was impacted.
Once the virus disables your anti-virus, it can begin spreading within this computer and to other computers in your network. The initial EXE file might be deleted by the virus, after infection, as it automatically disables and marks the service it created for deletion. The service(s) should disappear after a reboot.
The virus creates a new randomly named folder containing similarly executable files and dynamic link library (DLL) files within the "All Users" profile on the system. Since the virus uses system variables for locating storage points, the base location changes with the operating system version and configuration.
C:\Documents and Settings\All Users\Application Data\Microsoft
In many cases a randomly named task is scheduled presumably to allow the virus to call home to share information collected or to check for updates and reinfect the computer accordingly. This task runs a Java-based script stored as a random name with extension ZBZ or ZBR in the %systemRoot%\Temp folder (i.e. C:\Windows\Temp), every four hours indefinitely.
Also residing in the %systemroot%\Temp folder may be a temporary (TMP) file which starts with a tilde ( ~ ) and a similar name to the other virus files. This tends to be zero bytes and contain no virus data. I believe this file was a temporary storage during creation of the other virus files.
The virus will create startup items in the registry of your infected system. There will be one or more randomly named items that launch the virus executable file. The virus may also modify existing startup items to launch the virus along with the originally intended application – this may launch the EXE or DLL version of the virus.
32-bit systems - HKLM\Software\Microsoft\Wi
64-bit systems - HKLM\Software\Wow6432Node\
The virus enables hiding of “System Protected” files to help it hide itself. While loaded in memory, even after disabling this setting, the virus may mask your ability to see the running virus processes and folder containing virus files.
With the information I provided above combined with the greater detail below, you should have the basic details needed to move with eradication of this virus in your environment. Due to the complexity of this particular virus, the needed steps will vary and at times will need to be repeated. Persistence and attention to detail are the characteristics you need to exhibit in this effort.
I found it most useful to take advantage of a clean system to perform some operations of cleanup for an infected system. My steps below follow this routine, but I caution you that the virus will attempt to infect any system that connects to an infected system – Make sure your anti-virus is up to date and functioning. For my workstation, I have disabled the Task Scheduler, Server, and Computer Browser services which helps reduce the ability of the virus reinfecting my workstation.
You will need certain Sysinternals tools to perform some tasks listed here. The
suite and individual tools are available free from Microsoft.
Find and Kill the Virus
On the infected system, launch ‘Task Scheduler’ and enable viewing of hidden tasks. Check for any randomly named task that runs a ZBZ file in the Windows Temp directory. Delete that task and the file from the computer. If no other tasks are running on the system, disabling the “Task Scheduler” service will reduce the chance of reinfection – Be sure to check for any system tasks that may be present as newer Windows versions use Task Scheduler for important system routines.
From your clean workstation, use the DIR command at a command prompt to check for the actual name of the virus files
SystemName\C$\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT
The folder name will be 4-10 characters, completely random letters and sometimes numbers. Inside this folder you will also see similarly named EXE and DLL files.
From your clean workstation, use PSLIST to view the running processes on the infected system.
Look for processes named similarly to the virus file name provided by the DIR command earlier. Kill those processes.
SystemName ProcessName -T
Now try deleting the virus files. If any of the EXE files will not delete or are recreated, then the virus is still running in memory. Retry the PSLIST and PSKILL commands. If any of the DLL files will not delete, then the virus has attached itself to another process and you will need to use Process Explorer on the infected system to move forward.
On the infected system, launch PROCEXP (Sysinternals Process Explorer) and review the processes running; you are looking for the virus process. It may not be running as a process, but instead it may be attached to another processes. Use the ‘Find’ tool to locate the processes which the virus has attached. Remember that DLL file that couldn’t be deleted? Type the full name of the file in the field and click ‘Search’.
Process Explorer will tell you every process which is using the virus file. You need to evaluate, very carefully, whether or not to Kill those processes. Typically, the process can be safely killed without having harmful effects on the system; but there are cases where the virus is attached to an essential process where killing it would result in inaccessibility or a system crash.
Now that you’ve killed the processes, you should be able to delete the remaining virus files. Don’t forget to delete those in the root of your boot volume (C:) and the Windows temporary folder.
Disable Penetration Points
The virus exploits certain routes of entry into a system. If these services are not needed on the system, like a user’s workstation, then disable them.
In a modern Windows Domain environment, with properly functioning DNS, the Server and Computer Browser services are not necessary on workstations and can be disabled. This is not the case on most servers; be careful in doing this on servers.
Get Anti-Virus Online
On the infected system, using Windows Explorer, navigate to the Program Files\Common Files folder. [For 64-bit systems, you may also need to perform these steps in the Program Files (x86)\Common Files folder.]
Go into the Properties of the common folder for your anti-virus product and modify the security settings:
Change the Owner of the folder, contents, and sub-folders to the systems Administrators
Enable “Include inheritable permissions…” for the folder and it’s subfolders
Symantec has published a tool that automatically does the above security changes on the Symantec Shared folders.
This is often all you need to get your anti-virus online – just start the service or launch the anti-virus from the Start menu. In some cases you may need to go into Control panel and perform a “Repair” installation of the anti-virus or reinstall it.
With your anti-virus product back online, launch its update utility to ensure the virus signatures are up to date, make sure automatic protection (on access scanning) is enabled and then run a FULL scan on your computer.
This, and many other viruses, take advantage of security holes in your operating system and applications. Be sure to regularly check for updates and install them.
As mentioned earlier in this article, if the Server, Computer Browser, and Task Scheduler services are not needed on your computer, then disable them. It will save your system some resources and help remove entry points for viruses.
It goes without saying, but I'll say it anyway - make sure you have a modern anti-virus/anti-malware solution installed and operational on your computer. It is essential to keep your signatures and updates current, plus schedule full scans of your system.
If you are not running your security software's firewall, then you should at least use Windows Firewall. An active firewall product will help prevent certain network intrusion upon your computer. Windows Firewall provides a basic firewall and is often sufficient, while firewall products bundled with your security software will often provide application access protection as well and may be easier to customize.
Independant Anti-virus Software Review
Communication is the key to success. Share Knowledge!