{
	"id": "0d5d6f92-3a97-4efb-9441-d901392867f1",
	"created_at": "2026-04-06T00:11:53.409609Z",
	"updated_at": "2026-04-10T03:20:05.004038Z",
	"deleted_at": null,
	"sha1_hash": "9d3e7b254e2781bc809e05839a3e77a39c839ece",
	"title": "W32.Qakbot | Symantec",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 137931,
	"plain_text": "W32.Qakbot | Symantec\r\nArchived: 2026-04-05 18:55:04 UTC\r\nW32.Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality that allows it to hide its presence.\r\nInfection\r\nW32.Qakbot is initially installed when a user visits certain Web pages: exploit code hosted at those remote locations exploits vulnerabilities on the visiting computer and downloads the threat onto it (a drive-by download). Many of the infections are aided by users unwittingly clicking on malicious links. As more and more threats use the Web to spread, the clearer it becomes that Every Click Matters.\r\nThe worm also spreads through network shares by copying itself to shared folders when instructed to by a remote attacker, and it copies itself to removable drives.\r\nFunctionality\r\nWhile W32.Qakbot has multiple capabilities, its ultimate goal is clearly theft of information. Identity theft is big business in the underground world of cybercrime, and the more data a threat can steal, the bigger the profit that can be made. W32.Qakbot is capable of gathering a number of different kinds of information, including the following confidential information:\r\nAuthentication cookies, including Flash cookies\r\nDNS, IP, and hostname details\r\nOS and system information\r\nGeographic and browser version information\r\nKeystrokes, including login information\r\nLogin details for FTP, IRC, POP3 email, and IMAP email\r\nOutlook account information\r\nPrivate keys from system certificates\r\nLogin credentials for certain websites\r\nURLs visited\r\nCybercrime is big business, and it is real crime. The U.S. Dept. of Treasury reports that cybercrime has surpassed illegal drug trafficking as a criminal money maker, with one in five people becoming a victim. 
With the profits often in the millions of dollars, it takes very little effort for a cybercriminal to set up an operation, steal identities and begin selling. Even a small glimpse of what is possible (see Introduction to the Black Market) can give the average internet user an idea of the insidious nature of cybercrime.\r\nThere is a funny credit card television ad in which barbarians run around using the credit card, with the tag line \"What's in your wallet?\" You can almost hear the cybercriminals asking themselves, \"What's on your computer?\" If you have a computer, you are at risk, which means that assessing your level of risk is always a good idea.\r\nOnce stolen, login details, credentials for particular websites, passwords, financial information and other personally identifiable information can be sold on the black market, and that ultimately ends in identity theft. The most frequently used technique, keylogging, is designed to capture as much data as possible: the more details about the user that end up in the hands of the remote attacker, the bigger the Black Market Keylogging profit.\r\nWhite paper: W32.Qakbot in Detail\r\nSymantec has published a white paper probing deeper into the worm to reveal its inner workings. 
To find out more about this worm, download a copy of the paper: W32.Qakbot in Detail.\r\nGEOGRAPHICAL DISTRIBUTION\r\nSymantec has observed the following geographic distribution of this threat. [Distribution map not included in the archived text.]\r\nPREVALENCE\r\nSymantec has observed the following infection levels of this threat worldwide. [Prevalence chart not included in the archived text.]\r\nSYMANTEC PROTECTION SUMMARY\r\nThe following content is provided by Symantec to protect against this threat family.\r\nAntivirus signatures\r\nW32.Qakbot\r\nAntivirus (heuristic/generic)\r\nPacked.Cupx!gen2\r\nPacked.Cupx!gen3\r\nPacked.Cupx!gen4\r\nPacked.Cupx!gen5\r\nPacked.Generic.276\r\nPacked.Generic.304\r\nPacked.Generic.308\r\nPacked.Generic.368\r\nSONAR.Qakbot!gen1\r\nW32.Qakbot!conf\r\nW32.Qakbot!conf2\r\nW32.Qakbot!conf3\r\nW32.Qakbot!gen1\r\nW32.Qakbot!gen2\r\nW32.Qakbot!gen3\r\nW32.Qakbot!gen4\r\nW32.Qakbot!gen5\r\nW32.Qakbot!gen6\r\nW32.Qakbot!gen7\r\nW32.Qakbot!gen8\r\nW32.Qakbot!html\r\nW32.Qakbot!job\r\nW32.Qakbot!zip\r\nBrowser protection\r\nSymantec Browser Protection is known to be effective at preventing some infection attempts made through the Web browser.\r\nIntrusion Prevention System\r\nMSIE Apple QuickTime RTSP URI Remote BO\r\nSystem Infected: W32.Qakbot Activity\r\nSystem Infected: W32.Qakbot Activity 2\r\nSystem Infected: W32.Qakbot FTP Activity\r\nSystem Infected: W32.Qakbot FTP Activity 3\r\nHTTP W32 QakBot File Download Activity\r\nMSIE ADODB.Stream Object File Installation Weakness\r\nHTTP Trojan IRCBot Activity\r\nSymantec Endpoint Protection – Application and Device Control\r\nSymantec Security Response has developed an Application and Device Control (ADC) Policy for Symantec Endpoint Protection to protect against the activities associated with this threat. 
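Before the ADC policy guidance continues, here is an added example that is not part of the Symantec writeup or of the ADC policy it describes. It audits, from PowerShell, the host conditions the worm relies on in the sections above: shares it can write itself into and removable media it can copy itself to (Infection), and private keys it can pull out of the certificate store (Functionality). It assumes Windows 8 / Server 2012 or later for the SmbShare cmdlets, Windows PowerShell 5.1 on .NET Framework 4.6 or later for GetRSAPrivateKey, and an elevated session; the function names are this example's own, and treating AutoRun as the execution path for the removable-drive copy is an assumption the writeup does not state.

```powershell
# Added example, not from the Symantec writeup or its ADC policy.
# Assumes: Windows 8 / Server 2012+ (SmbShare module), Windows PowerShell 5.1
# on .NET Framework 4.6+, run from an elevated prompt.

$sep = [char]92   # the backslash that separates DOMAIN and account in principal names

# 1. Non-administrative shares that grant Change or Full to broad principals.
#    The worm copies itself into any share the logged-on user can write to, so
#    share-level write for Everyone / Users / Authenticated Users is the exposure.
#    NTFS permissions on the share path can narrow this further: effective access
#    is the intersection of the share ACL and the NTFS ACL.
function Get-BroadlyWritableShare {
    $broad = @('Everyone', 'Authenticated Users', 'Users', 'Domain Users')
    foreach ($share in (Get-SmbShare | Where-Object { $_.Name -notlike '*$' })) {
        Get-SmbShareAccess -Name $share.Name |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.AccessRight -in @('Full', 'Change') -and
                $_.AccountName.Split($sep)[-1] -in $broad
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Share     = $share.Name
                    Path      = $share.Path
                    Principal = $_.AccountName
                    Right     = $_.AccessRight
                }
            }
    }
}

# 2. AutoRun policy. Assumption (not stated by the writeup): the copy on a
#    removable drive is launched through AutoRun. NoDriveTypeAutoRun = 0xFF
#    disables AutoRun for every drive type; the machine value wins over the
#    user value when both are set.
function Get-AutoRunPolicy {
    $key = @('SOFTWARE', 'Microsoft', 'Windows', 'CurrentVersion', 'Policies', 'Explorer') -join $sep
    $hives = @{
        HKLM = [Microsoft.Win32.Registry]::LocalMachine
        HKCU = [Microsoft.Win32.Registry]::CurrentUser
    }
    foreach ($name in @('HKLM', 'HKCU')) {
        $value = $null
        $sub = $hives[$name].OpenSubKey($key)
        if ($sub) { $value = $sub.GetValue('NoDriveTypeAutoRun'); $sub.Close() }
        $shown = 'not set'
        if ($null -ne $value) { $shown = '0x{0:X2}' -f [int]$value }
        [pscustomobject]@{
            Hive               = $name
            NoDriveTypeAutoRun = $shown
            AllDrivesDisabled  = ([int]$value -eq 0xFF)
        }
    }
}

# 3. Certificates whose RSA private key is marked exportable. Only these can be
#    pulled out of the store through the normal crypto API by code running as
#    the user; non-exportable keys can still be *used* (signed with, decrypted
#    with) by malware in that session, they just cannot be copied off-host.
#    CSP keys are checked via CspKeyContainerInfo, CNG keys via ExportPolicy.
function Get-ExportablePrivateKey {
    foreach ($location in @('CurrentUser', 'LocalMachine')) {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', $location)
        $store.Open('ReadOnly')
        try {
            foreach ($cert in $store.Certificates) {
                if (-not $cert.HasPrivateKey) { continue }
                $rsa = $null
                try { $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert) } catch { }
                if ($null -eq $rsa) { continue }   # not RSA (e.g. ECDSA) or key not accessible
                $exportable = $false
                if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $exportable = $rsa.CspKeyContainerInfo.Exportable
                } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                    $exportable = ($rsa.Key.ExportPolicy -ne 'None')
                }
                if ($exportable) {
                    [pscustomobject]@{
                        Location   = $location
                        Subject    = $cert.Subject
                        Thumbprint = $cert.Thumbprint
                        KeyType    = $rsa.GetType().Name
                    }
                }
            }
        } finally {
            $store.Close()
        }
    }
}

Get-BroadlyWritableShare | Format-Table -AutoSize
Get-AutoRunPolicy        | Format-Table -AutoSize
Get-ExportablePrivateKey | Format-Table -AutoSize
```

Run it from an elevated Windows PowerShell prompt on the hosts you are triaging. Every share it lists is a path the worm can copy itself into with ordinary user rights, so tighten those share or NTFS ACLs first; a NoDriveTypeAutoRun other than 0xFF leaves removable media as a launch path; and each certificate it lists holds a key that an information stealer running as that user can export, so consider reissuing those keys as non-exportable, keeping in mind that non-exportable only blocks copying the key out, not using it while the malware is running.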
ADC policies are useful in reducing the risk of a threat infecting a computer, preventing the unintentional removal of data, and restricting the programs that are run on a computer.\r\nThis particular ADC policy can be used to help combat an outbreak of this threat by slowing down or eliminating its ability to spread from one computer to another. If you are experiencing an outbreak of this threat on your network, please download the policy by right-clicking the link, choosing your browser's \"save as\" option, and saving the file as \"W32.Qakbot.dat\".\r\nTo use the policy, import the .dat file into your Symantec Endpoint Protection Manager. When distributing it to client computers, we recommend using it in Test (log only) mode initially in order to determine the possible impacts of the policy on normal network/computer usage. After observing the policy for a period of time, and determining the possible consequences of enabling it in your environment, deploy the policy in Production mode to enable active protection.\r\nFor more information on ADC policies and how to manage and deploy them throughout your organization, please refer to the Symantec Endpoint Protection Administration Manual (PDF).\r\nNote: The ADC policies developed by Security Response are recommended for use in outbreak situations. While useful in such situations, due to their restrictive nature they may cause disruptions to normal business activities.\r\nA more detailed description of Rapid Release and Daily Certified virus definitions is available from Symantec.\r\nSource: https://web.archive.org/web/20151026140427/https://www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://web.archive.org/web/20151026140427/https://www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99"
	],
	"report_names": [
		"writeup.jsp?docid=2009-050707-0639-99"
	],
	"threat_actors": [],
	"ts_created_at": 1775434313,
	"ts_updated_at": 1775791205,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9d3e7b254e2781bc809e05839a3e77a39c839ece.pdf",
		"text": "https://archive.orkl.eu/9d3e7b254e2781bc809e05839a3e77a39c839ece.txt",
		"img": "https://archive.orkl.eu/9d3e7b254e2781bc809e05839a3e77a39c839ece.jpg"
	}
}