Type: Trojan
Category: Win32
Also known as:
W32/Downloader.BGT (F-Secure), TROJ_NARRATOR.A (Trend), Adware-Qoolaid (McAfee), TROJ_QOOLAID.A (Trend), Win32/Qoologic!DLL!Trojan, Win32/Qoologic!generic, Win32/Qoologic.16384!DLL!Trojan, Win32/Qoologic.24576!DLL!Trojan, Win32/Qoologic.32768!Trojan, Win32/Qoologic.61952!Trojan, Win32.Qoologic.A, TROJ_QOOLOGIC.A (Trend), Win32.Qoologic.AB, Win32/Qoologic.AB, Win32.Qoologic.B, TROJ_QOOLOGIC.B (Trend), Win32/TrojanDownloader.Qoologic.B trojan (Pest Patrol), Win32.Qoologic.C, Win32/Qoologic.C!Trojan, Win32.Qoologic.D, Win32/Qoologic.D!Trojan, Win32.Qoologic.E, Win32.Qoologic.F, Win32.Qoologic.G, Win32/Qoologic.G!Trojan, Win32.Qoologic.H, Win32.Qoologic.I, Win32.Qoologic.J, Win32.Qoologic.K, Win32.Qoologic.L, Win32.Qoologic.M, Win32.Qoologic.N, Win32.Qoologic.O, Win32.Qoologic.P, Win32.Qoologic.Q, Win32.Qoologic.R, Win32.Qoologic.S, Win32.Qoologic.T, Win32.Qoologic.U, Adware-SAHAgent.dldr (McAfee), Win32/SillyDl.JE!Trojan, Trojan-Downloader.Win32.Qoologic.a (Kaspersky), Trojan-Downloader.Win32.Qoologic.b, Trojan-Downloader.Win32.Qoologic.d (Kaspersky), Trojan-Downloader.Win32.Qoologic.e (Kaspersky), TrojanDownloader.Win32.Qoologic.e (Pest Patrol), Trojan-Downloader.Win32.Qoologic.f (Kaspersky), Trojan-Downloader.Win32.Qoologic.i (Pest Patrol), Trojan-Downloader.Win32.Qoologic.l (Kaspersky), Trojan-Downloader.Win32.Qoologic.n (Kaspersky), Trojan-Downloader.Win32.Qoologic.o (Kaspersky), Downloader-YH.dr (McAfee)
Description
Win32.Qoologic is a family of trojans that contain limited backdoor functionality and are controlled via a downloaded XML configuration file. They also have the ability to hide their operation from other programs.
Method of Infection
When executed, Qoologic trojans drop an executable file to the %Windows% or %System% directories using a filename generated from the hard disk serial number of the affected system.
The trojan then modifies the registry to execute this file at each Windows start. This modification varies slightly according to variant.
For example, Qoologic.A makes the following modification:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Narrator = "%Windows%\<random filename>.exe"
while more recent variants use 'KavSvc' as the value name, for example:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KavSvc = "%Windows%\<random filename>.exe"
Note: '%System%' and '%Windows%' are variable locations. The malware determines the location of these folders by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME is C:\Windows\System; and for XP is C:\Windows\System32. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95, 98 and ME is C:\Windows; and for XP is C:\Windows.
These trojans also drop two DLLs whose filenames are generated by the same method as that of the executable.
One of these DLLs keeps itself registered as a service process and is used to initialize and maintain the activity of the second DLL, which contains the core functionality of Qoologic.
Some variants also make a copy of the initial dropper in the "%Documents and Settings%\All Users\Start Menu\Programs\Startup" directory.
Note: %Documents and Settings% is a variable location and refers to the current user's Documents and Settings folder. The malware determines the location of the current Documents and Settings folder by querying the operating system. A typical location for this folder would be: C:\Documents and Settings.
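As an added defensive example that is not part of this entry, the following Python parses a text export of the HKLM Run key (as produced by 'reg export') and flags entries matching the persistence pattern described above: a value named Narrator or KavSvc whose data is an .exe placed directly in the Windows or System directory. The sample .reg text, the Windows root paths and the allow-list for Windows' own narrator.exe are constructed assumptions.

```python
import re
from typing import Dict, List

# Run-key value names used by Qoologic variants (Narrator for .A, KavSvc for later ones).
QOOLOGIC_VALUE_NAMES = {"narrator", "kavsvc"}
# %Windows% roots for a default 2000/NT or XP layout (assumed; adjust for the host examined).
WINDOWS_ROOTS = ("c:\\windows", "c:\\winnt")
# Windows' own accessibility tool shares the value name; allow-listing it keeps it out of the hits.
KNOWN_GOOD_FILENAMES = {"narrator.exe"}

RUN_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\]$", re.I)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Constructed 'reg export' sample: one benign entry, one Qoologic-style entry, one RunOnce entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"KavSvc"="C:\\WINDOWS\\hj3k9p.exe"
"Narrator"="C:\\WINDOWS\\System32\\narrator.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Narrator"="C:\\WINDOWS\\qx1b.exe"
"""


def parse_run_values(reg_text: str) -> Dict[str, str]:
    """Return the string values under the HKLM Run key from a .reg text export."""
    values, in_run = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):          # new key header: are we inside the Run key?
            in_run = bool(RUN_KEY_RE.match(line))
            continue
        m = VALUE_RE.match(line) if in_run else None
        if m:
            # .reg exports escape each backslash as '\\'; undo that.
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values


def find_qoologic_entries(values: Dict[str, str]) -> List[str]:
    """Flag Run values that match the Qoologic persistence pattern described above."""
    hits = []
    for name, data in values.items():
        directory, _, filename = data.strip('"').lower().rpartition("\\")
        in_windows_dir = any(directory in (root, root + "\\system32", root + "\\system")
                             for root in WINDOWS_ROOTS)
        if (name.lower() in QOOLOGIC_VALUE_NAMES and in_windows_dir
                and filename.endswith(".exe") and filename not in KNOWN_GOOD_FILENAMES):
            hits.append(f"{name} -> {data}")
    return hits
```

The RunOnce section is deliberately ignored because the description names only the Run key; a real export from an affected host is checked with the same two calls.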
Payload
Stealth
Qoologic trojans are able to hide processes/files/registry values from other programs.
Backdoor Functionality
Qoologic downloads an XML configuration file from a remote server that may contain a number of different commands, including:
- Clear all pop-ups
- Set foreground window
- Remove programs/windows from the taskbar
- Create full-screen pop-ups
- Generate an exception (i.e. crash a program)
- Monitor its own hooks
- Execute tasks from a remote server
- Create pop-ups
- Dump debug data to a remote server
- Display a fake 'uninstalled' message dialog
- Update itself
- Show a pop-up message
- Monitor mouse clicks and keystrokes
- Modify the user's registry
Note: Pop-ups are served from a remote web server.
Qoologic variants have been associated with a list of remote IP addresses and URLs.
Hijacks/Redirects Internet Browsing
Qoologic hijacks (redirects) both Internet Explorer windows and those of any other browser based on Mozilla code (e.g. Opera, Mozilla, Firefox, Netscape).
Note: Early variants of this family achieved this by adding themselves as a BHO (browser helper object) as well, but later variants only hijack the browser processes directly.
Qoologic contains a list of URLs that are excepted from hijacking and redirection; variants A to F do not modify a URL from that list when it appears in the user's browser's address bar.
Analysis by Paul Taylor