General information of W32.Pinkslipbot
Name: W32.Pinkslipbot
Affected OS: Windows NT/2000/XP/Vista
Category: Spyware
Risk level: 3
Description

When executed, the worm copies itself into the following location:

  • %Appdata%\microsoft\kxviad\kxviad.exe

and drops the following files:

  • %Appdata%\Microsoft\kxviad\q1.19181 [Detected as W32/Pinkslipbot]
  • %Appdata%\Microsoft\kxviad\q1.20997 [Detected as W32/Pinkslipbot]
  • %Appdata%\Microsoft\kxviad\q1.22006 [Detected as W32/Pinkslipbot]
  • %Appdata%\Microsoft\kxviad\kxvia.dll

The following registry value is added to the system:

  • HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\
    "ctfmon" = "%Appdata%\microsoft\kxviad\kxviad.exe"

The above registry entry ensures that the bot executes every time Windows starts (the value name mimics the legitimate ctfmon entry).

The following registry value is modified:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    [Application Name] = ""%Appdata%\microsoft\kxviad\kxviad.exe" /c [Application path]

The modified entry likewise ensures that the bot executes every time Windows starts: an existing autostart entry is rewritten so that the original application is launched through the bot (the "/c [Application path]" part).

Once the user's system is compromised, the worm connects to the following sites to receive bot commands and to perform malicious activities:

  • http://boogi[Removed]kid.com
  • http://hos[Removed]r.com
  • http://www.cdcd[Removed]sfdfd.com

It also steals the following system information:

  • ext_ip
  • dnsname
  • hostname
  • country
  • state
  • city
  • user
  • domain
  • is_admin
  • os
  • time
  • qbot_version
  • install_time

The worm creates a mutex object called "kxvia" to mark its presence and creates the following configuration files:

  • crontab.cb
  • updates.cb
  • updates1.cb
  • _qbot.cb

The worm also monitors the following sites on the compromised system when they are visited by the user:

  • business-eb.ibanking-services.com
  • treasury.pncbank.com
  • access.jpmorgan.com
  • ktt.key.com;onlineserv/CM
  • premierview.membersunited.org
  • directline4biz.com
  • onb.webcashmgmt.com
  • tmconnectweb
  • moneymanagergps.com
  • ibc.klikbca.com
  • directpay.wellsfargo.com
  • express.53.com
  • itreasury.regions.com
  • itreasurypr.regions.com
  • cpw-achweb.bankofamerica.com
  • businessaccess.citibank.citigroup.com
  • businessonline.huntington.com

(Where %Appdata% is C:\Documents and Settings\All Users\Application Data\)

-----------------------------------------------

Some variants of this bot have been found using JavaScript to download:

  • q1.dll (W32/Pinkslipbot)
  • q2l.exe (W32/Pinkslipbot)

This bot also creates:

  • _qbotjfiwrg.job (W32/Pinkslipbot!job) (to run the JavaScript periodically)
  • icsmg.js (JS/Downloader-AH)

Some variants of this bot drop a copy of itself and its components in the following directory:

  • %all users profile%\_qbothome\_qbotinj.exe (W32/Pinkslipbot)
  • %all users profile%\_qbothome\_qbot.dll (W32/Pinkslipbot!dll)

The following files are also created:

  • %all users profile%\_qbothome\crontab.cb
  • %all users profile%\_qbothome\q1.32672
  • %all users profile%\_qbothome\updates.cb
  • %all users profile%\_qbothome\_qbot.cb
  • %all users profile%\_qbothome\_qbot_installed

(Where %all users profile% is the Windows user profile folder, e.g. C:\Documents and Settings\All Users)

It modifies existing autostart entries in the registry so that it is automatically executed at startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"[original application registry name]" = "[original application registry value]" ""%all users profile%\_qbothome\_qbotinj.exe" "%all users profile%\_qbothome\_qbot.dll" /c "[original application registry value]"
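The two autostart patterns described on this page (a Run value such as "ctfmon" pointing straight at kxviad.exe, and existing Run entries rewritten as "<bot executable>" [ "<bot dll>" ] /c "<original command>", in both the kxviad and the _qbothome variants) can be triaged offline from exported Run-key entries. The script below is an added example written for this page; it is not code from the original write-up or from any vendor tool. The registry entries it analyses are constructed samples, the application names and paths in them (an Adobe Reader launcher, a Java update scheduler, a "Backup Agent") are made up for illustration, and the detection goes a little beyond the page: besides the named bot binaries it also flags any non-shell launcher that wraps another executable with /c, since that is the shape of the hijack rather than a particular file name.

```python
"""Triage Windows Run-key entries for the Pinkslipbot autostart patterns.

Added example for this page. The sample entries below are constructed, not
taken from an infected host; application names and paths are hypothetical.
"""
import ntpath
from dataclasses import dataclass

# Component file names given in the write-up (compared case-insensitively).
BOT_BINARIES = {"kxviad.exe", "_qbotinj.exe", "_qbot.dll"}
# Ordinary command interpreters: "/c" after these is normal shell usage,
# not the bot's wrapper syntax.
SHELLS = {"cmd.exe", "command.com"}


def split_cmdline(value: str) -> list:
    """Split a registry command line into arguments, honouring double quotes."""
    args, cur, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def quote_args(args) -> str:
    """Re-quote arguments that contain spaces, as the registry value expects."""
    return " ".join(f'"{a}"' if " " in a else a for a in args)


@dataclass
class Finding:
    key: str
    name: str
    verdict: str                # "bot-autostart" | "hijacked-autostart" | "clean"
    original_command: str = ""  # for hijacks: the value to restore


def analyse_run_entry(key: str, name: str, value: str) -> Finding:
    """Classify one Run-key value according to the patterns on this page."""
    args = split_cmdline(value)
    lower = [a.lower() for a in args]
    base = [ntpath.basename(a) for a in lower]   # ntpath handles "\" on any OS
    if "/c" in lower:
        i = lower.index("/c")
        launcher, wrapped = base[:i], args[i + 1:]
        wraps_exe = bool(wrapped) and wrapped[0].lower().endswith(".exe")
        launcher_is_bot = any(b in BOT_BINARIES for b in launcher)
        launcher_is_shell = bool(launcher) and launcher[0] in SHELLS
        if launcher_is_bot or (wraps_exe and not launcher_is_shell):
            return Finding(key, name, "hijacked-autostart", quote_args(wrapped))
    if any(b in BOT_BINARIES for b in base):
        return Finding(key, name, "bot-autostart")
    return Finding(key, name, "clean")


def triage(entries) -> dict:
    """Map each value name to its Finding for a list of (key, name, value)."""
    return {name: analyse_run_entry(key, name, value) for key, name, value in entries}


# Constructed sample data (hypothetical paths; %Appdata% expanded as the page states).
APPDATA = r"C:\Documents and Settings\All Users\Application Data"
PROFILE = r"C:\Documents and Settings\All Users"
HKCU_RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
HKLM_RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

SAMPLE_ENTRIES = [
    # value name mimics the legitimate ctfmon entry but points at the bot
    (HKCU_RUN, "ctfmon", rf'"{APPDATA}\microsoft\kxviad\kxviad.exe"'),
    # existing autostart wrapped with the first variant's "/c" syntax
    (HKLM_RUN, "Adobe Reader Speed Launcher",
     rf'"{APPDATA}\microsoft\kxviad\kxviad.exe" /c "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"'),
    # second variant: injector + dll, then the original command
    (HKLM_RUN, "SunJavaUpdateSched",
     rf'"{PROFILE}\_qbothome\_qbotinj.exe" "{PROFILE}\_qbothome\_qbot.dll" /c "C:\Program Files\Java\jre6\bin\jusched.exe"'),
    # untouched entries
    (HKCU_RUN, "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    (HKLM_RUN, "Backup Agent", r'"C:\Program Files\Backup Agent\agent.exe" /background'),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ENTRIES).values():
        line = f"{f.verdict:20} {f.name}"
        if f.original_command:
            line += f"  -> restore to: {f.original_command}"
        print(line)
```

Feed it the (key, name, value) triples from an exported Run key; for every "hijacked-autostart" finding the original_command field is the value to put back once the bot files have been removed, and "bot-autostart" entries are simply deleted.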

It then injects its DLL component into iexplorer.exe.

It connects to the following domains to send information and receive commands:

  • a.rtbn[blocked].cn
  • zurnre[blocked].com
  • w1.webinspect[blocked].biz
  • ftp.eltawhee[blocked].com
  • www.cdcdcdcdc2121cds[blocked].com

Information sent includes:

  • network information
  • geographic location
  • keystroke logs

Commands received include updating the malware and installing additional malware on the system.
