Saturday, July 26, 2014

QPST 2.7 review by AnycallMongolia

ASALAMUALAIKUM WR WB


Hello, fellow QPST users.

QPST 2.7 Build 4.2.2 is a fake version with a keylogger.
Some a$$hole downloaded the latest public QPST build (4.0.2) and decompiled the MSI installer package, then edited all "4.0.2" to "4.2.2", added a "fake changelog", added a keylogger (qualcomm.exe), then repackaged it and spread it around the web!

Everyone who downloaded QPST build "4.2.2" should change all their passwords.

More info about the malware from the fake 4.2.2 build (QPST.2.7.422.msi)
The MSI package (QPST.2.7.422.msi) was tampered with and has qualcomm.exe embedded in it, which is .NET-based malware that logs your keystrokes and sends them to the attacker's server.

How to delete the actual malware from your system?
Look at the startup entries in msconfig or CCleaner; there should be a file called qualcomm.exe that's set to start every time the system starts. Delete both the registry entry and the file.

If you want to see what data the thief stole from you, just open the .dc file (in the "dclogs" folder) with Notepad and see for yourself.
In XP, the .dc file is located here:
C:\Documents and Settings\Administrator\Application Data\dclogs
There should be a file called "201X-XX-XX-X.dc".
If you open that .dc file with Notepad, you'll see all your keystrokes.

Here is mine. I've intentionally entered the PayPal site with fake info.

:: Run (3:01:51 AM)
Script kiddie. NET Based malware, huh?[ESC]

:: Program Manager (3:02:14 AM)
e

:: Firefox (3:02:18 AM)

www.paypal.com

johhny193@yahoo.com[TAB]
mypaypalpass
[ENTER]


:: Documents and Settings (3:02:19 AM)
[UP]



:: Administrator (3:02:28 AM)
[DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN]
[DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN]
d

:: (3:02:34 AM)


:: Administrator (3:02:34 AM)
d

:: (3:03:11 AM)
mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm

:: [Release] QPST 2.7 BUILD 422 - Download Here - Enjoy - Mozilla Firefox (3:03:57 AM)
crap


How to delete?d

:: Clipboard Change : size = 16 Bytes (3:03:57 AM)
QPST.2.7.422.msi

:: (3:04:23 AM)
cccccc

The keylogger sends its logs to "qpst.hopto.me".

So please report this incident wherever and whenever you encounter QPST 4.2.2 (forums, posts, sharing sites, etc.).
Copy my whole post and paste it where you see 4.2.2 mentioned.


Bonus: Fake Changelog
If you've installed this 422 build, then open the Readme.txt in C:\Program Files\Qualcomm\QPST\Documents
Scroll down and see the "6/12/13 QPST 2.7.422 changelog"
6/12/13 QPST 2.7.422
1) EFS Hello commands will not be sent unless the device is in a compatible mode. Sending this command when the
device is in download mode can cause a "server busy" message for a few seconds because of command retries.
2) Support for the Sahara device protocol (see 80-N1008-1 or equivalent) is now built in to the QPST server process.
This protocol is only supported by USB Serial ports, not TCP/IP connections. In QPST Configuration a device in
this mode will display as "Q/QCP-XXX (Sahara Download)". This mode can only be detected (1) when the QPST server
process starts or a COM port in this mode added to QPST, or (2) when a device enters Sahara mode on a port assigned
to QPST. This is because the device only sends its Hello message once, as soon as the COM port is opened.
The changelog above is actually cloned from QPST 2.7.394. Just scroll down and see the Build 2.7.394 changelog. It's the same!

So forget about Build 422. It doesn't exist.
Use QPST 2.7 Build 402. It's the latest public build.

Sorry about my English

Best Regards
AnycallMongolia 
 

wasalamualaikum wr wb

Arek NGAJUM IsoIso Ae [ The Fully Fuckin' Headache Lion ]
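
Added example (not part of the original post, and not code from QPST or the malware): a small Python triage script for the .dc log layout shown in the post, which lists the windows where text or clipboard data was captured so a victim knows which accounts to rotate first. The header pattern is inferred from the single sample in the post, and the function names, the min_chars threshold and the sample log are assumptions constructed for illustration.

```python
import re

# Header shape taken from the sample log in the post: ":: <window title> (<h:mm:ss AM|PM>)"
HEADER = re.compile(r"^::\s*(?P<title>.*?)\s*\((?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\)\s*$")
KEY_TOKEN = re.compile(r"\[[A-Z]+\]")  # special keys such as [TAB], [ENTER], [DOWN]

# Constructed sample modelled on the log in the post; every value is a placeholder.
SAMPLE = """\
:: Run (3:01:51 AM)
notepad[ESC]
:: Firefox (3:02:18 AM)
www.example.test
user@example.test[TAB]
not-a-real-password
[ENTER]
:: Administrator (3:02:28 AM)
[DOWN][DOWN][DOWN]
d
:: (3:02:34 AM)
:: Clipboard Change : size = 16 Bytes (3:03:57 AM)
QPST.2.7.422.msi
"""

def parse_dc_log(text):
    """Split a .dc log into records: window title, time, captured lines."""
    records, current = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = {"title": m["title"], "time": m["time"], "lines": []}
            records.append(current)
        elif current is not None and raw.strip():
            current["lines"].append(raw.strip())
    return records

def exposure_report(records, min_chars=4):
    """Return (time, title, kind) for records with real typed text or clipboard data."""
    report = []
    for r in records:
        typed = KEY_TOKEN.sub("", "".join(r["lines"]))  # drop navigation keys
        is_clip = r["title"].startswith("Clipboard Change")
        if is_clip or len(typed) >= min_chars:
            kind = "clipboard" if is_clip else "keystrokes"
            report.append((r["time"], r["title"] or "<no title>", kind))
    return report

if __name__ == "__main__":
    for when, title, kind in exposure_report(parse_dc_log(SAMPLE)):
        print(f"{when}  {kind:<10}  {title}")
```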