Home / malware Trojan.Qhost.WU
First posted on 21 November 2011.
Source: BitDefenderAliases :
Trojan.Qhost.WU is also known as Trojan.Win32.Qhost.wu, Trojan.Qhost.45077, W32/Trojan2.JRR, W32/Qhost.WU!tr, TR/Qhost.WU, Win32:Qhost-BGZ, [Trj].
Explanation :
Google Adsense is a service offered by Google which places advertisements in web pages. The advertisements are targeted (meaning that they are in concordance with the topic of the webpage), making them more effective. The revenue from every click on the advertisements is shared between Google and the webpage owner.
The embedding of the advertisements is done by including a small piece of HTML / JavaScript (provided by Google) in the webpages which should present the advertisements by the webmaster. This code contacts the Google Adsense servers which delivers the targeted advertisements.
This malware uses the "hosts" file (located in the "%WINDIR%System32driversetc" directory) to redirect the initial query to the Google Adsense servers to a malicious host. This file is used as a first step in the name / IP translation process and if an entry is located in this file, the domain name server is not queried. The malware creates an entry redirecting pagead2.googlesyndication.com to a rogue server.
This server, rather than displaying advertisements from Google, display advertisements from a third party services. This damages both users (because the advertisements and/or the linked sites may contain malicious code - a very likely situation, given that they are promoted using malware in the first place) and webmasters (because they take away viewers and thus possible money sources from their websites).Last update 21 November 2011