Home / malware Trojan:Win32/QHosts.BF
First posted on 23 January 2013.
Source: MicrosoftAliases :
Trojan:Win32/QHosts.BF is also known as Trojan.Hosts.6582 (Dr.Web), Trojan.VBS.Downloader (Ikarus), Trojan.Win32.Qhost.aexv (Kaspersky), Trojan/Win32.Qhost (AhnLab), Win32/Bicololo.A trojan (ESET), winpe/Qhost.MCF (Norman).
Explanation :
Trojan:Win32/Qhosts.BF is usually downloaded onto your computer by other malware.
Some sample file names emply social engineering techniques, which indicates that the trojan may also be sent via spam messages, obtained through P2P (peer-to-peer) sharing, or downloaded from unreliable gaming or cheat websites.
In the wild, we have observed the following file names being used for the trojan:
- _programma_slava_petuhu_v1.exe
- golosaVK.exe
- morozko-myzikl-scenariy.exe
- Naruto_Shippuuden.rar
- odnoklassniki.exe
- referat-na-temu-profilaktika.doc.exe
- sbornik_gdz_i_kursovih_rabot.exe
- volshebnaya-shlyapa-konkurs-narezki.exe
We have also observed the trojan contained in archives with the following names:
- cheats.rar
- Dota.rar
- Sai_250_resanta_shema.zip
- sbornik_audioknig.zip
- Sims3_mod.rar
- wihack.zip
Installation
When run, Trojan:Win32/Qhosts.BF drops the following four files into a folder that it creates in the %ProgramFiles% folder:
- A batch file (BAT), which alters your computer's Hosts file
- A text file (TXT) file, from which the trojan obtains additional information about the remote server it connects to
- A visual basic script (VBS) file, which is used to read the text file and contact the remote server
- A second visual basic script while, which is used to open your computer's Hosts file
The names of the files and folders changes between variants of Trojan:Win32/Qhosts.BF. For example, we have observed the following two sets of folder and file names:
- For one variant, we observed:
- %ProgramFiles%\ltd-kids\ltds\molsoko.bat
- %ProgramFiles%\ltd-kids\ltds\papko.txt
- %ProgramFiles%\ltd-kids\ltds\kalanko_poligon.vbs
- %ProgramFiles%\ltd-kids\ltds\zizn_eto_gagarinl.vbs
- For a second variant, we observed:
- %ProgramFiles%\limo\timo\gnedodelr.vbs
- %ProgramFiles%\limo\timo\kols.txt
- %ProgramFiles%\limo\timo\palirkonkod.vbs
- %ProgramFiles%\limo\timo\zkolapsssss.bat
Note: %ProgramFiles% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Program Files folder for Windows 2000, XP, 2003, Vista and 7 is "C:\Program Files".
Payload
Modifies the Hosts file
When run, Trojan:Win32/Qhosts.BF alters your computer's Hosts file, which Windows uses to determine the addressess of websites.
The trojan does this so that your web browser is redirected away from the following sites:
- m.my.mail.ru
- m.odnoklassniki.ru
- m.ok.ru
- m.vk.com
- my.mail.ru
- odnoklassniki.ru
- ok.ru
- vk.com
- www.odnoklassniki.ru
We have observed the trojan redirecting traffic from those sites to the following addresses:
- 108.170.38.201
- 173.44.34.125
- 192.157.49.4
- 69.197.136.105
- 75.102.8.33
- 94.242.214.151
- 94.242.221.93
- 96.45.190.45
Contacts remote hosts
Trojan:Win32/Qhosts.BF attempts to connect to the address "hxxp://<IP address>/<removed>/tuk" to report its infection and download additional files onto your computer, where <IP address> is one of the following:
- 199.241.191.138:1335
- 94.248.188.143:9007
The trojan will also connect to "199.241.191.138:1335/<removed>/tuk/<remote folder>", where the <remote folder> is identified in the TXT file, for example "199.241.191.138:1335/<removed>/stat/tuk/288".
Analysis by Jeong Mun
Last update 23 January 2013