Trojan:Win32/Koobface.A
First posted on 16 June 2010.
Source: SecurityHome
Aliases :
Trojan:Win32/Koobface.A is also known as Trojan.Qhost.824 (Dr.Web), Win32/Qhost.NRK (ESET), Trojan.Win32.Qhost.mky (Kaspersky), Generic Qhost!y (McAfee), W32/Atraps.AABD (Norman), Trojan.Chost (Symantec), TROJ_QHOST.VZ (Trend Micro), Trojan.Qhost.DDC (VirusBuster).
Explanation :
Trojan:Win32/Koobface.A is a trojan component of Win32/Koobface that replaces the local hosts file.
Installation

This trojan component is installed by other variants of Win32/Koobface, a multi-component family of malware used to compromise computers and direct them in various ways to an attacker's will. This could include using the affected computer to distribute additional malware, generate "pay-per-click" advertising revenue and other activities.

When run, this trojan drops a file as the following:

c:\1.tmp - Trojan:Win32/Koobface.A

The dropped file is then run.

Payload

Replaces hosts file

Trojan:Win32/Koobface.A replaces the contents of the hosts file with the following:

<IP address> uuu20091124.info

Where "<IP address>" is "85.13.206.114".

The hosts file is commonly stored as the following: %windir%\system32\drivers\etc\hosts.

The trojan then deletes itself.

Additional Information

For more information about Win32/Koobface, see the description elsewhere in our encyclopedia.
Analysis by Tim Liu
Last update 16 June 2010
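
A defender-side check for the hosts-file replacement described above, as an added example that is not part of the original write-up: it parses hosts-file text and flags the entry this trojan writes, plus any other mapping to a non-loopback address. The function names, finding labels and sample inputs are assumptions made for this example; the IP address, hostname and hosts path are the ones given in the description.

```python
import ipaddress
import os

# Indicators as given in the write-up above.
IOC_IP = "85.13.206.114"
IOC_HOST = "uuu20091124.info"

def parse_hosts(text):
    """Yield (line_no, ip, hostnames) for every active entry in hosts-file text."""
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # strip comments, split on whitespace
        if len(fields) < 2:
            continue                            # blank, comment-only or incomplete line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first field is not a valid address
        yield line_no, ip, [h.lower() for h in fields[1:]]

def audit_hosts(text):
    """Return findings as (line_no, kind, ip, hostnames) tuples."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        if str(ip) == IOC_IP or IOC_HOST in names:
            kind = "koobface-a-indicator"
        elif ip.is_loopback or ip.is_unspecified:
            continue                            # localhost entries and 0.0.0.0 blocklists
        else:
            kind = "non-loopback-mapping"       # needs review: may be a legitimate override
        findings.append((line_no, kind, str(ip), names))
    return findings

# Constructed sample inputs (not captured from a real host).
CLEAN = "# Sample hosts file\n127.0.0.1 localhost\n::1 localhost\n0.0.0.0 ads.example.test # block\n"
REPLACED = "85.13.206.114 uuu20091124.info\n"

if __name__ == "__main__":
    windir = os.environ.get("windir", r"C:\Windows")
    path = os.path.join(windir, "system32", "drivers", "etc", "hosts")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for finding in audit_hosts(fh.read()):
            print(finding)
```

Because the trojan deletes itself after running, the hosts file content is the artifact most likely to remain on disk, which is why the check targets it rather than c:\1.tmp.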