Trojan:Win32/Qhost.IF
First posted on 29 October 2013.
Source: Microsoft
Aliases:
There are no other names known for Trojan:Win32/Qhost.IF.
Explanation:
Threat behavior
Trojan:Win32/Qhost.IF is a malicious program that is unable to spread of its own accord. It may perform a number of actions of an attacker's choice on an affected computer.
Installation
When it runs, Trojan:Win32/Qhost.IF copies itself to <system folder>\msnmsgr.scr. The malware creates the following files on your PC:
- <system folder>\vvuacult.scr
- c:\users.txt
- c:\documents and settings\administrator\application data\microsoft\internet explorer\quick launch\internet explorer.lnk
- c:\documents and settings\administrator\desktop\internet explorer.lnk
- c:\documents and settings\administrator\start menu\programs\startup\messenger.lnk
Payload
Modifies Hosts file
Trojan:Win32/Qhost.IF modifies the Windows Hosts file. Entries in the local Hosts file override DNS resolution, mapping a website's host name to a particular IP address. Malicious software may modify the Hosts file in order to redirect specified URLs to different IP addresses. Malware often modifies an affected computer's Hosts file to stop users from accessing websites associated with particular security-related applications (such as antivirus products).
This malware description was produced and published using our automated analysis system's examination of file SHA1 db3585a62cccdf54c8f8e0112a90b4c9fcfad942.
Symptoms
System changes
The following could indicate that you have this threat on your PC:
- The presence of the following files:
  - <system folder>\msnmsgr.scr
  - <system folder>\vvuacult.scr
  - c:\users.txt
  - c:\documents and settings\administrator\application data\microsoft\internet explorer\quick launch\internet explorer.lnk
  - c:\documents and settings\administrator\desktop\internet explorer.lnk
  - c:\documents and settings\administrator\start menu\programs\startup\messenger.lnk

Last update 29 October 2013