Home / malware Trojan:Win32/Qhosts.AY
First posted on 29 October 2012.
Source: MicrosoftAliases :
Trojan:Win32/Qhosts.AY is also known as QHosts-155 (McAfee), Trojan.Bat.Qhost (Ikarus), Trojan/Win32.Qhost (AhnLab), Win32/Bicololo.A (ESET), Trojan.ADH.2 (Symantec), Trojan.BAT.Qhost.py (Kaspersky), Trojan.Qhost.4158 (Dr.Web), W32/Qhost.LNS (Norman).
Explanation :
Trojan:Win32/Qhosts.AY is a trojan that redirects your web browser away from certain sites and may download additional malware onto your computer.
Some variants may show images that display adult content in an attempt to hide their payload.
Installation
The trojan is usually downloaded onto your computer by other malware.
Some sample file names also indicate that it may be sent via spam messages or through P2P (peer-to-peer) sharing, using social engineering techniques.
In the wild, we have observed the following file names being used for the trojan:
- kak-nezametno-usipit-cheloveka-text.doc.exe
- kak-oboyti-kerio-control-text.doc.exe
- Keygen_badcopy_pro_4_10_1215.exe
- krutova_640x480.scr
- photo_640x480.scr
- Setup.exe
When run, Trojan:Win32/Qhosts.AY creates a folder path in the %ProgramFiles% folder in the format "<letter_number>\<letter_number>". We have observed the following folder paths:
- %ProgramFiles%\j1\j1
- %ProgramFiles%\s1\s1
Note: %ProgramFiles% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Program Files folder for Windows 2000, XP, 2003, Vista and 7 is "C:\Program Files".
Trojan:Win32/Qhosts.AY then creates the following three files in the folder path:
- A batch file (BAT), which alters your computer's Hosts file and may be detected as Trojan:BAT/Qhost.Z
- Either one of the following files:
- A text file (TXT) file, from which the trojan obtains additional information about the server it connects to, or
- An image file (JPG), which the trojan uses to hide the process of altering the Hosts file
- An executable file (EXE), which connects to a remote server to report the trojan's infection and download additional files (this executable is also detected as Trojan:Win32/Qhosts.AY)
It uses a predefined list for the names of the files; the list changes between variants.
In the wild, we have observed the following three sets of folder and file names:
- For one variant, we observed:
- %ProgramFiles%\s1\s1\kuda_katitsa_mir.bat
- %ProgramFiles%\s1\s1\ludi_kak_oleni.jpg
- %ProgramFiles%\s1\s1\lublu_vinograd.exe
- For a second variant, we observed:
- %ProgramFiles%\s1\s1\p.txt
- %ProgramFiles%\s1\s1\444444.bat
- %ProgramFiles%\s1\s1\666666.exe
- For a third variant, we observed:
- %ProgramFiles%\j1\j1\ko.txt
- %ProgramFiles%\j1\j1\lomai_manya.bat
- %ProgramFiles%\j1\j1\ya_hoshu_4tobi_ti_lomal_menya.exe
Payload
Modifies the Hosts file
Trojan:Win32/Qhosts.AY modifies the Windows Hosts file in order to redirect specified URLs to different IP addresses.
When run, the trojan loads the batch file that it created during installation. This batch file alters your computer's Hosts file and may be detected as Trojan:BAT/Qhost.Z.
To hide the running of the batch file, the trojan displays the image file.
The trojan redirects your web browser away from the following sites:
- m.my.mail.ru
- m.odnoklassniki.ru
- m.ok.ru
- m.vk.com
- my.mail.ru
- odnoklassniki.ru
- ok.ru
- vk.com
- vk.com
- www.odnoklassniki.ru
We have observed the trojan redirecting traffic from those sites to the following addresses:
- 94.242.221.200
- 96.45.190.64
- 108.161.129.37
Contacts remote hosts
Trojan:Win32/Qhosts.AY runs the executable file it creates during installation. The executable file, also detected as Trojan:Win32/Qhosts.AY, attempts to connect to the address "hxxp://<IP address>/stat/tuk" to report its infection and download additional files onto your computer, where <IP address> is one of the following:
- 46.166.160.13:45612
- 94.249.188.104:45612
If a TXT file is also created by Trojan:Win32/Qhosts.AY during its installation, the trojan will connect to "hxxp://94.249.188.104:45612/stat/tuk/<remote folder>", where the <remote folder> is identified in the TXT file, for example "hxxp://94.249.188.104:45612/stat/tuk/143".
Additional information
The trojan uses the Windows Sockets API, or Winsock, to connect to the remote hosts.
Related encyclopedia entries
Trojan:BAT/Qhost.Z
Analysis by Patrik Vicol
Last update 29 October 2012