Trojan.Clicker.Qhost.A
First posted on 21 November 2011.
Source: BitDefender
Aliases :
Trojan.Clicker.Qhost.A is also known as Trojan.StartPage, CoolWebSearch, Browser, Modifier.Trojan.StartPage.
Explanation :
When executed, the malware changes MSIE's start page;
The line "645238813 auto.search.msn.com" is added to "%SYSTEM%\drivers\etc\hosts";
The file "oslogo.bmp" is created in the folder "%WINDIR%\Web"; it contains a script that redirects IE to its own page.
The following registry keys are added / modified :
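A hosts-file audit for the entry described above, as an added example that is not BitDefender's code: it flags addresses written as a single decimal integer, as in the line the page quotes, and any remapping of auto.search.msn.com. The function names and the sample hosts content are constructed for illustration.

```python
import ipaddress

# Hostname the page says the trojan remaps in the hosts file.
WATCHED_HOSTS = {"auto.search.msn.com"}

def parse_hosts(text):
    """Yield (lineno, address_field, hostnames) for each active hosts entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) >= 2:
            yield lineno, fields[0], [h.lower() for h in fields[1:]]

def normalize_address(field):
    """Return (dotted_ip_or_None, is_integer_form) for an address field."""
    if field.isascii() and field.isdigit():
        value = int(field)
        if value <= 0xFFFFFFFF:
            # A bare 32-bit integer is an IPv4 address in disguise.
            return str(ipaddress.IPv4Address(value)), True
        return None, True
    try:
        return str(ipaddress.ip_address(field)), False
    except ValueError:
        return None, False

def audit_hosts(text):
    """Return (lineno, raw_address, dotted_ip, reasons) for entries to review."""
    findings = []
    for lineno, field, names in parse_hosts(text):
        ip, integer_form = normalize_address(field)
        reasons = []
        if integer_form:
            reasons.append("integer-form address")
        for name in sorted(WATCHED_HOSTS.intersection(names)):
            reasons.append("remaps " + name)
        if reasons:
            findings.append((lineno, field, ip, reasons))
    return findings

# Constructed sample: line 3 is the entry quoted on this page.
SAMPLE_HOSTS = "\n".join([
    "# constructed sample hosts file",
    "127.0.0.1 localhost",
    "645238813 auto.search.msn.com",
    "192.0.2.10 intranet.example  # constructed entry",
])

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On a real system, pass the contents of the hosts file at the path the page gives to `audit_hosts`.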
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant
HKCU\Software\Microsoft\Internet Explorer\Styles\Use My Stylesheet
HKCU\Software\Microsoft\Internet Explorer\Styles\User Stylesheet
HKCU\Software\Microsoft\Internet Explorer\Search
HKCU\Software\Microsoft\Internet Explorer\SearchURL
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\CustomizeSearch
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant
HKLM\SOFTWARE\Microsoft\Internet Explorer\Styles\Use My Stylesheet
HKLM\SOFTWARE\Microsoft\Internet Explorer\Styles\User Stylesheet
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search
Last update 21 November 2011