This trojan modifies the HOSTS file to prevent access to antivirus related sites and services.

It Creates the following file:

• %windir%system32iklvb.dll - Trojan.Win32.Qhost.it

It creates the following registry keys as its autostart-mechanism:

• HKLMSOFTWAREClassesCLSID{2C1CD3D7-86AC-4068-93BC-A02304B60787}
• HKLMSOFTWAREClassesCLSID{2C1CD3D7-86AC-4068-93BC-A02304B60787}InProcServer32
  (default) = C:WINDOWSsystem32iklvb.dll
• HKLMSOFTWAREClassesCLSID{2C1CD3D7-86AC-4068-93BC-A02304B60787}InProcServer32
  ThreadingModel = Apartment
• HKLMSoftwareMicrosoftWindowsCurrentVersionExplorerSharedTaskScheduler
  {2C1CD3D7-86AC-4068-93BC-A02304B60787} = DCOM Server 60787
• HKLMSoftwareMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad
  DCOM Server 60787 = {2C1CD3D7-86AC-4068-93BC-A02304B60787}
  

It modifies the HOSTS file to prevent antivirus products from receiving updates. It points the update site to localhost.

• 127.0.0.1 avp.com
• 127.0.0.1 ca.com
• 127.0.0.1 customer.symantec.com
• 127.0.0.1 dispatch.mcafee.com
• 127.0.0.1 download.mcafee.com
• 127.0.0.1 downloads1.kaspersky-labs.com
• 127.0.0.1 downloads2.kaspersky-labs.com
• 127.0.0.1 downloads3.kaspersky-labs.com
• 127.0.0.1 downloads4.kaspersky-labs.com
• 127.0.0.1 liveupdate.symantec.com
• 127.0.0.1 liveupdate.symantecliveupdate.com
• 127.0.0.1 mast.mcafee.com
• 127.0.0.1 networkassociates.com
• 127.0.0.1 rads.mcafee.com
• 127.0.0.1 secure.nai.com
• 127.0.0.1 securityresponse.symantec.com
• 127.0.0.1 sophos.com
• 127.0.0.1 updates.symantec.com
• 127.0.0.1 us.mcafee.com
• 127.0.0.1 viruslist.com
• 127.0.0.1 www.avp.com
• 127.0.0.1 www.ca.com
• 127.0.0.1 www.f-secure.com
• 127.0.0.1 www.kaspersky.com
• 127.0.0.1 www.mcafee.com
• 127.0.0.1 www.my-etrust.com
• 127.0.0.1 www.nai.com
• 127.0.0.1 www.networkassociates.com
• 127.0.0.1 www.sophos.com
• 127.0.0.1 www.symantec.com
• 127.0.0.1 www.trendmicro.com
• 127.0.0.1 www.viruslist.com

Last update 20 June 2007

 

TOP