
Trojan:BAT/Qhost.AF


First posted on 19 February 2013.
Source: Microsoft

Aliases:

Trojan:BAT/Qhost.AF is also known as Trojan/Win32.Qhost (AhnLab), W32/Qhost.M.gen!Eldorado (Command), W32/Bicololo.AYD (Norman), Trojan.Hosts.6838 (Dr.Web), Win32/Bicololo.A trojan (ESET).

Explanation:



Installation

You may receive Trojan:BAT/Qhost.AF as an attachment to a spammed email, typically inside a ZIP file. The attachment may have a file name similar to any of the following:

  • GOLAYA-BABE.exe
  • GOLAYA-DEVOCHKA.exe
  • GOLAYA-TOPLESS.exe
  • GOLAYA-PHOTO.exe


When run, it may install the following files:

  • %ProgramFiles%\fringe wedge\bovine leather\fruit\howtocut.mango - configuration file
  • %ProgramFiles%\fringe wedge\bovine leather\kokos\stonefruitbelongingtothegenusmangifera.bat - detected as Trojan:BAT/Qhost.AF
  • %ProgramFiles%\fringe wedge\bovine leather\fruit\howtogrowmangofruit.vbs - detected as Trojan:BAT/Qhost.AF
  • %ProgramFiles%\fringe wedge\bovine leather\fruit\removingtheseedfromamangofruitr.vbs - detected as Trojan:BAT/Qhost.AF


Note: %ProgramFiles% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Program Files folder for Windows 2000, XP, 2003, Vista, 7, and 8 is "C:\Program Files".

Some variants may install files similar to the following:

  • %ProgramFiles%\interesting\interesting\baaaaa.bat
  • %ProgramFiles%\interesting\interesting\prikol.jpg
  • %ProgramFiles%\interesting\interesting\b.exe or %ProgramFiles%\interesting\interesting\ping-pong.exe


It then runs these files. If it installs a JPG file, it displays that image. This file may contain adult content.



Payload

Downloads other malware

Trojan:BAT/Qhost.AF (in the form of the VBS file) tries to connect to the following servers using various ports (such as 1999 and 45612) to download other malware:

  • 199.241.191.138
  • 46.166.158.22
  • 46.166.160.102
  • 94.249.188.104


Redirects Internet traffic through other websites

Trojan:BAT/Qhost.AF (in the form of the BAT file) changes the contents of your computer's HOSTS file so that your Internet traffic for the following websites is redirected:

  • m.my.mail.ru
  • m.odnoklassniki.ru
  • m.ok.ru
  • m.vk.com
  • my.mail.ru
  • odnoklassniki.ru
  • ok.ru
  • vk.com
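The HOSTS hijack described above can be checked for by parsing the file and flagging any entry that pins one of those eight hostnames to an address. The following is an added example written for this page, not code from Microsoft's analysis; the HOSTS content it scans is constructed sample data, and the 203.0.113.10 address is a documentation-range placeholder, not an indicator from the page.

```python
import ipaddress

# Hostnames the page says the BAT component rewrites in the HOSTS file.
QHOST_TARGET_HOSTS = {
    "m.my.mail.ru", "m.odnoklassniki.ru", "m.ok.ru", "m.vk.com",
    "my.mail.ru", "odnoklassniki.ru", "ok.ru", "vk.com",
}

# Constructed sample HOSTS content (not taken from a real infection).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# entries below are constructed to mimic a Qhost-style hijack
203.0.113.10    vk.com
203.0.113.10    m.vk.com odnoklassniki.ru
203.0.113.10    ok.ru   # trailing comment
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in HOSTS-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])  # skip malformed first fields
        except ValueError:
            continue
        for name in parts[1:]:                  # one IP may map several names
            yield str(ip), name.lower(), line_no


def find_hijacked_hosts(text, watch=QHOST_TARGET_HOSTS):
    """Return [(line_no, hostname, ip)] for watched names pinned in HOSTS.

    A clean HOSTS file has no entry at all for these public sites, so any
    mapping, whatever the address, is worth investigating.
    """
    return [(line_no, name, ip)
            for ip, name, line_no in parse_hosts(text)
            if name in watch]


if __name__ == "__main__":
    for line_no, name, ip in find_hijacked_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} pinned to {ip}")
```

To run it against a live system, read the text of %SystemRoot%\System32\drivers\etc\hosts in place of SAMPLE_HOSTS.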




Analysis by Patrik Vicol

Last update 19 February 2013
