Trojan:BAT/Qhost.AF
First posted on 19 February 2013.
Source: Microsoft
Aliases:
Trojan:BAT/Qhost.AF is also known as Trojan/Win32.Qhost (AhnLab), W32/Qhost.M.gen!Eldorado (Command), W32/Bicololo.AYD (Norman), Trojan.Hosts.6838 (Dr.Web), Win32/Bicololo.A trojan (ESET).
Explanation:
Installation
You may receive Trojan:BAT/Qhost.AF as an attachment to a spammed email. It may arrive as an attachment in a ZIP file. The attachment may have a file name similar to any of the following:
- GOLAYA-BABE.exe
- GOLAYA-DEVOCHKA.exe
- GOLAYA-TOPLESS.exe
- GOLAYA-PHOTO.exe
When run, it may install the following files:
- %ProgramFiles%\fringe wedge\bovine leather\fruit\howtocut.mango - configuration file
- %ProgramFiles%\fringe wedge\bovine leather\kokos\stonefruitbelongingtothegenusmangifera.bat - detected as Trojan:BAT/Qhost.AF
- %ProgramFiles%\fringe wedge\bovine leather\fruit\howtogrowmangofruit.vbs - detected as Trojan:BAT/Qhost.AF
- %ProgramFiles%\fringe wedge\bovine leather\fruit\removingtheseedfromamangofruitr.vbs - detected as Trojan:BAT/Qhost.AF
Note: %ProgramFiles% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Program Files folder for Windows 2000, XP, 2003, Vista, 7, and 8 is "C:\Program Files".
Some variants may install files similar to the following:
- %ProgramFiles%\interesting\interesting\baaaaa.bat
- %ProgramFiles%\interesting\interesting\prikol.jpg
- %ProgramFiles%\interesting\interesting\b.exe or %ProgramFiles%\interesting\interesting\ping-pong.exe
It then runs these files. If it installs a JPG file, it displays that image. This file may contain adult content.
Payload
Downloads other malware
Trojan:BAT/Qhost.AF (in the form of the VBS file) tries to connect to the following servers using various ports (such as 1999 and 45612) to download other malware:
- 199.241.191.138
- 46.166.158.22
- 46.166.160.102
- 94.249.188.104
Redirects Internet traffic through other websites
Trojan:BAT/Qhost.AF (in the form of the BAT file) modifies your computer's HOSTS file so that traffic for the following websites is redirected:
- m.my.mail.ru
- m.odnoklassniki.ru
- m.ok.ru
- m.vk.com
- my.mail.ru
- odnoklassniki.ru
- ok.ru
- vk.com
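Because the BAT component works by adding entries for these hostnames to the HOSTS file, a defender can check a HOSTS file for exactly those entries. The following script is an added example, not Microsoft's code: it parses HOSTS-format text and reports any mapping for the hostnames listed above, since a clean HOSTS file contains none of them. The sample HOSTS content and the 192.0.2.10 address are constructed for the demonstration.

```python
import ipaddress

# Hostnames the advisory says Trojan:BAT/Qhost.AF adds to the HOSTS file.
HIJACKED_HOSTS = {
    "m.my.mail.ru", "m.odnoklassniki.ru", "m.ok.ru", "m.vk.com",
    "my.mail.ru", "odnoklassniki.ru", "ok.ru", "vk.com",
}

# Default location on Windows; pass another path to scan_hosts_file() if needed.
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every active mapping in HOSTS-format text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an "<ip> <host> [<host>...]" mapping line
        for host in parts[1:]:
            yield str(ip), host.lower(), line_no


def find_qhost_entries(text):
    """Return every mapping for a listed hostname, in file order.
    Any such entry (redirect to a remote IP or pin to loopback) is tampering,
    because none of these sites belongs in a legitimate HOSTS file."""
    return [
        {"line": line_no, "host": host, "ip": ip}
        for ip, host, line_no in parse_hosts(text)
        if host in HIJACKED_HOSTS
    ]


def scan_hosts_file(path=WINDOWS_HOSTS_PATH):
    """Read a HOSTS file from disk and return the suspicious entries."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_qhost_entries(fh.read())


# Constructed sample HOSTS content (not from the advisory).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      vk.com m.vk.com   # injected redirect
192.0.2.10      odnoklassniki.ru
127.0.0.1       ok.ru             # pinned to loopback, also tampering
"""

if __name__ == "__main__":
    for hit in find_qhost_entries(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['host']} -> {hit['ip']}")
```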
Analysis by Patrik Vicol
Last update 19 February 2013