
Win32/Qhost


First posted on 17 October 2013.
Source: Microsoft

Aliases :

There are no other names known for Win32/Qhost.

Explanation :

Threat behavior

Installation

Win32/Qhost is usually installed on your computer by drive-by exploits or by other malware. It can also be downloaded from peer-to-peer (P2P) networks or arrive as a spam email attachment.

Win32/Qhost has been known to use any of these file names (note that the list is not exhaustive):

  • 360loader.exe
  • _programma_slava_petuhu_v1.exe
  • golaya-babe.exe
  • golaya-devochka.exe
  • golaya-photo.exe
  • golaya-topless.exe
  • golosavk.exe
  • kak-nezametno-usipit-cheloveka-text.doc.exe
  • kak-oboyti-kerio-control-text.doc.exe
  • keygen_badcopy_pro_4_10_1215.exe
  • krutova_640x480.scr
  • morozko-myzikl-scenariy.exe
  • naruto_shippuuden.rar
  • odnoklassniki.exe
  • photo_640x480.scr
  • referat-na-temu-profilaktika.doc.exe
  • sbornik_gdz_i_kursovih_rabot.exe
  • setup.exe
  • themes.exe
  • volshebnaya-shlyapa-konkurs-narezki.exe


Payload

Changes the contents of the Hosts file

Win32/Qhost changes the contents of the Hosts file so that you are either:

  • Redirected to another server when you try to search the Internet (for example, Trojan:JS/Qhost.C)
  • Redirected to another server when you try to access banking websites (for example, Trojan:Win32/Qhost.BI and Trojan:Win32/Qhost.CU)
  • Redirected to another server when you try to access money services websites (for example, Trojan:Win32/Qhost.AV)
  • Cannot access security websites or Windows Update
  • Notified that a website certificate is invalid


Sample changes to your Hosts file are the following:

127.0.0.1 updates.microsoft.com - this change blocks access to Microsoft updates
1.2.3.4 www.bb.com.br - this change redirects traffic from the Banco do Brasil website to the IP address 1.2.3.4

These changes redirect access to the specified .ru websites to the IP address 192.157.49.9:
192.157.49.9 my.mail.ru
192.157.49.9 m.my.mail.ru
192.157.49.9 vk.com
192.157.49.9 ok.ru
192.157.49.9 m.vk.com
192.157.49.9 odnoklassniki.ru
192.157.49.9 vk.com
192.157.49.9 www.odnoklassniki.ru
192.157.49.9 m.odnoklassniki.ru
192.157.49.9 ok.ru
192.157.49.9 m.ok.ru
192.157.49.9 www.odnoklassniki.ru
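The two kinds of change above (loopback "sinkhole" entries that block a site, and entries that send a site to an attacker-chosen address) can be told apart mechanically. The following is an added example, not part of the Microsoft write-up: it parses Hosts-file text and reports every entry that is neither a comment nor a normal localhost mapping, using a constructed sample built from the entries listed above.

```python
import ipaddress
from typing import List, Tuple

# Hostnames that legitimately map to loopback; any other name on 127.x / ::1 / 0.0.0.0 is a block.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, one per hostname, skipping comments, blanks and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue                               # first token is not an IP: not an entry
        entries.extend((parts[0], h.lower()) for h in parts[1:])
    return entries

def classify(ip: str, host: str) -> str:
    """'benign', 'blocked' (loopback/unspecified sinkhole) or 'redirect' (sent to another server)."""
    addr = ipaddress.ip_address(ip)
    if host in LOCAL_NAMES:
        return "benign"
    if addr.is_loopback or addr.is_unspecified:
        return "blocked"      # e.g. 127.0.0.1 updates.microsoft.com (note: ad-block lists also do this)
    return "redirect"         # e.g. 1.2.3.4 www.bb.com.br

def find_suspicious(text: str) -> List[Tuple[str, str, str]]:
    """Return (verdict, ip, host) for every non-benign entry, in file order."""
    return [(v, ip, h) for ip, h in parse_hosts(text)
            if (v := classify(ip, h)) != "benign"]

# Constructed sample modelled on the Hosts changes described above (not a real capture).
SAMPLE = """\
# default entries
127.0.0.1       localhost
::1             localhost
127.0.0.1 updates.microsoft.com
1.2.3.4 www.bb.com.br
192.157.49.9 vk.com ok.ru
"""

if __name__ == "__main__":
    # On Windows the real file is C:\Windows\System32\drivers\etc\hosts; read it instead of SAMPLE.
    for verdict, ip, host in find_suspicious(SAMPLE):
        print(f"{verdict:8} {host} -> {ip}")
```

A blocked entry for an update or security domain, or any redirect entry at all, matches the symptoms this family produces and is worth investigating.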

Other payloads

Win32/Qhost might have other malicious actions, depending on the variant. These actions include:

  • Displaying an image to the user, in an attempt to disguise the Hosts file changes (for example, Trojan:Win32/Qhosts.AY)
  • Changing the Internet Explorer start page (for example, Trojan:JS/Qhost.C)
  • Rerouting browser access to the Internet through a specific server controlled by a hacker (for example, Trojan:JS/Qhost.C)
  • Running automatically every time Windows starts (for example, Trojan:Win32/Qhost.HC and Trojan:Win32/Qhost.JS)
  • Connecting to a remote server, either to keep track of how many computers in the world are infected, or to notify a hacker (for example, Trojan:Win32/Qhost.HA)
  • Spreading through peer-to-peer networks by using enticing file names to lure users into downloading it (for example, Trojan:Win32/Qhosts.AY)
  • Installing other malware (for example, Trojan:BAT/Qhost.AF)


Other information

The Qhost family targets different platforms. It can run as a script file (BAT, VBS, or JS), or as an executable (Win32).



Analysis by Patrik Vicol

Symptoms

The following could indicate that you have this threat on your PC:

  • You have any of these files:
    • 360loader.exe
    • _programma_slava_petuhu_v1.exe
    • golaya-babe.exe
    • golaya-devochka.exe
    • golaya-photo.exe
    • golaya-topless.exe
    • golosavk.exe
    • kak-nezametno-usipit-cheloveka-text.doc.exe
    • kak-oboyti-kerio-control-text.doc.exe
    • keygen_badcopy_pro_4_10_1215.exe
    • krutova_640x480.scr
    • morozko-myzikl-scenariy.exe
    • naruto_shippuuden.rar
    • odnoklassniki.exe
    • photo_640x480.scr
    • referat-na-temu-profilaktika.doc.exe
    • sbornik_gdz_i_kursovih_rabot.exe
    • setup.exe
    • themes.exe
    • volshebnaya-shlyapa-konkurs-narezki.exe
  • You can't go to certain websites that you'd been able to access before; these websites might be for Internet banking or security
  • You see changes in your Hosts file that you don't recall making

Last update 17 October 2013
