Trojan:Win32/QHosts.BH
First posted on 22 January 2013.
Source: Microsoft
Aliases:
Trojan:Win32/QHosts.BH is also known as Trojan.Hosts.6167 (Dr.Web), Win32/Bicololo.A trojan (ESET), Trojan.VBS.Downloader (Ikarus), Trojan.Win32.Qhost.aeif (Kaspersky).
Explanation:
Trojan:Win32/Qhosts.BH is a trojan that redirects your web browser away from certain sites and may download additional malware onto your computer.
Installation
The trojan is usually downloaded onto your computer by other malware.
When run, Trojan:Win32/Qhosts.BH creates a folder path in the %ProgramFiles% folder in the format "<letter_number>\<letter_number>". We have observed the following folder path:
%ProgramFiles%\l1\l1
Note: %ProgramFiles% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Program Files folder for Windows 2000, XP, 2003, Vista and 7 is "C:\Program Files".
Trojan:Win32/Qhosts.BH then creates the following three files in that folder:
- A batch file (BAT), which alters your computer's Hosts file
- One of the following two files:
  - A text file (TXT), from which the trojan obtains additional information about the server it connects to, or
  - An image file (JPG), which the trojan may display to distract you while it alters the Hosts file
- An executable file (EXE), which connects to a remote server to report the infection and download additional files
In the wild, we have observed it using the following file names:
- %ProgramFiles%\l1\l1\ko.txt
- %ProgramFiles%\l1\l1\ij0o0o0o.bat
- %ProgramFiles%\l1\l1\sdfw4t34g35g45gh.exe
- %ProgramFiles%\l1\l1\093ijf9o3ih3ff.jpg
Payload
Modifies the Hosts file
Trojan:Win32/Qhosts.BH modifies the Windows Hosts file in order to redirect specified URLs to different IP addresses.
When run, the trojan executes the batch file that it created during installation. To hide the fact that the batch file is running, the trojan may display an image.
The trojan redirects your web browser away from the following sites:
- m.my.mail.ru
- m.odnoklassniki.ru
- m.ok.ru
- m.vk.com
- my.mail.ru
- odnoklassniki.ru
- ok.ru
- vk.com
We have observed the trojan redirecting traffic from those sites to the following address:
94.249.189.127
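As an added defender-side example that is not part of the original Microsoft entry, the following Python parses Hosts-file content and flags any of the sites listed above that have been mapped to a non-loopback address, marking hits that point at the address observed in the wild. The sample Hosts text is constructed for this example; loopback mappings are skipped because they are a block, not a redirect.

```python
# Domains the advisory lists as redirected by Trojan:Win32/Qhosts.BH,
# and the destination address observed in the wild.
REDIRECTED_DOMAINS = {
    "m.my.mail.ru", "m.odnoklassniki.ru", "m.ok.ru", "m.vk.com",
    "my.mail.ru", "odnoklassniki.ru", "ok.ru", "vk.com",
}
OBSERVED_REDIRECT_IP = "94.249.189.127"
# Mapping a site here blocks it rather than redirecting it (common in
# ad-blocking Hosts files), so such lines are not treated as hits.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a Hosts file.

    Comments (#) and blank lines are skipped; one IP may map several names.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower(), line_no


def find_suspicious_entries(text):
    """Return (line_no, hostname, ip, is_known_bad) for each listed site
    that a Hosts line points at a non-loopback address; is_known_bad marks
    the exact address this advisory observed."""
    hits = []
    for ip, name, line_no in parse_hosts(text):
        if name in REDIRECTED_DOMAINS and ip not in LOOPBACK:
            hits.append((line_no, name, ip, ip == OBSERVED_REDIRECT_IP))
    return hits


# Constructed sample Hosts file (not a real capture): the stock localhost
# line, a benign custom mapping, two lines of the kind the trojan's batch
# file appends, and a hosts-based block that must not be flagged.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    intranet.example   # constructed benign entry
94.249.189.127  vk.com m.vk.com
94.249.189.127  ok.ru
127.0.0.1       odnoklassniki.ru   # block, not a redirect
"""

if __name__ == "__main__":
    for line_no, name, ip, known in find_suspicious_entries(SAMPLE_HOSTS):
        flag = "known Qhosts.BH address" if known else "unexpected address"
        print(f"line {line_no}: {name} -> {ip} ({flag})")
```

On a live Windows system, read the text from %SystemRoot%\System32\drivers\etc\hosts instead of the constructed sample.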
Contacts remote hosts
Trojan:Win32/Qhosts.BH attempts to connect to the following remote host:
46.166.160.139
Commonly, malware may contact a remote host for the following purposes:
- To confirm Internet connectivity
- To report a new infection to its author
- To receive configuration or other data
- To download and execute arbitrary files (including updates or additional malware)
- To receive instruction from a remote attacker
- To upload data taken from the affected computer
Analysis by Jasmine Sesso
Last update 22 January 2013