McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

This is a generic detection for trojans that do modify the HOSTS file.

This file is normally used by Windows to resolve the IP address for a URL. For performance reasons, Windows first looks in the HOSTS file (which normally exists in C:\WINDOWS\SYSTEM32\DRIVERS\ETC), and if no appropriate entry is found, it will try to use DNS and WINS to resolve the IP address.

Many trojans and worms are overwriting the HOSTS file with a modified version. The corrupted HOSTS file will contains a list of URLs redirected to invalid  ip such as 255.255.255.255 or 127.0.0.1.

Often this is used to redirect the updater component of the antivirus software to an invalid address thous preventing signatures updates.

It can also be used to redirect the victim browsing to a specific website (a serach engine for example) to a fake version of the website (pharming)

Symptoms

Appended HOST file Visiting the websites listed in the HOST file will redirect the web traffic to invalid addresses, making the user unable to reach some Anti-Virus websites.

Method of Infection

Trojans do not self-replicate and require manual intervention in order to "spread". User is infected upon executing the attachment.

Removal

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

Characteristics -

This is a generic detection for trojans that do modify the HOSTS file.

This file is normally used by Windows to resolve the IP address for a URL. For performance reasons, Windows first looks in the HOSTS file (which normally exists in C:\WINDOWS\SYSTEM32\DRIVERS\ETC), and if no appropriate entry is found, it will try to use DNS and WINS to resolve the IP address.

Many trojans and worms are overwriting the HOSTS file with a modified version. The corrupted HOSTS file will contains a list of URLs redirected to invalid  ip such as 255.255.255.255 or 127.0.0.1.

Often this is used to redirect the updater component of the antivirus software to an invalid address thous preventing signatures updates.

It can also be used to redirect the victim browsing to a specific website (a serach engine for example) to a fake version of the website (pharming)

Symptoms

Symptoms -

Appended HOST file Visiting the websites listed in the HOST file will redirect the web traffic to invalid addresses, making the user unable to reach some Anti-Virus websites.

Method of Infection

Method of Infection -

Trojans do not self-replicate and require manual intervention in order to "spread". User is infected upon executing the attachment.

Removal -

Removal -

Variants

Variants -

N/A