
QHosts-95

Type: Trojan
SubType: Win32
Discovery Date: 12/19/2007
Length: 2,048 bytes
Minimum DAT: 5190 (12/20/2007)
Updated DAT: 5190 (12/20/2007)
Minimum Engine: 5.1.00
Description Added: 12/19/2007
Description Modified: 12/19/2007 7:55 PM (PT)
Risk Assessment (Corporate User): Low-Profiled
Risk Assessment (Home User): Low-Profiled


Characteristics

-- Update December 19, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.vnunet.com/vnunet/news/2206078/trojan-hijacks-google-text-ads
--

Upon execution, the trojan adds the following line to the hosts file at %Systemdir%\drivers\etc\hosts:

91.184.6[removed] pagead2.googlesyndication.com

Because the hosts file is consulted before DNS, any access to Google AdSense is redirected to the above IP address.

Symptoms

The Windows hosts file is larger than usual. The file is located at:

  • %SystemRoot%\System32\drivers\etc\hosts


Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants


    N/A


Overview

The QHosts-95 trojan modifies the Windows hosts file to redirect access to Google AdSense to a malicious remote site.

Aliases

  • Trojan.Qhost.WU (BitDefender)
  • W32/Qhost.WU!tr (Fortinet)
