W32/Qhost.A, a trojan that spreads via infectious websites

6 October 2003

W32/Qhost.A is a Trojan Horse that has, for the last few days, been infecting computers on which Internet Explorer 5.01, 5.5, or 6.0 is installed. This trojan is designed to allow an attacker to remotely hijack browsers by rerouting page requests to specific Domain Name Servers, thereby allowing an attacker to direct users to websites of the attacker's choice.

This trojan takes advantage of an Internet Explorer vulnerability, patches for which are provided via Windows Update. Users should scan for updates and patch their systems with 'Cumulative Patch for Internet Explorer (KB828750)' as well as the related 'Security Update for Windows Media Player (KB828026)'. This vulnerability is also discussed in Microsoft Security Bulletin MS03-040, an end-user version of which can be found here.

It should be noted that this trojan cannot spread by itself. Infection occurs when an HTML web page containing malicious code is opened, allowing the trojan to open a viral HTML file on the target computer. When the malicious executable has been created and run, the Qhost trojan alters the computer's Domain Name Server set-up. This allows an attacker to virtually hijack browser use by dictating which sites are visited. The trojan, for example, denies access to most major search engines, redirecting the user instead to different sites.

W32/Qhost.A has been known to infect through pop-ups displayed when certain websites are visited. One such page at www.fortunecity.com reportedly displayed a pop-up that redirected the user to another web page where the trojan downloaded itself to the visiting user's system before executing.

Recommended Reactions

As the Qhost trojan is capable of executing malicious code through infectious websites, the vulnerability it exploits is considered critical. Users are therefore strongly urged to apply the patches provided via Windows Update as soon as possible, to update their virus signature files, and to make sure they have the latest versions of F-Prot Antivirus installed on their computers.

After updating the virus signature files, users should scan their whole system with the F-Prot Antivirus OnDemand scanner to ensure that their computer security was not compromised before the virus signature files were updated.
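Because the trojan alters the computer's Domain Name Server set-up, the configured resolvers can also be compared against a known-good list. The following is an added example, not part of the original advisory or of F-Prot Antivirus: it parses `ipconfig /all` output and reports DNS servers that are not approved. The sample output, the addresses and the approved list are constructed assumptions, and English-language `ipconfig` output is assumed.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (documentation-range addresses).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : example.test
        IP Address. . . . . . . . . . . . : 192.0.2.25
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.0.2.1
        DNS Servers . . . . . . . . . . . : 192.0.2.53
                                            203.0.113.66
        Lease Obtained. . . . . . . . . . : Monday, October 06, 2003 9:00:00 AM
"""

# Assumption: the resolvers this site legitimately hands out.
APPROVED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}


def dns_servers_by_adapter(text):
    """Map adapter name -> DNS server IPs, including continuation lines."""
    result, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        # Adapter headers start in column 0 and end with a colon.
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            adapter, in_dns = line.rstrip()[:-1], False
            continue
        m = re.match(r"\s+DNS Servers[ .]*:\s*(\S+)", line)
        # Extra servers appear alone on the lines after "DNS Servers".
        value = m.group(1) if m else (line.strip() if in_dns else "")
        try:
            ip = str(ipaddress.ip_address(value))
        except ValueError:
            in_dns = False  # any non-address line ends the DNS list
            continue
        in_dns = True
        result.setdefault(adapter, []).append(ip)
    return result


def unapproved_resolvers(text, approved):
    """Return (adapter, ip) pairs whose resolver is not on the approved list."""
    return [(a, ip) for a, ips in dns_servers_by_adapter(text).items()
            for ip in ips if ip not in approved]


if __name__ == "__main__":
    for adapter, ip in unapproved_resolvers(SAMPLE_IPCONFIG, APPROVED_RESOLVERS):
        print(f"REVIEW: {adapter} uses unapproved DNS server {ip}")
```

An unapproved entry is a prompt for review, not proof of infection; the full on-demand scan remains the way to confirm.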

Threat Detection

The latest versions of F-Prot Antivirus detect W32/Qhost.A using virus signature files dated 3 October 2003 or later.
