FRISK Software International


Summary of W32/Qhost.A
Alias: Trojan.Qhosts
Length: Variable
Discovered: 1 Oct 2003
Definition files: 9 Oct 2003
Risk Level: Low
Distribution: Low

Brief Description
Qhost is a trojan that blocks access to certain web sites and reroutes their traffic to attacker-chosen IP addresses. It also modifies the system's DNS settings, so the unsuspecting user may be silently redirected to sites other than those intended.

It uses an exploit in Internet Explorer (IE) to download the trojan to the user's machine and execute it.



Technical Description
The trojan is copied onto the system as aolfix.exe. When aolfix.exe is executed automatically, it drops a batch file into the directory c:\bdtmp\tmp and runs it; the batch file's name is randomly generated from numeric characters. The batch file drops these files:

    On all systems:
    %windir%\o.reg

    On 2000/XP systems:
    %windir%\o2.reg
    %windir%\o.vbs

%windir% is the default Windows directory. o.reg modifies the DNS settings and other Internet-related settings. On 2000/XP systems the batch file creates two extra files, o2.reg and o.vbs. o2.reg changes the DNS settings on those systems, and o.vbs walks every subkey under the keys below and sets the NameServer value to a fixed IP address:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\interfaces\

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\interfaces\

After that it creates a new hosts file at %windir%\hosts and at %windir%\help\hosts. That file contains text that looks something like this:

    <random ip number> elite
    <random ip number> www.google.akadns.net
    <random ip number> www.google.com
    <random ip number> google.com
    <random ip number> www.altavista.com
    <random ip number> altavista.com
    <random ip number> search.yahoo.com
    <random ip number> uk.search.yahoo.com
    <random ip number> ca.search.yahoo.com
    <random ip number> jp.search.yahoo.com
    ...
    ...
    ...

After it has completed the above tasks it deletes the files it dropped, but the C:\bdtmp\tmp directory is left behind, empty.




Removal Instructions

Scan your machine with F-Prot and choose automatic disinfection. After the scan has finished, go to Start->Run, type regedit and press [ENTER]. Then change the following registry values.

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP]

    "EnableDNS"="1" change this value to "0"
    "HostName"="host" remove this value
    "Domain"="mydomain.com" remove this value


    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

    "Search Page"="http://www.google.com" remove this value
    "Search Bar"="http://www.google.com/ie" remove this value


    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]

    ""="http://www.google.com/keyword/%s" remove this value
    "provider"="gogl" remove this value


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]

    "SearchAssistant"="http://www.google.com/ie" remove this value

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters]

    "DataBasePath"="%SystemRoot%\help" change this value to "%SystemRoot%\System32\drivers\etc"


    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters]

    "DataBasePath"="%SystemRoot%\help" change this value to "%SystemRoot%\System32\drivers\etc"

DataBasePath tells the TCP/IP stack which directory to read the hosts file from, which is why the trojan points it at %SystemRoot%\help: the hosts file in the usual drivers\etc directory then looks clean while the copy in \help is the one actually in effect. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet is an alias for one of the numbered control sets (the one named by HKEY_LOCAL_MACHINE\SYSTEM\Select\Current), so correcting both numbered sets above covers it as well.


Close down regedit.

Now locate the dropped hosts file and delete it.

    It is located here on Win9x/ME systems:
    \Windows\help\hosts
    And on 2000/XP systems:
    \WINNT\help\hosts


The following step is only needed on Win9x/ME. Locate the modified hosts file and edit it: find the file below, right-click it and choose Open with.

    \Windows\hosts

A dialog should pop up; uncheck "Always use this program to open this file". Find WordPad in the list (it should be near the end), select it and click OK. Now find the lines below.

    <random ip number> elite
    <random ip number> www.google.akadns.net
    <random ip number> www.google.com
    <random ip number> google.com

Note that the numbers on the left can vary, so use the names on the right to find the beginning of the injected lines. Delete these lines and all the ones below them, then choose File and Save and close WordPad.


If you are having trouble accessing web pages, you probably need to reconfigure your DNS settings. To get the correct values, contact your ISP.
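A triage script for the behaviour in the technical description and for the hosts-file cleanup in the removal steps, written here as an added example; it is not part of the F-Prot advisory or product. It parses a hosts file, flags the injected search-engine entries (using the domains listed above as a constructed watchlist and the "elite" line as the marker), applies the advisory's delete-from-the-marker-down rule, works out where the TCP/IP stack will read the hosts file from given a DataBasePath value, and flags NameServer values that are not the resolvers your ISP gave you. The sample hosts file, registry values, interface GUIDs and ISP resolver are constructed for the example (documentation-range addresses, not the trojan's real ones); on a real system you would feed it the files and registry values named above.

```python
"""Offline triage for a Qhosts-style hosts-file and DNS hijack.

Added example, not F-Prot code. Everything works on strings so it runs on
any platform; on a real machine, feed it the hosts file contents and the
registry values named in the advisory.
"""
import re
from ipaddress import ip_address

# Hostnames the advisory lists as targets (constructed watchlist; the real
# injected block is longer, which is why the marker rule below exists).
WATCHLIST = {
    "www.google.akadns.net", "www.google.com", "google.com",
    "www.altavista.com", "altavista.com", "search.yahoo.com",
    "uk.search.yahoo.com", "ca.search.yahoo.com", "jp.search.yahoo.com",
}
MARKER = "elite"  # hostname on the first injected line, per the advisory
DEFAULT_DB_PATH = r"%SystemRoot%\System32\drivers\etc"


def parse_hosts(text):
    """Return (line_no, address, [names]) for every mapping line.
    Comments, blank lines and lines with no hostname are skipped; tabs and
    spaces both separate fields; names are lower-cased for matching."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2:
            entries.append((n, parts[0], [p.lower() for p in parts[1:]]))
    return entries


def find_hijacks(text):
    """Mapping lines that send a watchlisted name anywhere but loopback,
    plus the marker line itself."""
    hits = []
    for n, addr, names in parse_hosts(text):
        try:
            ip = ip_address(addr)
        except ValueError:
            continue  # not a valid address, so not a working redirect
        if MARKER in names or (not ip.is_loopback and WATCHLIST & set(names)):
            hits.append((n, addr, names))
    return hits


def clean_hosts(text):
    """The advisory's rule: drop the marker line and everything below it,
    plus any flagged line above it; keep all other text verbatim."""
    flagged = {n for n, _, _ in find_hijacks(text)}
    marker_at = next((n for n, _, names in parse_hosts(text) if MARKER in names), None)
    kept = [raw for n, raw in enumerate(text.splitlines(), 1)
            if n not in flagged and (marker_at is None or n < marker_at)]
    return "\n".join(kept) + "\n"


def hosts_location(db_path, system_root=r"C:\WINNT"):
    """Where the TCP/IP stack looks for 'hosts' given a DataBasePath value."""
    expanded = re.sub(r"%systemroot%", lambda _: system_root, db_path, flags=re.IGNORECASE)
    return expanded.rstrip("\\") + r"\hosts"


def database_path_ok(db_path):
    """True when DataBasePath still points at the default directory."""
    return db_path.strip().rstrip("\\").lower() == DEFAULT_DB_PATH.lower()


def rogue_nameservers(interfaces, expected):
    """interfaces: {interface subkey name: NameServer value}. NameServer is a
    space- or comma-separated list; return the servers not in 'expected'."""
    rogue = {}
    for key, value in interfaces.items():
        servers = [s for s in re.split(r"[ ,]+", value.strip()) if s]
        bad = [s for s in servers if s not in expected]
        if bad:
            rogue[key] = bad
    return rogue


# Constructed sample input: documentation-range addresses, made-up GUIDs.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.10    elite
203.0.113.10    www.google.akadns.net
203.0.113.10    www.google.com
203.0.113.10    google.com
203.0.113.11    search.yahoo.com
"""
SAMPLE_DB_PATH = r"%SystemRoot%\help"
SAMPLE_INTERFACES = {
    "{11111111-2222-3333-4444-555555555555}": "198.51.100.53",
    "{66666666-7777-8888-9999-000000000000}": "192.0.2.1",
}
ISP_RESOLVERS = {"192.0.2.1"}  # hypothetical: what the ISP actually assigned

if __name__ == "__main__":
    print("hosts read from:", hosts_location(SAMPLE_DB_PATH),
          "default location:", database_path_ok(SAMPLE_DB_PATH))
    for n, addr, names in find_hijacks(SAMPLE_HOSTS):
        print(f"line {n}: {addr} -> {' '.join(names)}")
    print("rogue NameServer values:", rogue_nameservers(SAMPLE_INTERFACES, ISP_RESOLVERS))
    print("cleaned hosts file:\n" + clean_hosts(SAMPLE_HOSTS), end="")
```

On a live host, read the DataBasePath and per-interface NameServer values with reg query (the NameServer values sit under each GUID subkey of Tcpip\Parameters\Interfaces), and inspect both the %SystemRoot%\help and drivers\etc copies of hosts, since only the one DataBasePath points at is in effect.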


Download the patch that fixes the IE vulnerability here and apply it.


Ragnar Gisli - Senior Virus Researcher