Virus: TR/Qhost.IA
Date discovered: 10/10/2006
Type: Trojan
In the wild: No
Reported infections: Low
Distribution potential: Low
Damage potential: Low to medium
Static file: Yes
File size: 19,968 bytes
MD5 checksum: 27b06efadce529f269187f0f8ddc9c71
VDF version: 6.36.00.62
IVDF version: 6.36.00.76 - Tuesday, October 3, 2006

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Trojan.Win32.Qhost.ia
   •  Sophos: Troj/QHosts-AL


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Blocks access to certain websites
   • Drops a file

Files
It deletes the initially executed copy of itself.



The following file is created:

%malware execution directory%\killme.bat This batch file is executed as soon as it has been completely written. It is used to delete a file; given the self-deletion noted under "Files", this is most likely the original copy of the Trojan, since a running Windows executable cannot remove its own image and typically leaves a helper batch file to do so after it exits.



It tries to download a file:

– The location is the following:
   • http://59.34.197.239/**********
At the time of writing this file was no longer online, so it could not be investigated further.

Hosts
The hosts file is modified as explained:

– In this case the existing entries are deleted.

– Access to the following domains is redirected to other destinations:
   • www.baidu.com
   • baidu.com
   • www.sohu.com
   • sohu.com
   • www.sina.com
   • sina.com
   • www.sina.com.cn
   • sina.com.cn
   • www.163.com
   • 163.com
   • www.google.com
   • google.com
   • www.qq.com
   • qq.com
   • www.hao123.com
   • hao123.com
   • ttlttt.com




The modified hosts file will look like this:


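The hosts-file tampering described above is easy to check for on a suspect machine. The following Python script is an added example and not part of the original description or of any vendor tooling: it parses a Windows-style hosts file (IP address, whitespace-separated hostnames, '#' comments), flags every entry for the domains listed above, distinguishing loopback entries (which simply block the site) from redirections to another address, and reports whether the default localhost entry has been removed, since the description says existing entries are deleted. The sample hosts content and the redirect address 203.0.113.7 (a TEST-NET-3 documentation address) are constructed for illustration; the page does not give the Trojan's real redirect target.

```python
"""Audit a hosts file for Qhost-style tampering (added example)."""
import ipaddress
import os
import sys
from typing import Dict, List, Tuple

# Domains the description says are redirected (taken from the page above).
TARGETED_DOMAINS = {
    "www.baidu.com", "baidu.com", "www.sohu.com", "sohu.com",
    "www.sina.com", "sina.com", "www.sina.com.cn", "sina.com.cn",
    "www.163.com", "163.com", "www.google.com", "google.com",
    "www.qq.com", "qq.com", "www.hao123.com", "hao123.com", "ttlttt.com",
}

# Constructed sample: the default "127.0.0.1 localhost" line has been removed
# and several targeted domains point elsewhere. 203.0.113.7 is a documentation
# address standing in for the unknown real redirect target.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
203.0.113.7   www.baidu.com baidu.com   # constructed, not the real target
203.0.113.7   www.google.com google.com
203.0.113.7   qq.com
127.0.0.1     www.sohu.com
"""

# Default location on Windows; only used when run as a script on a real host.
WINDOWS_HOSTS_PATH = os.path.join(
    os.environ.get("SystemRoot", r"C:\Windows"), "System32", "drivers", "etc", "hosts")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; comments, blanks and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a valid address; Windows ignores such lines as well
        for name in names:
            entries.append((ip, name.lower()))  # hostnames are case-insensitive
    return entries


def audit_hosts(text: str) -> Dict[str, object]:
    """Flag targeted domains that are blocked or redirected, and a missing localhost."""
    entries = parse_hosts(text)
    redirected: Dict[str, str] = {}
    blocked: List[str] = []
    has_localhost = False
    for ip, name in entries:
        addr = ipaddress.ip_address(ip)
        if name == "localhost" and addr.is_loopback:
            has_localhost = True
        if name in TARGETED_DOMAINS:
            if addr.is_loopback or addr.is_unspecified:
                blocked.append(name)          # e.g. 127.0.0.1 or 0.0.0.0: site is blocked
            else:
                redirected[name] = ip         # site is silently sent to another host
    return {
        "redirected": redirected,
        "blocked": blocked,
        "localhost_missing": not has_localhost,
        "suspicious": bool(redirected) or bool(blocked) or not has_localhost,
    }


if __name__ == "__main__":
    # Audit the real hosts file if a path is given or the Windows default exists,
    # otherwise fall back to the constructed sample so the script runs anywhere.
    path = sys.argv[1] if len(sys.argv) > 1 else WINDOWS_HOSTS_PATH
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    for key, value in audit_hosts(content).items():
        print(f"{key}: {value}")
```

Run without arguments the script audits the constructed sample (or the live Windows hosts file when one exists); pass a path to audit a hosts file copied from an infected machine. A clean Windows hosts file yields no findings, because it contains only comments and the localhost entries.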
File details
Programming language:
The malware program was written in Visual Basic.


Runtime packer:
To hinder detection and reduce the file size, it is packed with the following runtime packer:
   • UPX

Description inserted by Monica Ghitun on Tuesday, October 10, 2006
