Virus: TR/Hosts.AS
Date discovered: 27/07/2010
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 41.171 Bytes
MD5 checksum: 1e0F0Dad6aae1e4866d2f097f0b6cb28
VDF version: 7.10.09.225

General

Method of propagation:
   • Autorun feature


Alias:
   •  Eset: Win32/Qhost.NYP


Platform / OS:
   • Windows XP


Side effects:
   • Blocks access to certain websites
   • Blocks access to security websites
   • Lowers security settings
   • Registry modification

Files

It copies itself to the following locations:
   • %TEMPDIR%\f89b359b-4abe-4b1b-b3a2-5179690897fc\wrk1.tmp_46
   • %APPDATA%\f90d803d-7bb2-46b8-a890-d6d8b6800dd5_46.avi



It overwrites the following file:
   • %SYSDIR%\drivers\etc\hosts

Registry

The following registry key is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "f90d803d-7bb2-46b8-a890-d6d8b6800dd5_46"="rundll32.exe \"%APPDATA%\f90d803d-7bb2-46b8-a890-d6d8b6800dd5_46.avi\", start"



The following registry key is added:

– [HKCU\SOFTWARE\Microsoft\Cryptography]
   • MachineGuid="f89b359b-4abe-4b1b-b3a2-5179690897fc"

Hosts

The hosts file is modified as follows:

– Existing entries may be overwritten.

– Access to the following domains is redirected to other destinations:
   • google.com; search.yahoo.com; uk.search.yahoo.com; google.com.br;
      google.it; google.es; google.co.jp; google.com.mx; google.ca;
      google.com.au; google.nl; google.co.za; google.be; google.gr;
      google.at; google.se; google.ch; google.pt; google.dk; google.fi;
      google.ie; google.no; google.de; google.fr; google.co.uk; bing.com
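
A defensive check for the hosts change described above, as an added example that is not part of the original description: it parses hosts-file text and reports any mapping for the listed search domains. The sample content, the 192.0.2.10 address, the function names, the SystemRoot-based path and the matching of subdomains such as www.google.com are assumptions made for the illustration.

```python
import os

# Domains listed in this description as redirected by the modified hosts file.
SEARCH_DOMAINS = frozenset("""
google.com search.yahoo.com uk.search.yahoo.com google.com.br google.it
google.es google.co.jp google.com.mx google.ca google.com.au google.nl
google.co.za google.be google.gr google.at google.se google.ch google.pt
google.dk google.fi google.ie google.no google.de google.fr google.co.uk
bing.com
""".split())

# Constructed sample; 192.0.2.10 is a documentation address, not an observed one.
SAMPLE_HOSTS = """\ufeff# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
192.0.2.10      google.com www.google.com   # two names on one line
192.0.2.10      UK.Search.Yahoo.com.
192.0.2.10      notgoogle.com
#192.0.2.10     bing.com
"""

def parse_hosts(text):
    """Yield (line_number, address, hostname) for each mapping in hosts text."""
    for lineno, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        for name in fields[1:]:                 # one address may map several names
            yield lineno, fields[0], name.lower().rstrip(".")

def is_listed(host):
    """True for a listed domain or a subdomain of one (subdomains: assumption)."""
    return any(host == d or host.endswith("." + d) for d in SEARCH_DOMAINS)

def suspicious_entries(text):
    """Return every hosts mapping that names one of the listed search domains."""
    return [e for e in parse_hosts(text) if is_listed(e[2])]

if __name__ == "__main__":
    path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                        "System32", "drivers", "etc", "hosts")
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_HOSTS                     # fall back to the constructed sample
    for lineno, address, host in suspicious_entries(text):
        print(f"line {lineno}: {host} -> {address}")
```

A clean hosts file normally contains no mapping for any of these domains, so every reported line deserves review whatever address it points to.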


Description inserted by Florian Burlefinger on Wednesday, July 28, 2010
Description updated by Andrei Ivanes on Monday, August 2, 2010
