Virus: TR/Rogue.KD.873646.2
Date discovered: 28/02/2013
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 32.3584 Bytes
MD5 checksum: 69CD1E768A994A3520495820E44E3896
VDF version: 7.11.63.38 - Thursday, February 28, 2013
IVDF version: 7.11.63.38 - Thursday, February 28, 2013

General

Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Trojan.Win32.Qhost.afik
   •  Avast: Win32:Downloader-SPM [Trj]
   •  Microsoft: Trojan:Win32/Qhost.KA
   •  Panda: Trj/CI.A
   •  Eset: Win32/Delf.RDV
   •  Fortinet: W32/Qhost.AFIK!tr


Platform / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Downloads files

Files

It deletes the following file:
   • %PROGRAM FILES%\Internet Explorer\iexplore.exe



The following files are created:

   • %PROGRAM FILES%\ext\background.html It is executed after it has been fully created.
   • %PROGRAM FILES%\ext\background.js It is executed after it has been fully created.
   • %PROGRAM FILES%\ext\script.js It is executed after it has been fully created.



It tries to download some files:

– The location is the following:
   • sitep**********xt.zip
It is saved on the local hard drive under:
   • %PROGRAM FILES%\rhpuqnezqqaddeimlhsyanttichobmmvbbugfmocmmqnqoftfavoispgprgvpfoyixpuhettybhgayet.zip
Furthermore, this file is executed after it has been fully downloaded.

Description inserted by Eric Burk on Wednesday, March 20, 2013
Description updated by Eric Burk on Wednesday, March 20, 2013
