Trojan:BAT/Qhost.AE
First posted on 23 February 2013.
Source: Microsoft
Aliases:
Trojan:BAT/Qhost.AE is also known as Trojan/Win32.Qhost (AhnLab), W32/Qhost.M.gen!Eldorado (Command), Trojan-Banker.Win32.Qhost.abak (Kaspersky).
Explanation:
Installation
Trojan:BAT/Qhost.AE is installed by a threat detected as Trojan:Win32/QHosts.BH.
It is installed as a BAT file that may have file names similar to the following:
- %ProgramFiles%\aa2\aa1\ebanaya.bat
- %ProgramFiles%\xx2\xx1\avarog.bat
- %ProgramFiles%\dd2\dd1\belaya.bat
- %ProgramFiles%\dd2\dd1\vidish.bat
Note: %ProgramFiles% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Program Files folder for Windows 2000, XP, 2003, Vista, 7, and 8 is "C:\Program Files".
Payload
Changes your HOSTS file contents
Trojan:BAT/Qhost.AE replaces the contents of your HOSTS file so that if you try to access any of these servers:
- m.my.mail.ru
- m.odnoklassniki.ru
- m.ok.ru
- m.vk.com
- my.mail.ru
- odnoklassniki.ru
- ok.ru
- vk.com
- www.odnoklassniki.ru
you are redirected to a different server, including those located in the following IP addresses:
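To check a machine for this payload, parse the HOSTS file (on Windows, %SystemRoot%\System32\drivers\etc\hosts) and flag any entry that maps one of the hostnames listed above to a non-loopback address. The Python script below is an added example, not part of the original Microsoft write-up; the function names and the sample file contents are constructed for illustration, and the sample addresses come from the 203.0.113.0/24 documentation range rather than from this page.

```python
import ipaddress

# Hostnames the write-up lists as redirected by Trojan:BAT/Qhost.AE.
TARGETED_HOSTS = {
    "m.my.mail.ru", "m.odnoklassniki.ru", "m.ok.ru", "m.vk.com", "my.mail.ru",
    "odnoklassniki.ru", "ok.ru", "vk.com", "www.odnoklassniki.ru",
}

def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in HOSTS-format text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing and full-line comments
        fields = line.split()
        if len(fields) < 2:
            continue  # blank line or address without a hostname
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not a valid IPv4/IPv6 address
        for name in fields[1:]:  # one line may map several names
            yield line_no, addr, name.lower().rstrip(".")

def find_redirects(text, watched=TARGETED_HOSTS):
    """Return (line_no, hostname, address) for watched names sent to a remote address."""
    hits = []
    for line_no, addr, name in parse_hosts(text):
        # Loopback and 0.0.0.0 entries block a site; they do not redirect it.
        if name in watched and not addr.is_loopback and not addr.is_unspecified:
            hits.append((line_no, name, str(addr)))
    return hits

# Constructed sample HOSTS content (not taken from an infected machine).
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
203.0.113.10    vk.com m.vk.com      # injected mapping
203.0.113.11\tWWW.Odnoklassniki.RU
0.0.0.0         ok.ru                # blackholed, not a redirect
# 203.0.113.12  my.mail.ru
203.0.113.13    example.org
"""

if __name__ == "__main__":
    for line_no, name, addr in find_redirects(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {addr}")
```

A public website has no legitimate reason to appear in a default HOSTS file, so any hit is worth investigating even when the address differs from known indicators.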
Analysis by Jireh Sanico
Last update 23 February 2013