
Trojan:Win32/QHosts.BH


First posted on 22 January 2013.
Source: Microsoft

Aliases:

Trojan:Win32/QHosts.BH is also known as Trojan.Hosts.6167 (Dr.Web), Win32/Bicololo.A trojan (ESET), Trojan.VBS.Downloader (Ikarus), Trojan.Win32.Qhost.aeif (Kaspersky).

Explanation:



Trojan:Win32/Qhosts.BH is a trojan that redirects your web browser away from certain sites and may download additional malware onto your computer.



Installation

The trojan is usually downloaded onto your computer by other malware.

When run, Trojan:Win32/Qhosts.BH creates a folder path in the %ProgramFiles% folder in the format "<letter_number>\<letter_number>". We have observed the following folder path:

%ProgramFiles%\l1\l1

Note: %ProgramFiles% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Program Files folder for Windows 2000, XP, 2003, Vista and 7 is "C:\Program Files".

Trojan:Win32/Qhosts.BH then creates the following three files in the folder path:

  • A batch file (BAT), which alters your computer's Hosts file
  • Either one of the following files:
    • A text (TXT) file, from which the trojan obtains additional information about the server it connects to, or
    • An image file (JPG), which the trojan may use to distract you while it alters the Hosts file
  • An executable file (EXE), which connects to a remote server to report the trojan's infection and download additional files


In the wild, we have observed it using the following file names:

  • %ProgramFiles%\l1\l1\ko.txt
  • %ProgramFiles%\l1\l1\ij0o0o0o.bat
  • %ProgramFiles%\l1\l1\sdfw4t34g35g45gh.exe
  • %ProgramFiles%\l1\l1\093ijf9o3ih3ff.jpg


Payload

Modifies the Hosts file

Trojan:Win32/Qhosts.BH modifies the Windows Hosts file in order to redirect specified URLs to different IP addresses.

When run, the trojan loads the batch file that it created during installation. To hide the running of the batch file, the trojan may display an image.

The trojan redirects your web browser away from the following sites:

  • m.my.mail.ru
  • m.odnoklassniki.ru
  • m.ok.ru
  • m.vk.com
  • my.mail.ru
  • odnoklassniki.ru
  • ok.ru
  • vk.com


We have observed the trojan redirecting traffic from those sites to the following address:

94.249.189.127
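The redirect described above leaves a visible trace in the Hosts file: a public, routable address assigned to a hostname. The following Python check is an added example for defenders and is not part of the Microsoft analysis; it parses Hosts-file text, flags any mapping to a global address, and marks whether the hostname and target match the indicators listed on this page. The sample Hosts content is constructed, not captured from a real machine.

```python
import ipaddress

# Domains the analysis above says this trojan redirects, and the target it used.
REDIRECTED_DOMAINS = {"m.my.mail.ru", "m.odnoklassniki.ru", "m.ok.ru", "m.vk.com",
                      "my.mail.ru", "odnoklassniki.ru", "ok.ru", "vk.com"}
KNOWN_REDIRECT_TARGET = "94.249.189.127"

def parse_hosts(text):
    """Return (ip, hostname, line_no) tuples; strips comments, handles aliases."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an "IP hostname..." mapping
        entries.extend((parts[0], name.lower(), line_no) for name in parts[1:])
    return entries

def find_suspicious_redirects(text):
    """Flag Hosts entries that point a hostname at a public (routable) address.

    Legitimate Hosts entries almost always map to loopback, unspecified or
    private ranges; a global address is how a Qhosts-style redirect hijacks a site."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if not ipaddress.ip_address(ip).is_global:
            continue
        findings.append({"line": line_no, "host": name, "ip": ip,
                         "known_domain": name in REDIRECTED_DOMAINS,
                         "known_target": ip == KNOWN_REDIRECT_TARGET})
    return findings

# Constructed sample Hosts file (not captured from a real machine).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.example.local   # legitimate internal mapping
94.249.189.127  vk.com m.vk.com
94.249.189.127  ok.ru
0.0.0.0         ads.example.net          # ad-blocking entry, not a redirect
"""
```

On a live Windows machine, pass the contents of %SystemRoot%\System32\drivers\etc\hosts to find_suspicious_redirects; any finding with known_domain or known_target set matches this trojan's published indicators, while other findings still deserve a look.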

Contacts remote hosts

Trojan:Win32/Qhosts.BH attempts to connect to the following remote host:

46.166.160.139

Commonly, malware may contact a remote host for the following purposes:

  • To confirm Internet connectivity
  • To report a new infection to its author
  • To receive configuration or other data
  • To download and execute arbitrary files (including updates or additional malware)
  • To receive instruction from a remote attacker
  • To upload data taken from the affected computer




Analysis by Jasmine Sesso

Last update 22 January 2013

 
