Select local site

| Japanese | Simplified Chinese | Traditional Chinese (Hong Kong) | Traditional Chinese (Taiwan)

F-Secure Malware Information Pages: Qhost
[Summary] | [Disinfection] | [Detailed Description]

Name : Qhost
Alias:Trojan.Win32.Qhost, HOSTS, Trojan:W32/Qhost
Type:Trojan
Category:Malware
Platform:W32
Radar

Summary

Several malicious programs, for example Agobot backdoor, modify
Windows HOSTS file to block access to websites and update servers
of several anti-virus companies. As a result, websites of
anti-virus vendors become inaccessible and anti-virus programs
can stop getting updates.
Back to the Top

Disinfection

After F-Secure Anti-Virus renames the trojanized HOSTS file,
Windows creates a new one that unblocks access to all websites.
The renamed trojanized HOSTS.0 file can be deleted from a hard
drive.
Back to the Top

Detailed Description
The Windows HOSTS file usually contains information about
localhost only, but some malware add more data to this file and
that results in blocking access to several anti-virus websites
and update servers. For example a trojanized HOSTS file can look
like that:

# Copyright (c) 1993-1999 Microsoft Corp.
#

#

  • 127.0.0.1 localhost
  • 127.0.0.1 www.symantec.com
  • 127.0.0.1 securityresponse.symantec.com
  • 127.0.0.1 symantec.com
  • 127.0.0.1 www.sophos.com
  • 127.0.0.1 sophos.com
  • 127.0.0.1 www.mcafee.com
  • 127.0.0.1 mcafee.com
  • 127.0.0.1 liveupdate.symantecliveupdate.com
  • 127.0.0.1 www.viruslist.com
  • 127.0.0.1 viruslist.com
  • 127.0.0.1 viruslist.com
  • 127.0.0.1 f-secure.com
  • 127.0.0.1 www.f-secure.com
  • 127.0.0.1 kaspersky.com
  • 127.0.0.1 www.avp.com
  • 127.0.0.1 www.kaspersky.com
  • 127.0.0.1 avp.com
  • 127.0.0.1 www.networkassociates.com
  • 127.0.0.1 networkassociates.com
  • 127.0.0.1 www.ca.com
  • 127.0.0.1 ca.com
  • 127.0.0.1 mast.mcafee.com
  • 127.0.0.1 my-etrust.com
  • 127.0.0.1 www.my-etrust.com
  • 127.0.0.1 download.mcafee.com
  • 127.0.0.1 dispatch.mcafee.com
  • 127.0.0.1 secure.nai.com
  • 127.0.0.1 nai.com
  • 127.0.0.1 www.nai.com
  • 127.0.0.1 update.symantec.com
  • 127.0.0.1 updates.symantec.com
  • 127.0.0.1 us.mcafee.com
  • 127.0.0.1 liveupdate.symantec.com
  • 127.0.0.1 customer.symantec.com
  • 127.0.0.1 rads.mcafee.com
  • 127.0.0.1 trendmicro.com
  • 127.0.0.1 www.trendmicro.com

F-Secure Anti-Virus detects a trojanized Windows HOSTS file as
'Trojan.Win32.Qhost' and renames it.
Back to the Top



F-Secure Corporation

Last Modified: January 01, 2006