Trojan:BASH/QHost.WB

Summary

Trojan:BASH/QHost.WB hijacks web traffic by modifying the hosts file.

Disinfection & Removal

Manually correcting the hosts file

• 1. Open terminal and change directory to */private/etc/*
  • $cd /private/etc
• 2. Use any editor tool you prefer and edit the *hosts* file. Note: You need root privilege to do this.
  • $sudo vim hosts
• You should see something similar to the following:
  • 91.224.160.26 google.com
  • 91.224.160.26 google.ae
  • 91.224.160.26 google.as[truncated for brevity]
• 3. Remove all the entries contain *91.224.160.26* from the hosts file.

Technical Details

Trojan:BASH/QHost.WB poses as a FlashPlayer installer called FlashPlayer.pkg:

Screenshot of Trojan:BASH/QHost.WB masquerading as a FlashPlayer

This trojan is also further discussed in our Labs Weblog post:

• Trojan:BASH/QHost.WB

Activity

Upon installation, the trojan will hijack and redirect web traffic to Google by adding the following entries to the hosts file:

• 91.224.160.26 google.com
• 91.224.160.26 google.ae
• 91.224.160.26 google.as
• 91.224.160.26 google.at
• 91.224.160.26 google.az
• 91.224.160.26 google.ba
• 91.224.160.26 google.be
• 91.224.160.26 google.bg
• 91.224.160.26 google.bs
• 91.224.160.26 google.ca
• 91.224.160.26 google.cd
• 91.224.160.26 google.com.gh
• 91.224.160.26 google.com.hk
• 91.224.160.26 google.com.jm
• 91.224.160.26 google.com.mx
• 91.224.160.26 google.com.my
• 91.224.160.26 google.com.na
• 91.224.160.26 google.com.nf
• 91.224.160.26 google.com.ng
• 91.224.160.26 google.ch
• 91.224.160.26 google.com.np
• 91.224.160.26 google.com.pr
• 91.224.160.26 google.com.qa
• 91.224.160.26 google.com.sg
• 91.224.160.26 google.com.tj
• 91.224.160.26 google.com.tw
• 91.224.160.26 google.dj
• 91.224.160.26 google.de
• 91.224.160.26 google.dk
• 91.224.160.26 google.dm
• 91.224.160.26 google.ee
• 91.224.160.26 google.fi
• 91.224.160.26 google.fm
• 91.224.160.26 google.fr
• 91.224.160.26 google.ge
• 91.224.160.26 google.gg
• 91.224.160.26 google.gm
• 91.224.160.26 google.gr
• 91.224.160.26 google.ht
• 91.224.160.26 google.ie
• 91.224.160.26 google.im
• 91.224.160.26 google.in
• 91.224.160.26 google.it
• 91.224.160.26 google.ki
• 91.224.160.26 google.la
• 91.224.160.26 google.li
• 91.224.160.26 google.lv
• 91.224.160.26 google.ma
• 91.224.160.26 google.ms
• 91.224.160.26 google.mu
• 91.224.160.26 google.mw
• 91.224.160.26 google.nl
• 91.224.160.26 google.no
• 91.224.160.26 google.nr
• 91.224.160.26 google.nu
• 91.224.160.26 google.pl
• 91.224.160.26 google.pn
• 91.224.160.26 google.pt
• 91.224.160.26 google.ro
• 91.224.160.26 google.ru
• 91.224.160.26 google.rw
• 91.224.160.26 google.sc
• 91.224.160.26 google.se
• 91.224.160.26 google.sh
• 91.224.160.26 google.si
• 91.224.160.26 google.sm
• 91.224.160.26 google.sn
• 91.224.160.26 google.st
• 91.224.160.26 google.tl
• 91.224.160.26 google.tm
• 91.224.160.26 google.tt
• 91.224.160.26 google.us
• 91.224.160.26 google.vu
• 91.224.160.26 google.ws
• 91.224.160.26 google.co.ck
• 91.224.160.26 google.co.id
• 91.224.160.26 google.co.il
• 91.224.160.26 google.co.in
• 91.224.160.26 google.co.jp
• 91.224.160.26 google.co.kr
• 91.224.160.26 google.co.ls
• 91.224.160.26 google.co.ma
• 91.224.160.26 google.co.nz
• 91.224.160.26 google.co.tz
• 91.224.160.26 google.co.ug
• 91.224.160.26 google.co.uk
• 91.224.160.26 google.co.za
• 91.224.160.26 google.co.zm
• 91.224.160.26 google.com
• 91.224.160.26 google.com.af