

Trojan:BASH/QHost.WB


Aliases:


Trojan:BASH/QHost.WB
BASH/QHost.WB
QHost
QHost.WB

Malware
Trojan
BASH

Summary

Trojan:BASH/QHost.WB hijacks web traffic by modifying the hosts file.



Disinfection & Removal


Manually correcting the hosts file

  1. Open a terminal and change directory to */private/etc/* (on OS X, */etc* is a symbolic link to this directory):
     $ cd /private/etc
  2. Open the *hosts* file in an editor of your choice. Note: you need root privileges to modify it.
     $ sudo vim hosts
     You should see entries similar to the following:
     91.224.160.26 google.com
     91.224.160.26 google.ae
     91.224.160.26 google.as[truncated for brevity]
  3. Remove every line containing *91.224.160.26* from the hosts file and save it. Legitimate entries such as *127.0.0.1 localhost* must stay in place.
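The manual steps above, scripted so the clean-up is repeatable and leaves a backup for later forensics. This is an added example, not a tool from the F-Secure write-up: it assumes POSIX sh, awk and grep, takes the sink-hole address from the text above, and on a real system must be run as root (via sudo) against /etc/hosts. The demonstration at the bottom works on a constructed copy of a hosts file, not a real infected one.

```shell
#!/bin/sh
# Added example (not part of the F-Secure write-up): script the manual
# hosts-file clean-up so it is repeatable and keeps a backup.
# Assumptions: POSIX sh, awk and grep are available; the sink-hole address
# is the one quoted in the text; run as root (sudo) against /etc/hosts on a
# real system. The demo at the bottom uses a constructed hosts file.

QHOST_IP="91.224.160.26"

# hijacked_entries FILE IP: print how many non-comment lines in FILE map a
# hostname to IP. Matching on the first field only means a commented-out
# note mentioning the address, or a longer address such as 191.224.160.26,
# is not counted.
hijacked_entries() {
    he_file="$1"; he_ip="$2"
    awk -v ip="$he_ip" '$1 == ip { n++ } END { print n + 0 }' "$he_file"
}

# clean_hosts FILE IP: back FILE up to FILE.bak, drop every line whose first
# field is IP, and print the number of lines removed. Everything else in the
# file (localhost, broadcasthost, comments, blank lines) is kept verbatim.
clean_hosts() {
    ch_file="$1"; ch_ip="$2"
    cp "$ch_file" "$ch_file.bak"
    ch_before=$(wc -l < "$ch_file")
    awk -v ip="$ch_ip" '$1 != ip' "$ch_file.bak" > "$ch_file"
    ch_after=$(wc -l < "$ch_file")
    echo $((ch_before - ch_after))
}

# --- Demonstration on a constructed hosts file (not a real infected sample) ---
demo_dir=$(mktemp -d)
demo_hosts="$demo_dir/hosts"
cat > "$demo_hosts" <<'EOF'
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
91.224.160.26 google.com
91.224.160.26 google.co.uk
91.224.160.26 google.de
EOF

echo "hijacked entries before: $(hijacked_entries "$demo_hosts" "$QHOST_IP")"
echo "removed: $(clean_hosts "$demo_hosts" "$QHOST_IP") (backup: $demo_hosts.bak)"
echo "hijacked entries after:  $(hijacked_entries "$demo_hosts" "$QHOST_IP")"
```

Keep the .bak copy: it records exactly which domains the installer hijacked. After cleaning the real file, confirm that name resolution no longer goes through the hosts entry, for example with dscacheutil -q host -a name google.com, which should no longer return 91.224.160.26.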


Technical Details

Trojan:BASH/QHost.WB poses as a FlashPlayer installer called FlashPlayer.pkg:

Screenshot of Trojan:BASH/QHost.WB masquerading as a FlashPlayer

This trojan is also discussed further in our Labs Weblog post.


Activity

Upon installation, the trojan hijacks traffic destined for Google by adding entries to the hosts file that map the following Google domains to 91.224.160.26:

  • 91.224.160.26 google.com
  • 91.224.160.26 google.ae
  • 91.224.160.26 google.as
  • 91.224.160.26 google.at
  • 91.224.160.26 google.az
  • 91.224.160.26 google.ba
  • 91.224.160.26 google.be
  • 91.224.160.26 google.bg
  • 91.224.160.26 google.bs
  • 91.224.160.26 google.ca
  • 91.224.160.26 google.cd
  • 91.224.160.26 google.com.gh
  • 91.224.160.26 google.com.hk
  • 91.224.160.26 google.com.jm
  • 91.224.160.26 google.com.mx
  • 91.224.160.26 google.com.my
  • 91.224.160.26 google.com.na
  • 91.224.160.26 google.com.nf
  • 91.224.160.26 google.com.ng
  • 91.224.160.26 google.ch
  • 91.224.160.26 google.com.np
  • 91.224.160.26 google.com.pr
  • 91.224.160.26 google.com.qa
  • 91.224.160.26 google.com.sg
  • 91.224.160.26 google.com.tj
  • 91.224.160.26 google.com.tw
  • 91.224.160.26 google.dj
  • 91.224.160.26 google.de
  • 91.224.160.26 google.dk
  • 91.224.160.26 google.dm
  • 91.224.160.26 google.ee
  • 91.224.160.26 google.fi
  • 91.224.160.26 google.fm
  • 91.224.160.26 google.fr
  • 91.224.160.26 google.ge
  • 91.224.160.26 google.gg
  • 91.224.160.26 google.gm
  • 91.224.160.26 google.gr
  • 91.224.160.26 google.ht
  • 91.224.160.26 google.ie
  • 91.224.160.26 google.im
  • 91.224.160.26 google.in
  • 91.224.160.26 google.it
  • 91.224.160.26 google.ki
  • 91.224.160.26 google.la
  • 91.224.160.26 google.li
  • 91.224.160.26 google.lv
  • 91.224.160.26 google.ma
  • 91.224.160.26 google.ms
  • 91.224.160.26 google.mu
  • 91.224.160.26 google.mw
  • 91.224.160.26 google.nl
  • 91.224.160.26 google.no
  • 91.224.160.26 google.nr
  • 91.224.160.26 google.nu
  • 91.224.160.26 google.pl
  • 91.224.160.26 google.pn
  • 91.224.160.26 google.pt
  • 91.224.160.26 google.ro
  • 91.224.160.26 google.ru
  • 91.224.160.26 google.rw
  • 91.224.160.26 google.sc
  • 91.224.160.26 google.se
  • 91.224.160.26 google.sh
  • 91.224.160.26 google.si
  • 91.224.160.26 google.sm
  • 91.224.160.26 google.sn
  • 91.224.160.26 google.st
  • 91.224.160.26 google.tl
  • 91.224.160.26 google.tm
  • 91.224.160.26 google.tt
  • 91.224.160.26 google.us
  • 91.224.160.26 google.vu
  • 91.224.160.26 google.ws
  • 91.224.160.26 google.co.ck
  • 91.224.160.26 google.co.id
  • 91.224.160.26 google.co.il
  • 91.224.160.26 google.co.in
  • 91.224.160.26 google.co.jp
  • 91.224.160.26 google.co.kr
  • 91.224.160.26 google.co.ls
  • 91.224.160.26 google.co.ma
  • 91.224.160.26 google.co.nz
  • 91.224.160.26 google.co.tz
  • 91.224.160.26 google.co.ug
  • 91.224.160.26 google.co.uk
  • 91.224.160.26 google.co.za
  • 91.224.160.26 google.co.zm
  • 91.224.160.26 google.com
  • 91.224.160.26 google.com.af
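The list above is what makes this family easy to spot: one non-loopback address mapped to dozens of distinct names. The following added example (not from the F-Secure write-up) turns that observation into a triage check that does not depend on knowing 91.224.160.26 in advance, so a variant that uses a different sink-hole address is still reported. It assumes POSIX sh, awk and sort; the hosts file at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the F-Secure write-up): triage a hosts file for
# QHost-style hijacking without relying on one known address. The trojan's
# footprint is a single non-loopback IP mapped to many distinct names, so
# report every IP that is mapped to at least MIN names.
# Assumptions: POSIX sh, awk and sort; the demo file below is constructed.

# suspicious_hosts_ips FILE MIN: print "IP count" for every non-loopback IP
# in FILE that is mapped to MIN or more distinct hostnames, most names first.
suspicious_hosts_ips() {
    sh_file="$1"; sh_min="$2"
    awk -v min="$sh_min" '
        NF == 0 || $1 ~ /^#/ { next }       # blank line or comment line
        $1 ~ /^127\./ || $1 == "::1" || $1 == "0.0.0.0" || $1 == "255.255.255.255" { next }  # stock local entries
        {
            ip = $1
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break        # trailing comment ends the entry
                key = ip SUBSEP $i          # count each (ip, name) pair once
                if (!(key in seen)) { seen[key] = 1; count[ip]++ }
            }
        }
        END { for (ip in count) if (count[ip] >= min) print ip, count[ip] }
    ' "$sh_file" | sort -k2,2nr -k1,1
}

# --- Demonstration on a constructed hosts file (not a real infected sample) ---
demo_dir=$(mktemp -d)
demo_hosts="$demo_dir/hosts"
cat > "$demo_hosts" <<'EOF'
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
10.0.0.5        intranet.example     # constructed, legitimate single entry
91.224.160.26 google.com
91.224.160.26 google.co.uk
91.224.160.26 google.de
91.224.160.26 google.fr   # a repeated name below is only counted once
91.224.160.26 google.fr
EOF

echo "IPs mapped to 3 or more names in $demo_hosts:"
suspicious_hosts_ips "$demo_hosts" 3
```

This is a heuristic, not a signature: an administrator who pins many internal names to one server will trip it too, so treat the threshold as a tuning knob and read the names behind a reported address before deciding it is a hijack. On a clean OS X install the only entries are localhost, broadcasthost and ::1, so any non-empty report from /etc/hosts deserves a look.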