Threat Description

Trojan:W32/Qhost

Details

Category: Malware
Type: Trojan
Platform: W32
Aliases: Trojan.Win32.Qhost

Summary


Trojan.Win32.Qhost identifies a HOSTS file that appears to be maliciously modified to block access to antivirus vendor websites and update servers.



Removal


F-Secure renames the malware-modified HOSTS file to HOSTS.0. Windows then creates a new file that restores website access. The renamed file can then be deleted.


Suspect A False Positive?

It is possible that a heuristic detection can inadvertently cause a False Positive. If you suspect this to be the case, please first ensure your F-Secure security program is completely up-to-date with the latest detection database updates, then rescan the suspect file.

If you continue to suspect a False Positive (or alternatively, a file identified as Clean should have been marked as malicious) you can submit a sample of the suspect file to our Security Labs for further analysis via the Sample Analysis System (SAS).






Technical Details


Some malicious applications modify the Windows HOSTS file in an attempt to block access to antivirus vendor websites and update servers. A stock Windows HOSTS file contains only a loopback entry for localhost; the malware variants covered here append further entries that map antivirus vendor host names to the loopback address, so that the vendors' websites become inaccessible and the affected antivirus programs stop receiving updates.

Example

A normal HOSTS file will appear as follows:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

The typical file path is:

  • C:\%windir%\system32\drivers\etc\hosts

A malware-modified version of the HOSTS file will contain additional entries:

  • 127.0.0.1 avp.com
  • 127.0.0.1 ca.com
  • 127.0.0.1 customer.symantec.com
  • 127.0.0.1 dispatch.mcafee.com
  • 127.0.0.1 download.mcafee.com
  • 127.0.0.1 f-secure.com
  • 127.0.0.1 kaspersky.com
  • 127.0.0.1 liveupdate.symantec.com
  • 127.0.0.1 liveupdate.symantecliveupdate.com
  • 127.0.0.1 localhost
  • 127.0.0.1 mast.mcafee.com
  • 127.0.0.1 mcafee.com
  • 127.0.0.1 my-etrust.com
  • 127.0.0.1 nai.com
  • 127.0.0.1 networkassociates.com
  • 127.0.0.1 rads.mcafee.com
  • 127.0.0.1 secure.nai.com
  • 127.0.0.1 securityresponse.symantec.com
  • 127.0.0.1 sophos.com
  • 127.0.0.1 symantec.com
  • 127.0.0.1 trendmicro.com
  • 127.0.0.1 update.symantec.com
  • 127.0.0.1 updates.symantec.com
  • 127.0.0.1 us.mcafee.com
  • 127.0.0.1 viruslist.com
  • 127.0.0.1 viruslist.com
  • 127.0.0.1 www.avp.com
  • 127.0.0.1 www.ca.com
  • 127.0.0.1 www.f-secure.com
  • 127.0.0.1 www.kaspersky.com
  • 127.0.0.1 www.mcafee.com
  • 127.0.0.1 www.my-etrust.com
  • 127.0.0.1 www.nai.com
  • 127.0.0.1 www.networkassociates.com
  • 127.0.0.1 www.sophos.com
  • 127.0.0.1 www.symantec.com
  • 127.0.0.1 www.trendmicro.com
  • 127.0.0.1 www.viruslist.com

Host names mapped to 127.0.0.1 resolve to the local loopback address, so connections to those websites or servers never leave the machine and they become unreachable.
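The following scanner is an added example written for this page; it is not F-Secure's detection logic. It parses a HOSTS file using the comment and column rules stated in the stock file header shown above, flags the two signals the page describes (vendor host names present in HOSTS at all, and any name other than localhost pointed at loopback), and sets a modified file aside as HOSTS.0 in the way the Removal section describes. The vendor watch list is assembled from the domains listed above, and the sample file contents are constructed. It goes slightly beyond the page in treating all of 127.0.0.0/8 and ::1 as loopback, not only 127.0.0.1.

```python
"""Scan a Windows HOSTS file for the Qhost pattern: security-vendor host
names mapped to loopback so that update servers become unreachable.

Added example, not F-Secure's detection logic. Watch list and sample file
are constructed from the domains shown on this page.
"""
import ipaddress
import tempfile
from pathlib import Path

# Names a stock Windows HOSTS file legitimately maps to loopback.
LEGITIMATE_LOOPBACK = {"localhost"}

# Second-level domains of the vendors listed on this page (constructed
# watch list; a real deployment would maintain its own).
VENDOR_DOMAINS = {
    "avp.com", "ca.com", "f-secure.com", "kaspersky.com", "mcafee.com",
    "my-etrust.com", "nai.com", "networkassociates.com", "sophos.com",
    "symantec.com", "symantecliveupdate.com", "trendmicro.com",
    "viruslist.com",
}

# Constructed sample: part of the stock header plus appended entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# For example:
#      102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
::1             localhost
127.0.0.1 f-secure.com
127.0.0.1 liveupdate.symantec.com   # appended by malware (constructed)
127.0.0.1 www.kaspersky.com
127.0.0.1 update.example.net        # not a vendor, still a loopback sinkhole
10.0.0.5  intranet.example          # benign admin entry, must not be flagged
"""


def parse_hosts(text):
    """Return (lineno, ip, [hostnames]) for each mapping line.

    '#' starts a comment that runs to end of line, as the file's own header
    explains; blank and comment-only lines carry no mapping."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:  # blank, comment-only, or an IP with no name
            continue
        entries.append((lineno, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def is_loopback(ip):
    """True for 127.0.0.0/8 and ::1; an unparsable address is not loopback."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def registered_domain(host):
    """Last two labels of a host name: enough for the watch list above
    (no public-suffix handling, so 'co.uk'-style names would need more)."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def find_sinkholed_hosts(text):
    """Return (lineno, ip, host, reason) for every suspicious mapping."""
    findings = []
    for lineno, ip, hosts in parse_hosts(text):
        for host in hosts:
            if host in LEGITIMATE_LOOPBACK:
                continue
            if registered_domain(host) in VENDOR_DOMAINS:
                findings.append((lineno, ip, host, "security vendor host overridden"))
            elif is_loopback(ip):
                findings.append((lineno, ip, host, "non-localhost name mapped to loopback"))
    return findings


def quarantine_hosts(path):
    """Rename the modified file to HOSTS.0 beside it, the step the Removal
    section describes, and return the new path."""
    path = Path(path)
    target = path.with_name(path.name + ".0")
    path.rename(target)
    return target


def run_demo():
    """Write the sample into a temp dir, scan it, quarantine it on a hit.
    Returns (findings, quarantined_path, original_still_present)."""
    hosts = Path(tempfile.mkdtemp()) / "hosts"
    hosts.write_text(SAMPLE_HOSTS)
    findings = find_sinkholed_hosts(hosts.read_text())
    quarantined = quarantine_hosts(hosts) if findings else None
    return findings, quarantined, hosts.exists()


if __name__ == "__main__":
    found, moved, _ = run_demo()
    for lineno, ip, host, reason in found:
        print(f"line {lineno}: {ip} {host}  <- {reason}")
    print("quarantined to", moved)
```

The scan works on file text, so it can be pointed at a copy collected from a host rather than the live file; `run_demo` only ever touches a file it created in a temporary directory. The duplicate `viruslist.com` entries in the list above would simply produce two findings, which is the right outcome for a scanner that reports per line.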



Detection


F-Secure detects malware-modified Windows HOSTS files as Trojan:W32/Qhost or Trojan.Win32.Qhost. The detected HOSTS file is renamed to HOSTS.0.



