Latest trojan.qhosts

  1. #1
    Senior Member
    Join Date
    Jul 2003
    Posts
    217

    Latest trojan.qhosts

    Some info I thought you might want to know about. This one got me and I update my virus defs daily.

    http://securityresponse.symantec.com...an.qhosts.html


    Please see initial reports from Sophos:

    At the time of writing Sophos has received no reports from users affected by
    this trojan. However, we have issued this advisory following enquiries to
    our support department from customers.


    Description
    Troj/Qhosts-1 is a Trojan that changes the Windows primary DNS server
    setting so that all infected machines use the same host for the DNS queries.
    If the number of infected computers is high, it may effectively launch a
    denial of service attack on the DNS server.
    Troj/Qhosts-1 also "hijacks" Internet Explorer browser usage so that web
    requests are redirected to the server chosen by the Trojan writer. The Trojan
    is installed and run if a user visits a web page that exploits a
    vulnerability in Internet Explorer. A VB script embedded in the web page is
    run automatically when the page is viewed using Internet Explorer.

    The VB script drops and runs file aolfix.exe to the user's temporary folder.
    Aolfix.exe is a Windows batch file that is converted to the Windows binary
    executable using the demo version of the Batch file Compiler V5.1 utility.
    Aolfix.exe creates a hidden folder bdtmp\tmp, extracts a batch file with a
    random name and runs the batch file.

    The batch file creates several files in the Windows folder. The file Hosts
    is responsible for the Internet Explorer "hijack". Troj/Qhosts-1 copies the file
    HOSTS into the folder <Windows>\Help and appends the original HOSTS file to
    it.

    The Trojan changes the registry values

    HKLM\System\ControlSet001\Services\Tcpip\Parameters\DataBasePath and
    HKLM\System\ControlSet002\Services\Tcpip\Parameters\DataBasePath

    so that the Trojan copy of the HOSTS files is used by the system. There are
    few known variants of the Trojan. Depending on the variant the Trojan may
    set some other registry values, such as

    HKLM\System\CurrentControlSet\Services\VxD\MSTCP
    EnableDNS = 1
    NameServer = 216.127.92.38 or 69.57.146.14, 69.57.147.175
    Hostname = "host"
    Domain= "mydomain.com"

    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable= 00000000
    MigrateProxy=00000000
    HKCU\Software\Microsoft\Internet Explorer\Main
    Use Search Asst=no
    Search Page= http://www.google.com
    Search Bar=http://www.google.com/ie

    HKCU\Software\Microsoft\Internet Explorer\SearchURL
    ""="http://www.google.com/keyword/
    provider=gogl

    HKLM\SOFTWARE\Microsoft\Internet Explorer\Search
    SearchAssistant=http://www.google.com/ie

    HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\interfaces\windows
    r0x=your s0x
    HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\interfaces\windows
    r0x=your s0x

    Some of the variants drop and run VB script o.vbs into the Windows folder.
    The script attempts to use Windows Management Instrumentation to change the
    primary DNS server setting for the network interface.
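
A defender's check for the changes listed in the Sophos write-up above, added here as an example and not part of the original post or of any vendor tool: it parses a HOSTS file for names pinned to public addresses and inspects an exported set of registry values for a DataBasePath that no longer points at the default etc folder, for the resolver IPs quoted above in NameServer, and for the r0x marker value. The sample HOSTS text and registry snapshot are constructed; the Help-folder path used for the hijacked DataBasePath is an assumption drawn from the advisory's description, not a value it quotes.

```python
"""Spot the Troj/Qhosts-1 changes described above on a Windows box.

Added example (not from the thread or from any vendor): it audits a HOSTS
file and a set of exported registry values. Sample inputs below are
constructed; the resolver IPs are the ones listed in the Sophos description.
"""
import ipaddress
import re

# Windows default for Tcpip\Parameters\DataBasePath (REG_EXPAND_SZ).
EXPECTED_DATABASE_PATH = r"%SystemRoot%\System32\drivers\etc"

# Resolver addresses quoted in the advisory's NameServer value.
ADVISORY_NAMESERVERS = {"216.127.92.38", "69.57.146.14", "69.57.147.175"}


def parse_hosts(text):
    """Return [(ip_address, [names])] for each active HOSTS line.

    Comments and blank lines are skipped; lines whose first field is not
    an IP address are ignored, which is what the resolver does as well.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append((ip, [name.lower() for name in fields[1:]]))
    return entries


def suspicious_hosts_entries(text):
    """Return (name, ip) pairs that pin a name to a public address.

    Heuristic: legitimate HOSTS entries almost always point at loopback
    or LAN addresses. A public address is how the Trojan sends requests
    for a well-known site to a server of its author's choosing.
    """
    findings = []
    for ip, names in parse_hosts(text):
        if ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified:
            continue
        findings.extend((name, str(ip)) for name in names)
    return findings


def check_registry(values):
    """Audit a {value_path: data} mapping exported from the registry.

    Returns one human-readable finding per problem: a DataBasePath that
    no longer points at the default etc folder, a NameServer containing a
    resolver from the advisory, or the "r0x" marker value left behind.
    """
    findings = []
    for path, data in values.items():
        leaf = path.rsplit("\\", 1)[-1]
        if leaf.lower() == "databasepath":
            if data.strip().lower() != EXPECTED_DATABASE_PATH.lower():
                findings.append(f"{path} = {data!r} (expected {EXPECTED_DATABASE_PATH})")
        elif leaf.lower() == "nameserver":
            for resolver in re.split(r"[\s,]+", data.strip()):
                if resolver in ADVISORY_NAMESERVERS:
                    findings.append(f"{path} uses resolver {resolver} from the advisory")
        elif leaf == "r0x":
            findings.append(f"{path} = {data!r} (marker value set by the Trojan)")
    return findings


# Constructed sample: a HOSTS file after the hijack. The google.com line is
# the pattern to look for; the loopback and LAN lines are benign.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1       localhost
216.127.92.38   www.google.com google.com
192.168.1.10    fileserver.corp.example
"""

# Constructed registry snapshot. The Help-folder path is an assumption about
# where the advisory says the Trojan's copy of HOSTS lands.
SAMPLE_REGISTRY = {
    r"HKLM\System\ControlSet001\Services\Tcpip\Parameters\DataBasePath": r"C:\WINDOWS\Help",
    r"HKLM\System\CurrentControlSet\Services\VxD\MSTCP\NameServer": "69.57.146.14,69.57.147.175",
    r"HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\interfaces\windows\r0x": "your s0x",
}


def audit(hosts_text, registry_values):
    """Run both checks and return the combined list of findings."""
    report = [f"HOSTS pins {name} to {ip}" for name, ip in suspicious_hosts_entries(hosts_text)]
    report.extend(check_registry(registry_values))
    return report


if __name__ == "__main__":
    for line in audit(SAMPLE_HOSTS, SAMPLE_REGISTRY):
        print(line)
```

On a real machine the two inputs would come from the file the DataBasePath value actually points at (not only the default etc folder, since that is exactly what the Trojan changes) and from a registry export of both ControlSet keys; the public-address heuristic will also flag deliberate pins an administrator added, so treat its output as a review list rather than a verdict.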

  2. #2
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Thanks for the update on this one..... I keep my virus def. as up-to-date as possible (AVG Free) and I was hit by this as well.... Confused the hell outta me for a lil bit and then I browsed to google using the IP and ran a search at the same time that you threw up this thread. It's definitely a dirty lil bugger, caused a whole shitload of problems for me since google is my main reference.
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  3. #3
    Senior Member
    Join Date
    Jul 2003
    Posts
    217
    Since I am not the only one infected, I guess my config seems to be quite standard. I was wondering, how do we protect against this? Virus defs are already the latest and they didn't protect me. Is there something that I missed that could have protected me? The infection was from a website. AV didn't pick it up. If anyone says to stop surfing I'm gonna kick their a$$.....LOL..

    Just would like some opinions.

  4. #4
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    also, from Trend Micro

    TROJ_QHOSTS.A Technical Details

    a link therein provides the following M$ security Bulletin

    Microsoft Security Bulletin MS03-032

    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  5. #5
    Senior Member
    Join Date
    Jul 2003
    Posts
    217
    Just another article about this. Looks like another hole we have to patch.

    http://asia.cnet.com/newstech/securi...9153314,00.htm

    The M$ security bulletin saying that the Cumulative Patch for Internet Explorer (822925) solves this problem is not true, as you can read in the article I have linked to above. The patch was supposed to solve the problem but M$ recently realised that it doesn't.

    Sure makes me have a lot of faith in M$ patches, not that I had any to begin with.

    They are still working on a patch for this and do not know when it will be available. What a surprise!!

  6. #6
    Senior Member
    Join Date
    Jun 2003
    Posts
    723
    "how do we protect against this. Virus defs are already the latest and they didnt protect me. Is there something that I missed that could have protected me."

    Use a third party browser: www.mozilla.org. Mozilla Firebird is very fast and has many useful plugins; Mozilla is a little bloated but has many good features, plus it has a quite good security record. Personally I would not touch IE or Outlook Express.
    Do unto others as you would have them do unto you.
    The international ban against torturing prisoners of war does not necessarily apply to suspects detained in America's war on terror, Attorney General John Ashcroft told a Senate oversight committee
    -- true colors revealed, a brown shirt and jackboots

  7. #7
    Senior Member
    Join Date
    Jul 2003
    Posts
    217
    I agree that using another browser might prevent this, but the problem is when you are in the office and you are only allowed to install certain programs and Mozilla is not on the list. At home I don't use IE, but in the office I do not have a choice.

  8. #8
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    In the bulletin I referenced above M$ states:
    "Subsequent to issuing this security bulletin, Microsoft received reports that the patch provided with this bulletin does not properly correct the Object Type Vulnerability (CAN-2003-0532)"
    Later in the bulletin:
    "Microsoft is investigating these reports and will re-issue this bulletin with an updated patch that corrects these problems."
    I guess that is their way of saying they don't know how to fix it yet??
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  9. #9
    Senior Member Falcon21's Avatar
    Join Date
    Dec 2002
    Location
    Singapore
    Posts
    252
    Avant Browser is also quite good http://www.avantbrowser.com/
    You may wish to disable VB script using the tool below.

  10. #10
    Member
    Join Date
    May 2003
    Posts
    42
    Aren't virus defs updated after new viruses are discovered (that is, hit computers)???

    Cheers
    antisecurityboy
