Some info I thought you might want to know about. This one got me and I update my virus defs daily.

http://securityresponse.symantec.com...an.qhosts.html


Please see initial reports from Sophos;

At the time of writing Sophos has received no reports from users affected by
this trojan. However, we have issued this advisory following enquiries to
our support department from customers.


Description
Troj/Qhosts-1 is a Trojan that changes the Windows primary DNS server
setting so that all infected machines use the same host for the DNS queries.
If the number of infected computers is high, it may effectively launch a
denial of service attack on the DNS server.
Troj/Qhosts-1 also "hijacks" Internet Explorer browser usage so that web
requests are redirected to the server chosen by the Trojan writer. The Trojan
is installed and run if a user visits a web page that exploits a
vulnerability in Internet Explorer. A VB script embedded in the web page is
run automatically when the page is viewed using Internet Explorer.

The VB script drops and runs file aolfix.exe to the user's temporary folder.
Aolfix.exe is a Windows batch file that is converted to the Windows binary
executable using the demo version of the Batch file Compiler V5.1 utility.
Aolfix.exe creates a hidden folder bdtmp\tmp, extracts a batch file with a
random name and runs the batch file.

The batch file creates several files in the Windows folder. The file Hosts
is responsible for Internet Explorer "hijack". Troj/Qhosts-1 copies the file
HOSTS into the folder <Windows>\Help and appends the original HOST file to
it.

The Trojan changes the registry values

HKLM\System\ControlSet001\Services\Tcpip\Parameters\DataBasePath and
HKLM\System\ControlSet002\Services\Tcpip\Parameters\DataBasePath

so that the Trojan copy of the HOSTS files is used by the system. There are
few known variants of the Trojan. Depending on the variant the Trojan may
set some other registry values, such as

HKLM\System\CurrentControlSet\Services\VxD\MSTCP
EnableDNS = 1
NameServer = 216.127.92.38 or 69.57.146.14, 69.57.147.175
Hostname = "host"
Domain= "mydomain.com"

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable= 00000000
MigrateProxy=00000000
HKCU\Software\Microsoft\Internet Explorer\Main
Use Search Asst=no
Search Page= http://www.google.com
Search Bar=http://www.google.com/ie

HKCU\Software\Microsoft\Internet Explorer\SearchURL
""="http://www.google.com/keyword/
provider=gogl

HKLM\SOFTWARE\Microsoft\Internet Explorer\Search
SearchAssistant=http://www.google.com/ie

HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\interfaces\windows
r0x=your s0x
HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\interfaces\windows
r0x=your s0x

Some of the variants drop and run VB script o.vbs into the Windows folder.
The script attempts to use Windows Management Instrumentation to change the
primary DNS server setting for the network interface.
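
A triage check for the registry changes listed in the advisory, as an added example that is not part of the original post or of the Sophos text. It assumes the keys were dumped with `reg query` (tab- or space-separated columns) and that the stock DataBasePath is `%SystemRoot%\System32\drivers\etc`; the function names, the `windir` parameter and the sample dump are constructed for illustration.

```python
import re

# Stock hosts directory on NT-based Windows (an assumption, not from the advisory).
DEFAULT_DBPATH = r"%systemroot%\system32\drivers\etc"
# DNS servers the advisory lists under the MSTCP NameServer value.
ADVISORY_DNS = {"216.127.92.38", "69.57.146.14", "69.57.147.175"}
# One value line of `reg query` output: name, type, data.
VALUE_RE = re.compile(r"^\s+(\S.*?)(?:\t+| {2,})(REG_\w+)(?:\t+| {2,})(.*)$")

def parse_reg_query(text):
    """Parse `reg query` output into {key_lower: {value_name_lower: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip().lower(), {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                current[m.group(1).lower()] = m.group(3).strip()
    return keys

def qhosts_findings(text, windir=r"C:\WINDOWS"):
    """Return (check, key, data) tuples for values matching the advisory."""
    findings = []
    for key, values in parse_reg_query(text).items():
        if key.endswith(r"services\tcpip\parameters") and "databasepath" in values:
            # Normalise an expanded path back to %SystemRoot% before comparing.
            path = values["databasepath"].lower().replace(windir.lower(), "%systemroot%")
            if path.rstrip("\\") != DEFAULT_DBPATH:
                findings.append(("DataBasePath", key, values["databasepath"]))
        if key.endswith(r"services\vxd\mstcp") and "nameserver" in values:
            servers = set(re.split(r"[,\s]+", values["nameserver"].strip()))
            hits = sorted(servers & ADVISORY_DNS)
            if hits:
                findings.append(("NameServer", key, ",".join(hits)))
    return findings

# Constructed sample dump: one redirected control set, one untouched, one DNS change.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    DataBasePath    REG_EXPAND_SZ    %SystemRoot%\help

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters
    DataBasePath    REG_EXPAND_SZ    %SystemRoot%\System32\drivers\etc

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP
    NameServer    REG_SZ    69.57.146.14,69.57.147.175
"""

if __name__ == "__main__":
    for finding in qhosts_findings(SAMPLE):
        print(finding)
```

A DataBasePath finding means the system is resolving names from a hosts file outside the stock directory, so that file should be inspected before the value is reset.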