-
October 3rd, 2003, 05:41 AM
#1
Latest trojan.qhosts
Some info I thought you might want to know about. This one got me, and I update my virus defs daily.
http://securityresponse.symantec.com...an.qhosts.html
Please see initial reports from Sophos;
At the time of writing Sophos has received no reports from users affected by
this trojan. However, we have issued this advisory following enquiries to
our support department from customers.
Description
Troj/Qhosts-1 is a Trojan that changes the Windows primary DNS server
setting so that all infected machines use the same host for the DNS queries.
If the number of infected computers is high, it may effectively launch a
denial of service attack on the DNS server.
Troj/Qhosts-1 also "hijacks" Internet Explorer browser usage so that web
requests are redirected to the server chosen by the Trojan writer. The Trojan
is installed and run if a user visits a web page that exploits a
vulnerability in Internet Explorer. A VB script embedded in the web page is
run automatically when the page is viewed using Internet Explorer.
The VB script drops the file aolfix.exe into the user's temporary folder and runs it.
Aolfix.exe is a Windows batch file that is converted to the Windows binary
executable using the demo version of the Batch file Compiler V5.1 utility.
Aolfix.exe creates a hidden folder bdtmp\tmp, extracts a batch file with a
random name and runs the batch file.
The batch file creates several files in the Windows folder. The file Hosts
is responsible for the Internet Explorer "hijack". Troj/Qhosts-1 copies the file
HOSTS into the folder <Windows>\Help and appends the original HOSTS file to
it.
The Trojan changes the registry values
HKLM\System\ControlSet001\Services\Tcpip\Parameters\DataBasePath and
HKLM\System\ControlSet002\Services\Tcpip\Parameters\DataBasePath
so that the Trojan copy of the HOSTS file is used by the system. There are
a few known variants of the Trojan. Depending on the variant the Trojan may
set some other registry values, such as
HKLM\System\CurrentControlSet\Services\VxD\MSTCP
EnableDNS = 1
NameServer = 216.127.92.38 or 69.57.146.14, 69.57.147.175
Hostname = "host"
Domain= "mydomain.com"
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable= 00000000
MigrateProxy=00000000
HKCU\Software\Microsoft\Internet Explorer\Main
Use Search Asst=no
Search Page= http://www.google.com
Search Bar=http://www.google.com/ie
HKCU\Software\Microsoft\Internet Explorer\SearchURL
""="http://www.google.com/keyword/
provider=gogl
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search
SearchAssistant=http://www.google.com/ie
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\interfaces\windows
r0x=your s0x
HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\interfaces\windows
r0x=your s0x
Some of the variants drop and run VB script o.vbs into the Windows folder.
The script attempts to use Windows Management Instrumentation to change the
primary DNS server setting for the network interface.
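The write-up above gives three places to look on a suspect machine: the DataBasePath values under each ControlSet's Tcpip\Parameters (which is how Windows gets pointed at the Trojan's HOSTS copy), the NameServer / r0x values it may set, and the relocated HOSTS file itself. The following is an added example, not code from Sophos, Symantec or the original poster: a small offline triage script that parses a `reg export` dump of those keys plus a copy of the HOSTS file and reports the indicators the write-up lists. The sample registry export and HOSTS content are constructed; 192.0.2.10 is a documentation address standing in for whatever server the Trojan actually redirected to.

```python
"""Offline triage for the Troj/Qhosts-1 indicators described in the Sophos text.

Added example (not from the Sophos/Symantec write-ups). It parses a `reg export`
dump of the Tcpip / MSTCP keys and a copy of the HOSTS file and reports the
registry values and host mappings the write-up associates with the Trojan.
The sample inputs at the bottom are constructed for illustration.
"""
import re

# Default location of HOSTS. DataBasePath pointing anywhere else is the
# mechanism the Trojan uses to make Windows read its own copy instead.
NORMAL_DATABASEPATH = r"%systemroot%\system32\drivers\etc"

# Name servers the write-up lists for the known variants.
KNOWN_BAD_NAMESERVERS = {"216.127.92.38", "69.57.146.14", "69.57.147.175"}

# Marker value the Trojan writes under Tcpip\Parameters\Interfaces\windows.
MARKER_NAME, MARKER_VALUE = "r0x", "your s0x"

LOOPBACK = {"127.0.0.1", "::1"}


def _logical_lines(text):
    """Re-join `reg export` continuation lines (a trailing backslash)."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1].strip()
            continue
        yield pending + line
        pending = ""


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}}.

    Handles the encodings that matter here: "string", dword:xxxxxxxx, and
    hex(2): (REG_EXPAND_SZ as UTF-16LE bytes, which is how DataBasePath is
    normally stored and therefore how `reg export` writes it)."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")   # undo .reg escaping
            elif data.lower().startswith("dword:"):
                data = int(data[6:], 16)
            elif data.lower().startswith("hex(2):"):
                raw = bytes(int(b, 16) for b in data[7:].split(",") if b)
                data = raw.decode("utf-16-le").rstrip("\x00")
            keys[current][name] = data
    return keys


def check_registry(keys):
    """Return findings for DataBasePath, the r0x marker and NameServer."""
    findings = []
    for path, values in keys.items():
        lp = path.lower()
        if lp.endswith(r"\services\tcpip\parameters"):
            dbp = values.get("DataBasePath")
            if dbp is not None and str(dbp).lower().rstrip("\\") != NORMAL_DATABASEPATH:
                findings.append(f"{path}: DataBasePath = {str(dbp)!r}")
        elif lp.endswith(r"\services\tcpip\parameters\interfaces\windows"):
            if values.get(MARKER_NAME) == MARKER_VALUE:
                findings.append(f"{path}: marker {MARKER_NAME}={MARKER_VALUE!r}")
        elif lp.endswith(r"\services\vxd\mstcp"):
            raw = str(values.get("NameServer", ""))
            servers = {s for s in re.split(r"[ ,]+", raw) if s}
            for bad in sorted(servers & KNOWN_BAD_NAMESERVERS):
                findings.append(f"{path}: NameServer includes {bad}")
    return findings


def check_hosts(text):
    """Report every HOSTS mapping that is not loopback. A stock HOSTS file has
    only `127.0.0.1 localhost`, so anything else deserves a look."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if addr not in LOOPBACK:
            findings.append(f"HOSTS: {' '.join(names)} -> {addr}")
    return findings


def triage(reg_text, hosts_text):
    """Combine registry and HOSTS findings; an empty list means nothing seen."""
    return check_registry(parse_reg_export(reg_text)) + check_hosts(hosts_text)


# Constructed sample of `reg export` output from an infected machine.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters]
"DataBasePath"="C:\\WINDOWS\\Help"
"Hostname"="host"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters]
"DataBasePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,\
  57,00,53,00,5c,00,48,00,65,00,6c,00,70,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\windows]
"r0x"="your s0x"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VxD\MSTCP]
"EnableDNS"="1"
"NameServer"="69.57.146.14,69.57.147.175"
"""

# Constructed HOSTS as the Trojan would leave it (192.0.2.10 is a placeholder).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.0.2.10      www.google.com
192.0.2.10      google.com
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG_EXPORT, SAMPLE_HOSTS):
        print(finding)
```

To use it on a real box, collect the keys with `reg export "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" tcpip.reg` (and the same for ControlSet001/002 and the Interfaces and VxD\MSTCP keys the write-up names), then feed the HOSTS file from wherever DataBasePath points, for example <Windows>\Help; the copy still sitting in drivers\etc may be untouched and will look clean.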
-
October 3rd, 2003, 06:28 AM
#2
Thanks for the update on this one..... I keep my virus defs as up-to-date as possible (AVG Free) and I was hit by this as well.... Confused the hell outta me for a lil bit, and then I browsed to Google using the IP and ran a search at the same time that you threw up this thread. It's definitely a dirty lil bugger; caused a whole shitload of problems for me since Google is my main reference.
-
October 3rd, 2003, 07:12 AM
#3
Since I am not the only one infected, I guess my config seems to be quite standard. I was wondering, how do we protect against this? Virus defs are already the latest and they didn't protect me. Is there something that I missed that could have protected me? The infection was from a website. AV didn't pick it up. If anyone says to stop surfing I'm gonna kick their a$$.....LOL..
Just would like some opinions.
-
October 3rd, 2003, 07:25 AM
#4
Also, from Trend Micro:
TROJ_QHOSTS.A Technical Details
A link therein provides the following M$ security bulletin:
Microsoft Security Bulletin MS03-032
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
-
October 3rd, 2003, 07:43 AM
#5
Just another article about this. Looks like another hole we have to patch.
http://asia.cnet.com/newstech/securi...9153314,00.htm
The M$ security bulletin's claim that the Cumulative Patch for Internet Explorer (822925) solves this problem is not true, as you can read in the article I have linked to above. The patch was supposed to solve the problem, but M$ recently realised that it doesn't.
Sure makes me have a lot of faith in M$ patches, not that I had any to begin with.
They are still working on a patch for this and do not know when it will be available. What a surprise!!
-
October 3rd, 2003, 07:45 AM
#6
"how do we protect against this. Virus defs are already the latest and they didnt protect me. Is there something that I missed that could have protected me."
Use a third-party browser: www.mozilla.org. Mozilla Firebird is very fast and has many useful plugins; Mozilla is a little bloated but has many good features, plus it has a quite good security record. Personally I would not touch IE or Outlook Express.
Do unto others as you would have them do unto you.
The international ban against torturing prisoners of war does not necessarily apply to suspects detained in America\'s war on terror, Attorney General John Ashcroft told a Senate oversight committee
-- true colors revealed, a brown shirt and jackboots
-
October 3rd, 2003, 07:50 AM
#7
I agree that using another browser might prevent this, but the problem is when you are in the office and you are only allowed to install certain programs, and Mozilla is not on the list. At home I don't use IE, but in the office I do not have a choice.
-
October 3rd, 2003, 08:26 AM
#8
In the bulletin I referenced above, M$ states:
Subsequent to issuing this security bulletin, Microsoft received reports that the patch provided with this bulletin does not properly correct the Object Type Vulnerability (CAN-2003-0532)
Later in the bulletin:
Microsoft is investigating these reports and will re-issue this bulletin with an updated patch that corrects these problems.
I guess that is their way of saying they don't know how to fix it yet??
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
-
October 3rd, 2003, 08:52 AM
#9
Avant Browser is also quite good http://www.avantbrowser.com/
You may wish to disable VB script using the tool below.
-
October 3rd, 2003, 09:17 AM
#10
Aren't virus defs updated after new viruses are discovered (that is, hit computers)???
Cheers