October 3rd, 2003, 05:41 AM
Some info I thought you might want to know about. This one got me, and I update my virus defs daily.
Please see the initial reports from Sophos:
At the time of writing Sophos has received no reports from users affected by
this trojan. However, we have issued this advisory following enquiries to
our support department from customers.
Troj/Qhosts-1 is a Trojan that changes the Windows primary DNS server
setting so that all infected machines use the same host for the DNS queries.
If the number of infected computers is high, it may effectively launch a
denial of service attack on the DNS server.
Troj/Qhosts-1 also "hijacks" Internet Explorer browser usage so that web
requests are redirected to the server chosen by the Trojan writer. The Trojan
is installed and run if a user visits a web page that exploits a
vulnerability in Internet Explorer. A VB script embedded in the web page is
run automatically when the page is viewed using Internet Explorer.
The VB script drops and runs the file aolfix.exe in the user's temporary folder.
Aolfix.exe is a Windows batch file converted to a Windows binary
executable using the demo version of the Batch file Compiler V5.1 utility.
Aolfix.exe creates a hidden folder bdtmp\tmp, extracts a batch file with a
random name and runs the batch file.
The batch file creates several files in the Windows folder. The file Hosts
is responsible for the Internet Explorer "hijack". Troj/Qhosts-1 copies the file
HOSTS into the folder <Windows>\Help and appends the original HOSTS file to
The Trojan changes the registry values
so that the Trojan copy of the HOSTS files is used by the system. There are
a few known variants of the Trojan. Depending on the variant, the Trojan may
set some other registry values, such as
EnableDNS = 1
NameServer = 220.127.116.11 or 18.104.22.168, 22.214.171.124
Hostname = "host"
Use Search Asst=no
Search Page= http://www.google.com
Some of the variants drop and run the VB script o.vbs into the Windows folder.
The script attempts to use Windows Management Instrumentation to change the
primary DNS server setting for the network interface.
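An added read-only check for the settings the advisory describes, written for this post and not taken from Sophos or the original poster. The registry paths (Tcpip\Parameters, Internet Explorer\Main) and the default HOSTS directory are assumed from the standard Windows layout; the advisory itself only names the value names.

```powershell
# Added example: report the HOSTS redirection, DNS and IE settings that
# Troj/Qhosts-1 is described as changing. Nothing here modifies the system.
# Registry paths and the default HOSTS location are assumptions, not from
# the advisory.
$findings = @()
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$ie    = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$defaultHostsDir = Join-Path $env:SystemRoot 'System32\drivers\etc'

# 1. Where the resolver looks for HOSTS: the Trojan repoints this at its own copy.
$p = Get-ItemProperty -Path $tcpip -ErrorAction SilentlyContinue
$expanded = [Environment]::ExpandEnvironmentVariables("$($p.DataBasePath)")
if ($expanded -and ($expanded.TrimEnd('\') -ne $defaultHostsDir)) {
    $findings += "DataBasePath is '$($p.DataBasePath)', expected '$defaultHostsDir'"
}

# 2. A HOSTS file under <Windows>\Help is the drop location named above.
$helpHosts = Join-Path $env:SystemRoot 'Help\HOSTS'
if (Test-Path $helpHosts) { $findings += "Unexpected HOSTS file at $helpHosts" }

# 3. Static DNS values (EnableDNS / NameServer) and the "host" Hostname value.
if ($p.EnableDNS)  { $findings += "Tcpip\Parameters EnableDNS = $($p.EnableDNS)" }
if ($p.NameServer) { $findings += "Tcpip\Parameters NameServer = '$($p.NameServer)' (verify it is yours)" }
if ($p.Hostname -eq 'host') { $findings += "Tcpip\Parameters Hostname is 'host'" }

# 4. Per-adapter DNS servers, the setting o.vbs changes through WMI.
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
  ForEach-Object {
    if ($_.DNSServerSearchOrder) {
        $findings += "$($_.Description): DNS = $($_.DNSServerSearchOrder -join ', ')"
    }
  }

# 5. The Internet Explorer search values the advisory lists.
$iep = Get-ItemProperty -Path $ie -ErrorAction SilentlyContinue
foreach ($name in 'Use Search Asst', 'Search Page') {
    if ($iep.$name) { $findings += "IE Main '$name' = '$($iep.$name)'" }
}

if ($findings.Count -eq 0) { 'No Qhosts-style settings found.' } else { $findings }
```

Item 4 lists every adapter's DNS servers rather than judging them, since only the administrator knows which resolvers are legitimate on a given machine.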