QHosts-1
- Type: Trojan
- SubType: -
- Discovery Date: 09/29/2003
- Length: Varies
- Minimum DAT: 4296 (10/01/2003)
- Updated DAT: 4333 (03/03/2004)
- Minimum Engine: 5.1.00
- Description Added: 10/01/2003
- Description Modified: 10/03/2003 8:49 PM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Characteristics
-- Update - 10/02/2003 --
Microsoft has released a patch for the vulnerability exploited by QHosts-1. See: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-040.asp
-- Update - 10/02/2003 --
This trojan has been reclassified as Low-Profiled due to media attention at: http://www.cbronline.com/latestnews/a7aa802c3a25406d80256db30018c17b
The purpose of this trojan is to "hijack" browser use. When page requests are made, they are rerouted to specified Domain Name Servers. This allows a remote "administrator" to direct users to the pages of their choosing. For example, if an infected user attempted to navigate to http://www.google.com, they would be routed to a different site.
This trojan is responsible for the strange DNS changes recently reported on NTBUGTRAQ. The trojan operates as follows:
- A user is directed to a web site that contains Exploit-ObjectData code, which allows the automatic execution of VBScript contained in an HTML Application file (x.hta). NOTE: The MS03-032 patch does not protect against this attack vector; MS03-040 is required.
- This VBScript drops the file AOLFIX.EXE in the %TEMP% directory.
- The dropped AOLFIX.EXE is run and may perform different tasks (several variants are known to exist).
- The VBScript creates the file O.BAT, which cleans up after the trojan by deleting the dropped AOLFIX.EXE file and O.BAT itself.
Symptoms
System changes include:
- A file named HOSTS is created in the %WinDir%\Help directory, redirecting popular search URLs (such as google.com, altavista.com, etc.) to the IP address 207.44.220.30. Note: this is not the default path to the HOSTS file; the following registry value is created to change the HOSTS path:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters "DataBasePath" = %SystemRoot%\help
- Configuring DNS servers to use different IP addresses, such as:
- 69.57.146.14
- 69.57.147.175
- The creation of the following registry value:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows "r0x" = your s0x
- A marker file named winlog is created in the Windows directory
- A temp directory is created and left behind by the trojan:
- c:\bdtmp\tmp
Several Internet Explorer registry entries are changed/created:
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Search Bar" = http://www.google.com/ie
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use Search Asst" = no
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl "(Default)" = http://www.google.com/keyword/%s
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Search Page" = http://www.google.com
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl "provider" = gogl
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search "SearchAssistant" = http://www.google.com/ie
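The symptoms above can be checked on a host in one pass. The following is an added PowerShell example, not part of the original advisory or any McAfee tool; the registry paths, file names and IP addresses are the ones the advisory lists, while the script structure and output format are my own. It reads whichever HOSTS file is actually in effect (via DataBasePath), so a HOSTS file moved to %SystemRoot%\help is not missed.

```powershell
# Added example: scan a Windows host for the QHosts-1 indicators listed in the advisory.
# Indicator values come from the advisory; everything else is assumed/constructed.
$tcpip    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$expected = Join-Path $env:SystemRoot 'System32\drivers\etc'   # default HOSTS location
$findings = @()

# 1. HOSTS path: QHosts-1 repoints DataBasePath at %SystemRoot%\help.
#    Get-ItemProperty expands REG_EXPAND_SZ, so compare expanded paths.
$dbPath = (Get-ItemProperty -Path $tcpip -Name DataBasePath -ErrorAction SilentlyContinue).DataBasePath
$effective = if ($dbPath) { [Environment]::ExpandEnvironmentVariables($dbPath) } else { $expected }
if ($effective -ne $expected) {
    $findings += "DataBasePath is '$effective' (expected '$expected')"
}

# 2. Entries in the effective HOSTS file that point at the advisory's redirect IP.
$hostsFile = Join-Path $effective 'hosts'
if (Test-Path $hostsFile) {
    Get-Content $hostsFile | Where-Object { $_ -match '^\s*207\.44\.220\.30\s' } |
        ForEach-Object { $findings += "HOSTS entry to 207.44.220.30: $($_.Trim())" }
}

# 3. The "r0x" marker value under Interfaces\windows.
if (Get-ItemProperty -Path "$tcpip\Interfaces\windows" -Name r0x -ErrorAction SilentlyContinue) {
    $findings += 'marker value "r0x" present under Tcpip\Parameters\Interfaces\windows'
}

# 4. Dropped files and the leftover temp directory.
foreach ($p in @("$env:WINDIR\Help\hosts", "$env:WINDIR\winlog", 'C:\bdtmp\tmp')) {
    if (Test-Path $p) { $findings += "artifact present: $p" }
}

# 5. Per-interface DNS servers matching the advisory's addresses.
$badDns = @('69.57.146.14', '69.57.147.175')
Get-ChildItem "$tcpip\Interfaces" -ErrorAction SilentlyContinue | ForEach-Object {
    $ns = (Get-ItemProperty $_.PSPath -Name NameServer -ErrorAction SilentlyContinue).NameServer
    if ($ns) {
        foreach ($ip in ($ns -split '[ ,]+')) {
            if ($badDns -contains $ip) { $findings += "interface $($_.PSChildName) uses DNS $ip" }
        }
    }
}

if ($findings.Count -eq 0) { 'No QHosts-1 indicators found.' } else { $findings }
```

Run it from an elevated prompt so the HKLM keys and %WinDir% paths are readable; any line of output is an indicator to investigate before applying the removal steps below.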
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.
A popup ad at http://www.fortunecity.com/
Removal
All Windows Users:
Use current engine and DAT files for detection and removal. This will delete the dropped HOSTS file as well as any remaining AOLFIX.EXE files.
Manual Removal Instructions
- Apply the MS03-040 patch
- Delete the following files:
- %WinDir%\Help\hosts
- %WinDir%\winlog
- Set the following registry value:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters "DataBasePath" = %SystemRoot%\System32\drivers\etc
- Delete the following registry value:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows "r0x"
- Reconfigure your DNS server settings as desired
- Reconfigure your Internet Explorer settings as desired
Variants
N/A
Overview
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Aliases
- QHosts-1.dr