QHosts-2

Type: Trojan
SubType: -
Discovery Date: 12/08/2003
Length: 45,056 bytes
Minimum DAT: 4309 (12/17/2003)
Updated DAT: 5478 (12/29/2008)
Minimum Engine: 5.1.00
Description Added: 12/22/2003
Description Modified: 12/22/2003 1:33 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

The QHosts trojan designation covers trojans that, among other things, make changes to the system HOSTS file, to redirect domain name resolution to specified IP addresses.  Typically this is to generate more traffic to a particular website, in some cases to increase the number of impressions for advertisers.

The QHosts-2 trojan was being deployed from a malicious web page, exploiting an unpatched Codebase/MHTML redirection vulnerability in Internet Explorer.  These pages are detected as Exploit-CodeBase by up-to-date McAfee antivirus products.

When a victim accesses a malicious web page, the Downloader-FU trojan is automatically downloaded and executed, seen with the filename payloadexe.exe.  This trojan downloads the file easywww.exe to c:\windows\easywww.exe and executes it.  This downloaded file is the QHosts-2 trojan.

When run, the QHosts-2 trojan creates a registry run key to load itself at system startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "easywww"

The trojan connects to a remote site to retrieve instructions on which system changes to make, such as:

  • Setting for Internet Explorer's search bar
  • Modifications for the system HOSTS file
  • Remote file to download and execute

At the time of this writing, the following settings are present:

  • The search bar is changed to http://searchbar.findthewebsiteyouneed.com
  • The hosts file is updated from http://www.dotcomtoolbar.com/hosts with the entry "213.222.11.11 auto.search.msn.com"
  • Files are downloaded from http://www.dotcomtoolbar.com; these files are detected as the Spyware-DCToolbar application
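The HOSTS redirection and the Run key entry listed above are the two host-based indicators a responder can check without running the sample. The following is an added example (not McAfee's code or the trojan's) that parses HOSTS file text and a snapshot of the Run key values, both supplied as constructed data so it runs offline, and reports any entry matching the advisory's indicators; the sample HOSTS content and the `ctfmon.exe` run value are assumptions for illustration.

```python
"""Check HOSTS text and Run-key values for the QHosts-2 indicators."""

# Indicators taken from the advisory: the injected hosts entry and the
# run value name / executable used for startup persistence.
QHOSTS2_HOSTS_ENTRY = ("213.222.11.11", "auto.search.msn.com")
RUN_VALUE_NAME = "easywww"
RUN_EXE_NAME = "easywww.exe"
LOCAL_IPS = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from HOSTS text, ignoring comments and
    blank lines.  One address line may list several hostnames."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries


def find_hosts_redirections(text):
    """Entries that map a name to a non-local address.  A clean HOSTS file
    only maps localhost; anything else overrides DNS for that name, which
    is exactly the QHosts behaviour."""
    return [(ip, name) for ip, name in parse_hosts(text) if ip not in LOCAL_IPS]


def find_run_key_indicators(run_values):
    """run_values: {value name: command} as read from HKLM\\...\\Run."""
    return [(name, cmd) for name, cmd in run_values.items()
            if name.lower() == RUN_VALUE_NAME or RUN_EXE_NAME in cmd.lower()]


def assess(hosts_text, run_values):
    """Combine both checks into one verdict for the host."""
    redirections = find_hosts_redirections(hosts_text)
    known = [e for e in redirections if e == QHOSTS2_HOSTS_ENTRY]
    run_hits = find_run_key_indicators(run_values)
    return {"redirections": redirections, "qhosts2_entry": known,
            "run_key": run_hits, "infected": bool(known or run_hits)}


# Constructed sample data modelled on the advisory's indicators.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
213.222.11.11   auto.search.msn.com   # injected entry
"""
SAMPLE_RUN = {"easywww": "c:\\windows\\easywww.exe",
              "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe"}

if __name__ == "__main__":
    print(assess(SAMPLE_HOSTS, SAMPLE_RUN))
```

On a live Windows system the HOSTS text would be read from %SystemRoot%\system32\drivers\etc\hosts and the run values from the Run key named above.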

Symptoms

- Presence of the files mentioned above.
- Presence of the Downloader-FU trojan, Exploit-CodeBase trojan, or Spyware-DCToolbar application

Method of Infection

This trojan is being deployed via an exploit targeting Internet Explorer.  Disabling active scripting on the Internet Zone is a prudent course of action.  Blocking access to easywww.info and 213.222.11.11 is recommended.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Variants

N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
