Qhosts.apd

Type
Trojan
SubType
Parasitic
Discovery Date
04/28/2004
Length
~1112 bytes
Minimum DAT
4352 (04/21/2004)
Updated DAT
4589 (09/23/2005)
Minimum Engine
5.1.00
Description Added
04/28/2004
Description Modified
06/14/2004 8:25 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

--Update 6th May, 2004--

There has been an increase in detections of this file reported to AVERT recently. The cause is new variants of W32/Gaobot.worm that exploit the MS04-011 LSASS vulnerability (CAN-2003-0533); the modified HOSTS file is dropped when the worm executes. Most of these worms are stealthy and are not visible in the service and process lists.

--
This is a detection for a modified HOSTS file.

This file is normally used by Windows to resolve a hostname to an IP address. Before querying DNS (and WINS, for NetBIOS names), Windows consults the HOSTS file, which normally lives in C:\WINDOWS\SYSTEM32\DRIVERS\ETC; an entry found there takes precedence over the network lookup, so whoever can write the file controls name resolution for the listed hosts on that machine.

Many worms and their variants, such as W32/Polybot.gen!irc and W32/Gaobot.worm, overwrite the HOSTS file with a modified version that maps a list of security-vendor hostnames to 127.0.0.1 (localhost).

Because all traffic for those hostnames is sent to localhost, the user cannot browse to the web site of his or her AV or security software vendor, and many AV products are unable to download updates.

Please note: you should see QHosts.apd identified in your VirusScan logs at the same time as other detection names, for example W32/Gaobot.worm.gen. If no such companion detection appears in the log, and/or QHosts.apd is repeatedly detected on your machine, you are probably infected with a new, as yet undetected variant of a network worm. Submit any suspicious programs running at that time to AVERT for analysis.

Symptoms

These hostnames are redirected to the localhost (127.0.0.1):

  • www.symantec.com
  • securityresponse.symantec.com
  • symantec.com
  • www.sophos.com
  • sophos.com
  • www.mcafee.com
  • mcafee.com
  • liveupdate.symantecliveupdate.com
  • www.viruslist.com
  • viruslist.com
  • f-secure.com
  • www.f-secure.com
  • kaspersky.com
  • kaspersky-labs.com
  • www.avp.com
  • www.kaspersky.com
  • avp.com
  • www.networkassociates.com
  • networkassociates.com
  • www.ca.com
  • ca.com
  • mast.mcafee.com
  • my-etrust.com
  • www.my-etrust.com
  • download.mcafee.com
  • dispatch.mcafee.com
  • secure.nai.com
  • nai.com
  • www.nai.com
  • update.symantec.com
  • updates.symantec.com
  • us.mcafee.com
  • liveupdate.symantec.com
  • customer.symantec.com
  • rads.mcafee.com
  • trendmicro.com
  • www.trendmicro.com
  • www.grisoft.com

Method of Infection

This file can be dropped by trojans or worms such as W32/Polybot.gen!irc or W32/Gaobot.worm.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully if cleaning with the recommended engine and DAT combination (or higher).
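The mechanism described under Characteristics (a HOSTS entry overriding the DNS lookup for a name) and the manual check a responder wants alongside the DAT-based cleanup above, as an added example that is not McAfee's tool or part of this description: the Python script below parses a HOSTS file in Windows syntax, flags any of the vendor hostnames listed under Symptoms, distinguishes sinkholing to loopback from redirection to some other address, and produces a cleaned copy that keeps comments and legitimate entries. The HOSTS content is a constructed sample, not a captured one; on a live machine you would read %SystemRoot%\System32\drivers\etc\hosts instead. Python is used so the check runs offline on any platform.

```python
import ipaddress

# Hostnames from the Symptoms list on this page. A stock HOSTS file never
# mentions any of them, so any mapping at all is suspicious.
VENDOR_HOSTS = frozenset({
    "www.symantec.com", "securityresponse.symantec.com", "symantec.com",
    "www.sophos.com", "sophos.com", "www.mcafee.com", "mcafee.com",
    "liveupdate.symantecliveupdate.com", "www.viruslist.com", "viruslist.com",
    "f-secure.com", "www.f-secure.com", "kaspersky.com", "kaspersky-labs.com",
    "www.avp.com", "www.kaspersky.com", "avp.com", "www.networkassociates.com",
    "networkassociates.com", "www.ca.com", "ca.com", "mast.mcafee.com",
    "my-etrust.com", "www.my-etrust.com", "download.mcafee.com",
    "dispatch.mcafee.com", "secure.nai.com", "nai.com", "www.nai.com",
    "update.symantec.com", "updates.symantec.com", "us.mcafee.com",
    "liveupdate.symantec.com", "customer.symantec.com", "rads.mcafee.com",
    "trendmicro.com", "www.trendmicro.com", "www.grisoft.com",
})

# Constructed sample (not a captured file): a normal localhost entry, the
# Qhosts.apd pattern, one IPv6 sinkhole, one redirection, one unrelated entry.
SAMPLE_HOSTS = """\
# Constructed sample HOSTS file for illustration.
# Lines starting with '#' are comments.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantec.com update.symantec.com
127.0.0.1       WWW.MCAFEE.COM
::1             download.mcafee.com
10.0.0.5        www.sophos.com      # redirected rather than blocked
192.168.1.20    intranet.example    # unrelated, legitimate entry
"""


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for each mapping line.

    HOSTS syntax: an IP address, whitespace, one or more hostnames; '#'
    starts a comment. Blank, comment-only and malformed lines are skipped
    (Windows ignores malformed lines too). Names are lower-cased because
    resolution is case-insensitive.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.partition("#")[0].split()
        if len(fields) >= 2:
            yield line_no, fields[0], [h.lower() for h in fields[1:]]


def is_sinkhole(ip):
    """True for targets that make a host unreachable: loopback or 0.0.0.0/::."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def find_hijacks(text, vendor_hosts=VENDOR_HOSTS):
    """Return (line_no, ip, hostname, reason) for every vendor-host mapping.

    A sinkhole target is the Qhosts.apd behaviour (vendor sites and update
    servers silently fail). Any other target means the name has been
    redirected to a host of the attacker's choosing, which is worse.
    """
    findings = []
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            if name in vendor_hosts:
                reason = "blocked" if is_sinkhole(ip) else "redirected to " + ip
                findings.append((line_no, ip, name, reason))
    return findings


def clean_hosts(text, vendor_hosts=VENDOR_HOSTS):
    """Return HOSTS text with vendor-host mappings removed.

    Other names on the same line survive; a line that loses all its names is
    dropped. Comment lines and legitimate entries are passed through verbatim.
    """
    out = []
    for raw in text.splitlines():
        code, sep, comment = raw.partition("#")
        fields = code.split()
        if len(fields) < 2:
            out.append(raw)          # blank, comment-only or malformed
            continue
        keep = [h for h in fields[1:] if h.lower() not in vendor_hosts]
        if len(keep) == len(fields) - 1:
            out.append(raw)          # nothing to remove
            continue
        if not keep:
            continue                 # whole line was hijack entries
        rebuilt = fields[0] + "\t" + " ".join(keep)
        if sep:
            rebuilt += "\t#" + comment
        out.append(rebuilt)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for line_no, ip, name, reason in find_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip} ({reason})")
    print(clean_hosts(SAMPLE_HOSTS))
```

The redirection case matters in practice: an entry pointing a vendor's update server at a non-loopback address would not stop updates, it would fetch them from wherever the attacker chose, so a responder should treat "redirected" findings as more urgent than "blocked" ones. Replacing the file on a live system needs administrative rights, and the worm that wrote it will rewrite it until the worm itself is removed, which is why the description above pairs this detection with the engine and DAT cleanup.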

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
