Generic QHosts.b
- Type: Trojan
- SubType: Win32
- Discovery Date: 11/10/2004
- Length: various
- Minimum DAT: 4406 (11/10/2004)
- Updated DAT: 6513 (10/28/2011)
- Minimum Engine: 5.4.00
- Description Added: 11/10/2004
- Description Modified: 03/25/2010 8:15 PM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Characteristics
-- Update March 26, 2010 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://isc.sans.org/diary.html?storyid=8482
--
Update 03/24/2010:
Some new versions related to W32/KoobFace will modify the hosts file to point to:
85.13.206.114 haksjdi262fsf.com
85.13.206.114 uuu20091124.info
85.13.206.114 u07012010u.com
--------------------------------------------------
This is a generic detection for trojans that modify the HOSTS file.
This file is normally used by Windows to resolve a hostname (such as the one in a URL) to an IP address. For performance reasons, Windows first looks in the HOSTS file (which normally exists in C:\WINDOWS\SYSTEM32\DRIVERS\ETC), and only if no matching entry is found does it try DNS and WINS to resolve the address; an entry in the HOSTS file therefore overrides DNS for that name.
Many trojans and worms overwrite the HOSTS file with a modified version. The corrupted HOSTS file contains a list of hostnames redirected to an invalid or local address such as 255.255.255.255 or 127.0.0.1.
Often this is used to redirect the updater component of antivirus software to an invalid address, thus preventing signature updates.
It can also be used to redirect the victim's browsing for a specific website (a search engine, for example) to a fake version of that website (pharming).
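One way to hunt for this tampering on a host, as an added example that is not part of this description: a small Python checker that parses HOSTS-format text and flags entries pointing at the invalid addresses named above, or pinning several names to one public address. The sample file and the *.example-av.invalid update-server names are constructed for illustration; the 85.13.206.114 entries are the ones listed in the update above.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of a tampered HOSTS file. The three 85.13.206.114 lines are
# the entries listed in this description; the *.example-av.invalid names are
# hypothetical placeholders for an AV vendor's update servers.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
255.255.255.255 update.example-av.invalid
127.0.0.1       liveupdate.example-av.invalid   # blocks signature updates
85.13.206.114   haksjdi262fsf.com
85.13.206.114   uuu20091124.info
85.13.206.114   u07012010u.com
"""
# Addresses the description names as typical "invalid" redirect targets, plus
# the names that legitimately map to loopback in a stock HOSTS file.
SINKHOLE_IPS = {"255.255.255.255", "127.0.0.1", "0.0.0.0"}
LOOPBACK_OK = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        for name in fields[1:]:
            yield fields[0], name.lower()


def suspicious_entries(text):
    """Return (reason, ip, hostname) tuples for trojan-style HOSTS entries:
    "sinkholed" = a name pointed at a loopback/invalid address (the AV update
    blocking trick); "pinned-public" = several names pinned to one public
    address (the KoobFace-related pattern above, used for pharming)."""
    findings, by_ip = [], defaultdict(list)
    for ip, name in parse_hosts(text):
        by_ip[ip].append(name)
        if ip in SINKHOLE_IPS and name not in LOOPBACK_OK:
            findings.append(("sinkholed", ip, name))
    for ip, names in by_ip.items():
        try:
            is_public = ipaddress.ip_address(ip).is_global
        except ValueError:
            continue  # malformed address field, not a valid HOSTS entry
        if is_public and len(names) >= 2:
            findings.extend(("pinned-public", ip, n) for n in names)
    return findings
```

On a live Windows system, read C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts and pass its contents to suspicious_entries; a clean stock file yields an empty list.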
Symptoms
Method of Infection
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A