QHosts-113

Type: Trojan
SubType: -
Discovery Date: 11/13/2008
Length: varies
Minimum DAT: 5430 (11/10/2008)
Updated DAT: 5437 (11/17/2008)
Minimum Engine: 5.2.00
Description Added: 11/13/2008
Description Modified: 11/18/2008 4:02 AM (PT)
Risk Assessment:
    Corporate User: Low
    Home User: Low

Characteristics

Upon execution, the Trojan modifies the hosts file at the following location:

%System%\drivers\etc\hosts
where %System% is C:\WINDOWS\system32

The modified hosts file will contain a list of hostnames redirected to the localhost IP address 127.0.0.1.

Often this is used to redirect the victim's browsing to a specific website and to prevent users from downloading updates. In this case it redirects all security vendor websites, including their signature update sites, to localhost, thereby denying the updates.

The modified hosts file will be as below:

127.0.0.1 www.mcafee.com
127.0.0.1 www.symantec.com
127.0.0.1 www.kaspersky-labs.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.my-etrust.com
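
A defender can check a hosts file for this kind of tampering with a short audit script. The following Python is an added example, not part of the original description or any vendor tool; it goes beyond the 127.0.0.1 case above by also flagging 0.0.0.0 entries and redirects to any other address. The function name, the watch list (built from the entries above) and the sample file are assumptions made for illustration.

```python
import ipaddress

# Vendor domains taken from the hosts entries listed above; extend as needed.
WATCHED_DOMAINS = ("mcafee.com", "symantec.com", "kaspersky-labs.com",
                   "f-secure.com", "my-etrust.com")


def audit_hosts(text, watched=WATCHED_DOMAINS):
    """Return (line_no, address, hostname, verdict) for each hosts entry that
    overrides DNS for a watched domain or one of its subdomains."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) < 2:
            continue                            # blank, comment-only or malformed
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first field is not an IP address
        # Loopback or 0.0.0.0/:: makes the site unreachable; any other address
        # sends the browser to a host of the file author's choosing.
        verdict = ("blocked" if addr.is_loopback or addr.is_unspecified
                   else "redirected")
        for name in fields[1:]:                 # one line may carry several aliases
            host = name.lower().rstrip(".")
            if any(host == d or host.endswith("." + d) for d in watched):
                findings.append((line_no, str(addr), host, verdict))
    return findings


# Constructed sample: two entries from the list above plus benign and edge-case lines.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1 www.mcafee.com
127.0.0.1 www.symantec.com   # trailing comment
0.0.0.0 Update.F-Secure.com. intranet.example
192.0.2.10 www.kaspersky-labs.com
#127.0.0.1 www.my-etrust.com
not-an-ip www.mcafee.com
"""

if __name__ == "__main__":
    # On a live system, read the file at the path given above instead of SAMPLE_HOSTS.
    for line_no, addr, host, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {addr} ({verdict})")
```

Any finding on a machine whose administrator did not add the entry warrants a scan with current DATs, since the entries themselves block the update sites.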

Symptoms

Access denied to security vendor websites and their updates.

Method of Infection

Trojans do not self-replicate. They are spread manually; distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Variants

    N/A

Overview

QHosts-113 is a Trojan that modifies the Windows hosts file, denying access to security vendor websites by redirecting them to the localhost IP address.

Aliases

  • Trj/QHost.JE (Panda)
  • Trojan.Noupd (DrWeb)
  • Trojan.QHosts.AA (VirusBuster)
  • Trojan.Win32.NoUpdate.b (Kaspersky)
