Win32/Qhost [Threat Name] go to Threat

Win32/Qhost.PDQ [Threat Variant Name]

Category trojan
Size 65536 B
Detection created Apr 13, 2011
Detection database version 6039
Aliases IM-Worm.Win32.Yahos.qe (Kaspersky)
  TrojanDropper:Win32/Finkmilt.A (Microsoft)
  Trojan.PWS.Banker.53079 (Dr.Web)
Short description

Win32/Qhost.PDQ is a trojan that prevents access to certain web sites and reroutes traffic to certain IP addresses. It uses techniques common for rootkits.

Installation

When executed, the trojan creates the following files:

  • %windir%\­sgope.sys
  • %system%\­drivers\­etc\­host5

The trojan registers itself as a system service using the following name:

  • mkdrv

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­mkdrv]
    • "Type" = 1
    • "Start" = 1
    • "ImagePath" = "%windir%\­sgope.sys"
    • "DisplayName" = "mkdrv"
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Enum\­Root\­LEGACY_MKDRV]

This way the trojan ensures that the file is executed on every system start.

Other information

Win32/Qhost.PDQ is a trojan that prevents access to certain web sites and reroutes traffic to certain IP addresses.


The trojan may create the following files:

  • %windir%\­sdel.bat
  • %windir%\­ldr.dll

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "rundll32.exe" = "rundll32.exe ldr.dll,Prkt"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Timer]
    • "Count"

The trojan may perform operating system restart.


The trojan hooks the following Windows APIs:

  • NtQueryDirectoryFile (ntdll.dll)
  • NtCreateFile (ntdll.dll)
  • NtOpenFile (ntdll.dll)
  • NtQuerySystemInformation (ntdll.dll)
  • ZwQueryKey (ntdll.dll)
  • ZwEnumerateValueKey (ntdll.dll)
  • ZwEnumerateKey (ntdll.dll)

The trojan hides files which contain one of the following strings in their name:

  • host5
  • hst.exe
  • ldr.dll
  • sgope.sys

The trojan hides processes which contain one of the following strings in their name:

  • hst.exe

The trojan hides Registry entries which contain one of the following strings in their name:

  • LEGACY_MKDRV

Trojan blocks the opening of files with the following extensions:

  • .lzma
  • .lst
  • .avl
  • .vdf.gz
  • .info.gz
  • .info
  • .klz
  • .ver

The trojan can modify the following file:

  • %system%\­drivers\­etc\­hosts

The trojan writes the following entries to the file:

  • 76.76.116.123   www.telebank.ru
  • 76.76.116.123   telebank.ru
  • 76.76.116.123   www.alfabank.ru
  • 76.76.116.123   alfabank.ru
  • 76.76.116.126   click.alfabank.ru
  • 76.76.116.124   sbrf.ru
  • 76.76.116.124   www.sbrf.ru
  • 76.76.116.124   www.esk.sbrf.ru
  • 76.76.116.124   esk.sbrf.ru
  • 76.76.116.126   www.click.alfabank.ru

Please enable Javascript to ensure correct displaying of this content and refresh this page.