BAT/Qhost [Threat Name]

BAT/Qhost.NHI [Threat Variant Name]

Category trojan
Size 22016 B
Aliases Trojan-Banker.BAT.Qhost.s (Kaspersky)
  TrojanDropper:Win32/Banker.C (Microsoft)
  Trojan.MulDrop1.45260 (Dr.Web)
Short description

BAT/Qhost.NHI is a trojan that prevents access to certain web sites and reroutes traffic to certain IP addresses.

Installation

The trojan does not create any copies of itself.


The trojan creates the following file:

  • %temp%\%random%\left.bat (3098 B)

A string with variable content is used instead of %random%.


The file is then executed.

Other information

BAT/Qhost.NHI is a trojan that prevents access to certain web sites and reroutes traffic to certain IP addresses.


The trojan modifies the following file:

  • %system%\drivers\etc\hosts

The trojan writes entries to the file that pin a set of online-banking, payment, credit-bureau and webmail domains (each with and without the www prefix) to a single IP address, so that requests for those sites are redirected there instead of to the legitimate servers:

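The hosts-file modification above can be checked for from the defender's side. The following is an added example, not part of the original entry: it parses hosts-file text and reports any public IP address that several hostnames have been pinned to, which is the pattern this trojan leaves behind. The sample hosts content is constructed for the example; it mirrors the entry format described above.

```python
import ipaddress
from collections import defaultdict

# Constructed sample hosts file: normal loopback entries, one private-range
# entry, and entries in the pattern this trojan writes (several unrelated
# domains pinned to one public IP address).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
208.109.189.38 www.paypal.com
208.109.189.38 paypal.com
208.109.189.38 www.bradesco.com.br  # trailing comment is ignored
208.109.189.38 bradesco.com.br
10.0.0.5        intranet.corp.example
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text.

    Comments ('#' to end of line) and blank lines are skipped, one IP may be
    followed by several hostnames, and lines that do not start with a valid
    IPv4/IPv6 address are ignored rather than raising.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            yield ip, host.lower()

def find_hijacked_hosts(text, min_hosts_per_ip=2):
    """Return {ip: [hostnames]} for public IPs that several hostnames point to.

    Loopback, private and link-local addresses are the normal content of a
    hosts file and are skipped; a public IP carrying two or more hostnames is
    reported as a likely hosts-file redirect.
    """
    by_ip = defaultdict(list)
    for ip, host in parse_hosts(text):
        if ip.is_loopback or ip.is_private or ip.is_link_local:
            continue
        by_ip[str(ip)].append(host)
    return {ip: hosts for ip, hosts in by_ip.items() if len(hosts) >= min_hosts_per_ip}

if __name__ == "__main__":
    for ip, hosts in find_hijacked_hosts(SAMPLE_HOSTS).items():
        print(f"{ip} is pinned for {len(hosts)} hostnames: {', '.join(hosts)}")
```

On a live system, read %SystemRoot%\System32\drivers\etc\hosts (or /etc/hosts) and pass its contents to find_hijacked_hosts; lowering min_hosts_per_ip to 1 also surfaces single-domain redirects at the cost of more noise.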

The trojan opens the following URLs in Internet Explorer:

  • http://www.china-anxitea.com/Desktop/Autostart/inc/.xpt/msn.php

The following files are deleted:

  • %temp%\%random%\left.bat
