Win32/Qhost [Threat Name]
Win32/Qhost.PDQ [Threat Variant Name]
Category | trojan
Size | 65536 B
Aliases | IM-Worm.Win32.Yahos.qe (Kaspersky), TrojanDropper:Win32/Finkmilt.A (Microsoft), Trojan.PWS.Banker.53079 (Dr.Web)
Short description
Win32/Qhost.PDQ is a trojan that prevents access to certain web sites and reroutes traffic to certain IP addresses. It uses techniques common to rootkits.
Installation
When executed, the trojan creates the following files:
- %windir%\sgope.sys
- %system%\drivers\etc\host5
The trojan registers itself as a system service using the following name:
- mkdrv
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mkdrv]
- "Type" = 1
- "Start" = 1
- "ImagePath" = "%windir%\sgope.sys"
- "DisplayName" = "mkdrv"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MKDRV]
This way the trojan ensures that the driver file is loaded on every system start.
Other information
The trojan may create the following files:
- %windir%\sdel.bat
- %windir%\ldr.dll
The trojan may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "rundll32.exe" = "rundll32.exe ldr.dll,Prkt"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Timer]
- "Count"
The trojan may restart the operating system.
The trojan hooks the following Windows APIs:
- NtQueryDirectoryFile (ntdll.dll)
- NtCreateFile (ntdll.dll)
- NtOpenFile (ntdll.dll)
- NtQuerySystemInformation (ntdll.dll)
- ZwQueryKey (ntdll.dll)
- ZwEnumerateValueKey (ntdll.dll)
- ZwEnumerateKey (ntdll.dll)
The trojan hides files whose names contain one of the following strings:
- host5
- hst.exe
- ldr.dll
- sgope.sys
The trojan hides processes whose names contain one of the following strings:
- hst.exe
The trojan hides Registry entries whose names contain one of the following strings:
- LEGACY_MKDRV
The trojan blocks the opening of files with the following extensions:
- .lzma
- .lst
- .avl
- .vdf.gz
- .info.gz
- .info
- .klz
- .ver
The trojan can modify the following file:
- %system%\drivers\etc\hosts
The trojan writes the following entries to the file:
- 76.76.116.123 www.telebank.ru
- 76.76.116.123 telebank.ru
- 76.76.116.123 www.alfabank.ru
- 76.76.116.123 alfabank.ru
- 76.76.116.126 click.alfabank.ru
- 76.76.116.124 sbrf.ru
- 76.76.116.124 www.sbrf.ru
- 76.76.116.124 www.esk.sbrf.ru
- 76.76.116.124 esk.sbrf.ru
- 76.76.116.126 www.click.alfabank.ru
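As an added example (not ESET's tooling and not code from the page), a Python triage script that parses a Windows hosts file and flags the exact entries listed above, any other mapping for those banking domains, and any remaining non-loopback entry; the sample hosts content it runs on is constructed.

```python
import ipaddress

# Hosts-file entries the page lists for Win32/Qhost.PDQ, as (IP, hostname).
QHOST_PDQ_ENTRIES = {
    ("76.76.116.123", "www.telebank.ru"), ("76.76.116.123", "telebank.ru"),
    ("76.76.116.123", "www.alfabank.ru"), ("76.76.116.123", "alfabank.ru"),
    ("76.76.116.126", "click.alfabank.ru"), ("76.76.116.126", "www.click.alfabank.ru"),
    ("76.76.116.124", "sbrf.ru"), ("76.76.116.124", "www.sbrf.ru"),
    ("76.76.116.124", "www.esk.sbrf.ru"), ("76.76.116.124", "esk.sbrf.ru"),
}
TARGET_DOMAINS = {name for _, name in QHOST_PDQ_ENTRIES}

def parse_hosts(text):
    """Yield (ip, hostname) pairs; skip comments, blank and malformed lines."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address, so not a mapping
        for name in fields[1:]:
            yield fields[0], name.lower()

def classify_hosts(text):
    """Return [(verdict, ip, hostname)] for every entry that is not a plain
    loopback mapping. Verdicts, most to least specific:
    qhost_pdq_entry, target_domain_override, non_loopback."""
    findings = []
    for ip, name in parse_hosts(text):
        if (ip, name) in QHOST_PDQ_ENTRIES:
            findings.append(("qhost_pdq_entry", ip, name))
        elif name in TARGET_DOMAINS:
            findings.append(("target_domain_override", ip, name))
        elif not ipaddress.ip_address(ip).is_loopback:
            findings.append(("non_loopback", ip, name))
    return findings

# Constructed sample hosts file (not captured from a real infection).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
76.76.116.123   www.telebank.ru
76.76.116.124   sbrf.ru  www.sbrf.ru
10.0.0.5        alfabank.ru
192.168.1.20    intranet.corp.example
"""

if __name__ == "__main__":
    for verdict, ip, name in classify_hosts(SAMPLE_HOSTS):
        print(f"{verdict:24} {ip:16} {name}")
```

On a live system, feed it the contents of %system%\drivers\etc\hosts; remember that the hooks listed above can hide that file from a normal directory listing, so read it by its full path or from an offline image.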