Win32/Qhost [Threat Name]

Win32/Qhost.PEV [Threat Variant Name]

Category: trojan
Size: 952336 B
Aliases: Trojan-Dropper.Win32.Delf.kwj (Kaspersky)
  Trojan:Win32/Sulunch.A (Microsoft)
  GenericPWS.y!dxz.trojan (McAfee)
Short description

Win32/Qhost.PEV is a trojan that changes the home page of certain web browsers.

Installation

When executed, the trojan copies itself into the following location:

  • %system%\msnmsgr.exe

The trojan creates the following file:

  • %system%\drivers\vvuacult.exe (501760 B, Win32/Qhost.PEV)

The file is then executed.

The trojan creates the following file:

  • %startup%\Windows Live Messenger.lnk

The file is a shortcut to a malicious file. This causes the trojan to be executed on every system start.

Other information

The trojan changes the home page of the following web browsers:

  • Internet Explorer
  • Mozilla Firefox

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Silverlight Plugin]
    • "CheckSilverlight" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    • "Start Page" = "www.google.com.tr"
    • "Search Page" = "www.google.com.tr"
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing]
    • "NewTabPageShow" = 0
  • [HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
    • "Homepage" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden]
    • "type" = "-"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "Hidden" = 0
  • [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    • "EnableLUA" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
    • "SaveZoneInformation" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
    • "LowRiskFileTypes" = ".exe"

The trojan modifies the following file:

  • %system%\drivers\etc\hosts

The trojan writes the following entries to the file:

  • 188.120.254.196 google.com.tr
  • 188.120.254.196 www.google.com.tr

The trojan modifies the following file:

  • %appdata%\Mozilla\%profile%\prefs.js

The trojan writes the following entries to the file:

  • user_pref("browser.startup.homepage", "www.google.com.tr")
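The hosts-file, prefs.js and registry indicators listed above can be checked offline against artifacts collected from a suspect machine. The following Python triage script is an added example, not part of this description; its sample inputs are constructed, and the registry snapshot format (a dict mapping (key, value name) to data, as one might parse from a .reg export) is an assumption.

```python
import re

# Indicator values are taken from the description above; the sample inputs are constructed.
HOSTS_IOC_IP = "188.120.254.196"
HOSTS_IOC_NAMES = {"google.com.tr", "www.google.com.tr"}
FIREFOX_HOMEPAGE_IOC = "www.google.com.tr"
# (key, value name) -> data, for the registry values that weaken the host's defences
REG_IOCS = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA"): "0",
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments", "SaveZoneInformation"): "1",
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations", "LowRiskFileTypes"): ".exe",
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "Start Page"): "www.google.com.tr",
}
PREF_RE = re.compile(r'user_pref\("browser\.startup\.homepage",\s*"([^"]*)"\)')

def hosts_hits(text):
    """Return (ip, hostname) pairs in hosts-file text that match the trojan's redirection."""
    hits = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()  # strip comments, then tokenize
        if len(parts) >= 2 and parts[0] == HOSTS_IOC_IP:
            hits += [(parts[0], h) for h in parts[1:] if h.lower() in HOSTS_IOC_NAMES]
    return hits

def prefs_hits(text):
    """Return browser.startup.homepage values in prefs.js that match the trojan's value."""
    return [m.group(1) for m in PREF_RE.finditer(text) if m.group(1) == FIREFOX_HOMEPAGE_IOC]

def registry_hits(snapshot):
    """snapshot maps (key, value name) -> data, e.g. parsed from a .reg export (assumed format).
    Comparison is case-insensitive on key and value name, as the registry is."""
    norm = {(k.lower(), v.lower()): str(d) for (k, v), d in snapshot.items()}
    return [(k, v) for (k, v), d in REG_IOCS.items() if norm.get((k.lower(), v.lower())) == d]

def triage(hosts_text, prefs_text, snapshot):
    """Collect all matches; any non-empty list is a sign of this variant's tampering."""
    return {"hosts": hosts_hits(hosts_text), "prefs": prefs_hits(prefs_text),
            "registry": registry_hits(snapshot)}

# Constructed sample artifacts (not captured from a real infection)
SAMPLE_HOSTS = "127.0.0.1 localhost\n188.120.254.196 google.com.tr\n188.120.254.196 www.google.com.tr # added\n"
SAMPLE_PREFS = 'user_pref("browser.startup.homepage", "www.google.com.tr");\n'
SAMPLE_REG = {
    (r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system", "EnableLUA"): 0,
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "Start Page"): "www.google.com.tr",
}

if __name__ == "__main__":
    print(triage(SAMPLE_HOSTS, SAMPLE_PREFS, SAMPLE_REG))
```

A hit on the hosts file alone is enough to explain why both browsers resolve the redirected domain to the listed address even after the home page setting is restored.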

The trojan can open the following URLs:

  • http://www.microsoft.com/getsilverlight/Get-Started/Install/Default.asp

The trojan displays the following picture:

[picture not reproduced on this page]