Win32/Qhost [Threat Name] go to Threat

Win32/Qhost.PEV [Threat Variant Name]

Category	trojan
Size	952336 B
Aliases	Trojan-Dropper.Win32.Delf.kwj (Kaspersky)
	Trojan:Win32/Sulunch.A (Microsoft)
	GenericPWS.y!dxz.trojan (McAfee)

Win32/Qhost.PEV is a trojan that changes the home page of certain web browsers.

When executed, the trojan copies itself into the following location:

The trojan creates the following file:

The file is then executed.

The trojan creates the following file:

The file is a shortcut to a malicious file.

This causes the trojan to be executed on every system start.

The trojan changes the home page of the following web browsers:

The following Registry entries are set:

[HKEY_CURRENT_USER\Software\Microsoft\Silverlight Plugin]
- "CheckSilverlight" = 1
[HKEY_CURENT_USER\Software\Microsoft\Internet Explorer\Main]
- "Start Page" = "www.google.com.tr"
- "Search Page" = "www.google.com.tr"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing]
- "NewTabPageShow" = 0
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
- "Homepage" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden]
- "type" = "-"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
- "Hidden" = 0
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
- "EnableLUA" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
- "SaveZoneInformation" = 1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
- "LowRiskFileTypes" = ".exe"

The trojan modifies the following file:

The trojan writes the following entries to the file:

The trojan modifies the following file:

The trojan writes the following entries to the file:

The trojan can open the following URLs:

The trojan displays the following picture: