Win32/Qhost [Threat Name]
Win32/Qhost.PEV [Threat Variant Name]
Category | trojan |
Size | 952336 B |
Aliases | Trojan-Dropper.Win32.Delf.kwj (Kaspersky), Trojan:Win32/Sulunch.A (Microsoft), GenericPWS.y!dxz.trojan (McAfee) |
Short description
Win32/Qhost.PEV is a trojan that changes the home page of certain web browsers.
Installation
When executed, the trojan copies itself into the following location:
- %system%\msnmsgr.exe
The trojan creates the following file:
- %system%\drivers\vvuacult.exe (501760 B, Win32/Qhost.PEV)
The file is then executed.
The trojan creates the following file:
- %startup%\Windows Live Messenger.lnk
The file is a shortcut to a malicious file.
This causes the trojan to be executed on every system start.
Other information
The trojan changes the home page of the following web browsers:
- Internet Explorer
- Mozilla Firefox
The following Registry entries are set:
- [HKEY_CURRENT_USER\Software\Microsoft\Silverlight Plugin]
- "CheckSilverlight" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
- "Start Page" = "www.google.com.tr"
- "Search Page" = "www.google.com.tr"
- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing]
- "NewTabPageShow" = 0
- [HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
- "Homepage" = 1
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden]
- "type" = "-"
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
- "Hidden" = 0
- [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
- "EnableLUA" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
- "SaveZoneInformation" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
- "LowRiskFileTypes" = ".exe"
The trojan modifies the following file:
- %system%\drivers\etc\hosts
The trojan writes the following entries to the file:
- 188.120.254.196 google.com.tr
- 188.120.254.196 www.google.com.tr
The trojan modifies the following file:
- %appdata%\Mozilla\%profile%\prefs.js
The trojan writes the following entries to the file:
- user_pref("browser.startup.homepage", "www.google.com.tr")
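The hosts-file and prefs.js changes described above can be checked for offline. The following is an added example (not part of the original description) that parses a hosts file and a Firefox prefs.js and reports the redirection entries and homepage override this variant writes; the sample file contents are constructed for the demonstration.

```python
import re

# Constructed sample hosts file content: benign lines plus the two
# redirection entries listed in the description.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
188.120.254.196 google.com.tr
188.120.254.196 www.google.com.tr
"""

# Constructed sample Firefox prefs.js content containing the written preference.
SAMPLE_PREFS = """// Mozilla User Preferences
user_pref("browser.startup.homepage", "www.google.com.tr");
user_pref("browser.shell.checkDefaultBrowser", false);
"""

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*"?([^")]*)"?\)')


def suspicious_hosts_entries(text):
    """Return (ip, hostname) pairs that map a dotted domain name to a
    non-loopback address. Loopback entries are the normal way to block a
    host; a public address next to a public domain is the hijack pattern."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        if ip in LOOPBACK:
            continue
        for name in names:
            if "." in name and name != "localhost":
                findings.append((ip, name))
    return findings


def hijacked_homepage(text):
    """Return the browser.startup.homepage value set in prefs.js, or None."""
    for m in PREF_RE.finditer(text):
        if m.group(1) == "browser.startup.homepage":
            return m.group(2)
    return None
```

On a live system, read %system%\drivers\etc\hosts and the profile's prefs.js into these functions; a non-loopback hosts entry for a popular domain warrants comparing the address against the domain's legitimate resolution.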
The trojan can open the following URLs:
- http://www.microsoft.com/getsilverlight/Get-Started/Install/Default.asp
The trojan displays the following picture: