Win32/Qhost [Threat Name]

Win32/Qhost.ZR [Threat Variant Name]

Category trojan
Size 7680 B
Aliases Trojan.Win32.Qhost.ww (Kaspersky)
  Trojan:Win32/Wantvi.A (Microsoft)
  Trojan.SpamThru (Symantec)
Short description

Win32/Qhost.ZR is a trojan that prevents access to certain web sites and reroutes traffic to certain IP addresses. The trojan displays fake warnings about threats detected on the compromised computer that need to be removed. The file is run-time compressed using UPX.

Installation

When executed the trojan copies itself in the following locations:

  • %system%\winter.exe
  • %system%\proper.exe
  • %startup%\infos.exe
  • %commonstartup%\autos.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Undefined" = "%system%\winter.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Undefined" = "%system%\winter.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Shell" = "Explorer.exe proper.exe"

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableRegistryTools" = 1
    • "DisableTaskMgr" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableRegistryTools" = 1
    • "DisableTaskMgr" = 1
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "EnableBalloonTips" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "EnableBalloonTips" = 1
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    • "NoControlPanel" = 1
    • "NoWindowsUpdate" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    • "NoControlPanel" = 1
    • "NoWindowsUpdate" = 1
  • [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
    • "NoAutoUpdate" = 1
  • [HKEY_CURRENT_USER\Software\Policies\Microsoft\windows\Windows Update]
    • "NoAutoUpdate" = 1
    • "NoWindowsUpdate" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
    • "1200" = 0
    • "1201" = 0
    • "1208" = 0
    • "1608" = 0
    • "1804" = 0
    • "2500" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
    • "1200" = 0
    • "1201" = 0
    • "1208" = 0
    • "1608" = 0
    • "1804" = 0
    • "2500" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "1200" = 0
    • "1201" = 0
    • "1208" = 0
    • "1608" = 0
    • "1804" = 0
    • "2500" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
    • "1200" = 0
    • "1201" = 0
    • "1208" = 0
    • "1608" = 0
    • "1804" = 0
    • "2500" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    • "Search Bar" = "http://www.google.com/ie"
    • "Search Page" = "http://www.google.com"
    • "Start Page" = "http://www.google.com"
    • "Enable Browser Extensions" = "Yes"
    • "ShowedCheckBrowser" = "Yes"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
    • "Default_Search_URL" = "http://www.google.com/ie"
    • "Search Page" = "http://www.google.com"
    • "Start Page" = "http://www.google.com"
    • "Enable Browser Extensions" = "Yes"
    • "ShowedCheckBrowser" = "Yes"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D27987B8-7244-4DE0-AE10-39B826B492F1}\InprocServer32]
    • "(Default)" = "%system%\bronto.dll"
    • "ThreadingModel" = "Apartment"
    • "Enable Browser Extensions" = "yes"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D27987B8-7244-4DE0-AE10-39B826B492F1}]
  • [HKEY_CLASSES_ROOT\http\shell\open\command]
    • "(Default)" = "%internetexplorerpath%"
  • [HKEY_CLASSES_ROOT\ftp\shell\open\command]
    • "(Default)" = "%internetexplorerpath%"
  • [HKEY_CLASSES_ROOT\gopher\shell\open\command]
    • "(Default)" = "%internetexplorerpath%"
  • [HKEY_CLASSES_ROOT\https\shell\open\command]
    • "(Default)" = "%internetexplorerpath%"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.shtml]
    • "(Default)" = "htmlfile"
  • [HKEY_CLASSES_ROOT\.html]
    • "(Default)" = "htmlfile"
  • [HKEY_CLASSES_ROOT\.htm]
    • "(Default)" = "htmlfile"
  • [HKEY_CLASSES_ROOT\.shtml]
    • "(Default)" = "htmlfile"
  • [HKEY_CLASSES_ROOT\.xht]
    • "(Default)" = "htmlfile"
  • [HKEY_CLASSES_ROOT\.xhtml]
    • "(Default)" = "htmlfile"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    • "%system%\winav.exe" = "%system%\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%system%\winav.exe" = "%system%\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
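As an added illustration, not code from the original page or from ESET, the following Python audits a registry export in the `.reg` text format (what `reg export` writes) for the persistence and lockdown settings listed above: a Winlogon Shell value that is anything other than explorer.exe, the Disable*/No* policy values set to 1, and Run entries that launch one of the dropped file names. The sample export is constructed for the example; the file names and value names come from this page.

```python
import re
# Constructed sample in .reg export format showing the keys this variant sets;
# in practice feed it the output of `reg export <key> file.reg` from the host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe proper.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Undefined"="C:\\WINDOWS\\system32\\winter.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001
"""
# Policy values that, when set to 1, lock the user out of recovery tools.
LOCKDOWN_VALUES = {"DisableRegistryTools", "DisableTaskMgr",
                   "NoControlPanel", "NoWindowsUpdate", "NoAutoUpdate"}
# File names this variant drops (from the page's Installation section).
DROPPED_FILES = {"winter.exe", "proper.exe", "infos.exe", "autos.exe"}

def parse_reg(text: str) -> dict:
    """Parse a .reg export into {key_path: {value_name: data}} (strings, dwords)."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                # .reg escapes backslashes and quotes inside string data
                keys[current][name] = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return keys

def audit_registry(keys: dict) -> list:
    """Return human-readable findings for the indicators described above."""
    findings = []
    for path, values in keys.items():
        tail = path.rsplit("\\", 1)[-1].lower()
        for name, data in values.items():
            if tail == "winlogon" and name == "Shell" and str(data).lower() != "explorer.exe":
                findings.append(f"Winlogon Shell hijacked: {data!r}")
            elif name in LOCKDOWN_VALUES and data == 1:
                findings.append(f"Lockdown policy set: {name} under {path}")
            elif tail == "run" and isinstance(data, str) and \
                    data.lower().rsplit("\\", 1)[-1] in DROPPED_FILES:
                findings.append(f"Run entry {name!r} launches {data}")
    return findings
```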
Other information

The trojan displays fake warnings about threats detected on the compromised computer that need to be removed.

The trojan opens the following URLs in Internet Explorer:

  • http://gomyhit.com/MTc3MTY=/2/6018/786/

Win32/Qhost.ZR is a trojan that prevents access to certain web sites and reroutes traffic to certain IP addresses.

The trojan modifies the following file:

  • %system%\drivers\etc\hosts

The trojan writes the following entries to the file:

This way the trojan blocks access to specific websites.
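As an added example, not code from the original page or from ESET, the following Python parses a hosts file and flags any entry that maps a security-vendor or Windows Update domain to a non-loopback address, then returns the file content with those lines removed. The sample hosts content is constructed; the redirect address 192.168.200.3 and the domain names are taken from this page, and the suffix list is an assumption to be extended per environment.

```python
import ipaddress
import re
# Constructed sample: a hosts file as this variant leaves it, with the normal
# loopback lines intact and vendor/update hosts pointed at a private address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.200.3 windowsupdate.microsoft.com
192.168.200.3 avp.com
192.168.200.3 liveupdate.symantec.com
192.168.200.3 virustotal.com
"""
# Domains a hosts file has no business redirecting (assumed list; mirrors the
# vendors named in the entries this variant writes).
PROTECTED_SUFFIXES = (
    "microsoft.com", "symantec.com", "kaspersky.com", "kaspersky-labs.com",
    "mcafee.com", "avp.com", "f-secure.com", "sophos.com", "trendmicro.com",
    "virustotal.com", "viruslist.com",
)
# address, then one or more host names, then an optional trailing comment
LINE_RE = re.compile(r"^\s*(\S+)\s+(.+?)\s*(?:#.*)?$")

def is_protected(hostname: str) -> bool:
    host = hostname.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)

def audit_hosts(text: str):
    """Return (suspicious, cleaned): [(address, [names])] for protected domains
    mapped to a non-loopback address, and the hosts text without those lines."""
    suspicious, kept = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or line.lstrip().startswith("#"):
            kept.append(line); continue          # blank or comment line
        addr, names = m.group(1), m.group(2).split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            kept.append(line); continue          # not a hosts entry we can judge
        bad = [] if ip.is_loopback else [n for n in names if is_protected(n)]
        if bad:
            suspicious.append((addr, bad))
        else:
            kept.append(line)
    return suspicious, "\n".join(kept) + "\n"

if __name__ == "__main__":
    for addr, names in audit_hosts(SAMPLE_HOSTS)[0]:
        print(f"REDIRECTED {', '.join(names)} -> {addr}")
```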
