Trojan.Win32.Qhost.e

The purpose of this Trojan is to modify the mapping of domain names to IP addresses. It is a PE EXE file 2533 bytes in size (FSG-compressed; approximately 12KB when unpacked). It was written in C++.

Malware functionality

This Trojan is a modified version of the Windows file %System%\drivers\etc\hosts, which is used to map domain names (DNS) to IP addresses. The following strings are added to the hosts file:

127.0.0.1 http://downloads4.kaspersky-labs.com
127.0.0.1 http://downloads3.kaspersky-labs.com
127.0.0.1 http://downloads2.kaspersky-labs.com
127.0.0.1 http://downloads1.kaspersky-labs.com
127.0.0.1 ftp://downloads4.kaspersky-labs.com
127.0.0.1 ftp://downloads3.kaspersky-labs.com
127.0.0.1 ftp://downloads2.kaspersky-labs.com
127.0.0.1 ftp://downloads1.kaspersky-labs.com
127.0.0.1 downloads-us1.kaspersky-labs.com
127.0.0.1 rads.mcafee.com
127.0.0.1 http://www.secuser.com
127.0.0.1 a188.x.akamai.net
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 liveupdate.symantec.d4p.net
127.0.0.1 update.symantec.com
127.0.0.1 ftp.nai.com
127.0.0.1 www.grisoft.cz
127.0.0.1 www.grisoft.com
127.0.0.1 free.grisoft.cz
127.0.0.1 tds.diamondcs.com.au
127.0.0.1 ieupdate.gdata.de
127.0.0.1 ieupdate6.gdata.de
127.0.0.1 ieupdate5.gdata.de
127.0.0.1 ieupdate4.gdata.de
127.0.0.1 ieupdate3.gdata.de
127.0.0.1 ieupdate2.gdata.de
127.0.0.1 ieupdate1.gdata.de
127.0.0.1 www.iavs.cz
127.0.0.1 download7.avast.com
127.0.0.1 download6.avast.com
127.0.0.1 download5.avast.com
127.0.0.1 download4.avast.com
127.0.0.1 download3.avast.com
127.0.0.1 download2.avast.com
127.0.0.1 download1.avast.com
127.0.0.1 upgrade.bitdefender.com
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 www.lavasoftusa.com
127.0.0.1 www.a-2.org
127.0.0.1 updates.a-2.org
127.0.0.1 niuone.norman.no
127.0.0.1 www.diamondcs.com.au
127.0.0.1 www.attechnical.com
127.0.0.1 www.zeylstra.nl
127.0.0.1 fractus.mat.uson.mx
127.0.0.1 www.toonbox.de
127.0.0.1 radius.turvamies.com
127.0.0.1 diamondcs.fileburst.com
127.0.0.1 downloads.My-eTrust.com
127.0.0.1 acs.pandasoftware.com
127.0.0.1 v4.windowsupdate.microsoft.com
127.0.0.1 v5.windowsupdate.microsoft.com
127.0.0.1 www.NoAdware.net
127.0.0.1 www.nod32.com
127.0.0.1 www.eset.sk
127.0.0.1 avu.zonelabs.com
127.0.0.1 retail.sp.f-secure.com
127.0.0.1 retail01.sp.f-secure.com
127.0.0.1 retail02.sp.f-secure.com
127.0.0.1 www.moosoft.com
127.0.0.1 secuser.model-fx.com
127.0.0.1 secuser.com
127.0.0.1 downloads-eu1.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 pccreg.antivirus.com
127.0.0.1 dl1.antivir.de
127.0.0.1 dl2.antivir.de
127.0.0.1 dl3.antivir.de
127.0.0.1 dl4.antivir.de
193.125.23.12 updates.sald.com
127.0.0.1 secuser.model-fx.com
127.0.0.1 secuser.com
127.0.0.1 www.secuser.com
127.0.0.1 www.k-otik.com
127.0.0.1 www.megasecurity.org
127.0.0.1 www.symantec.com
127.0.0.1 housecall.trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 fr.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 antivirus.cai.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.sophos.com
127.0.0.1 www.securitoo.com
127.0.0.1 www.Kaspersky-FR.com
127.0.0.1 www.Kaspersky.com
127.0.0.1 my-etrust.com
127.0.0.1 www.avgfrance.com
127.0.0.1 www.antivirus-online.de
127.0.0.1 www.gietl.com/test-clamav/
127.0.0.1 ftp.esafe.com
127.0.0.1 ftp.microworldsystems.com
127.0.0.1 ftp.europe.f-secure.com
127.0.0.1 ftp.ca.co
127.0.0.1 ftp.symantec.com
127.0.0.1 files.trendmicro-europe.com
127.0.0.1 akamai.net
127.0.0.1 www.f-secure.com
127.0.0.1 www.inline-software.de
127.0.0.1 www.norman.com
127.0.0.1 www.ravantivirus.com
127.0.0.1 www.f-prot.com
127.0.0.1 www.drsolomon.com
127.0.0.1 www.avast.com
127.0.0.1 www.vsantivirus.com
127.0.0.1 www.openantivirus.org
127.0.0.1 www.bitdefender.com
127.0.0.1 www.pandasoftware.es
127.0.0.1 www3.ca.com
127.0.0.1 us.mcafee.com
127.0.0.1 security.symantec.com
127.0.0.1 www.dialognauka.ru
127.0.0.1 www.viguard.com
127.0.0.1 www.free-av.com
127.0.0.1 www.nod32.lu
127.0.0.1 www.zonelabs.fr
127.0.0.1 www.anti-virus-software-review.com
127.0.0.1 symantec.com
127.0.0.1 www.vet.com.au
127.0.0.1 www.eicar.org
127.0.0.1 www.avp.ch
127.0.0.1 anti-virus.com
127.0.0.1 download.mcafee.com
127.0.0.1 www.bitdefender.fr
127.0.0.1 securityresponse.symantec.com
127.0.0.1 microsoft.fr
127.0.0.1 microsoft.com
127.0.0.1 www.trendmicro.fr
127.0.0.1 fr.bitdefender.com
127.0.0.1 www.sophos.fr
127.0.0.1 www.emsisoft.net/fr
127.0.0.1 www.nsclean.com
127.0.0.1 www.antiviraldp.com
127.0.0.1 www.pestpatrol.com
127.0.0.1 www.agnitum.com
127.0.0.1 www.simplysup.com
127.0.0.1 www.misec.net
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nod32.nl/_en
127.0.0.1 www.centralcommand.com
127.0.0.1 www1.my-etrust.com
127.0.0.1 www.authentium.com
127.0.0.1 www.bitdefender.secyber.net/BITDEFENDER/index.html
127.0.0.1 www.finjan.com
127.0.0.1 www.fmsinc.com/free/utilities/fmsavs10.htm
127.0.0.1 www.psnw.com
127.0.0.1 www.gwava.nl
127.0.0.1 www.gecadsoftware.com
127.0.0.1 www.nai.com
127.0.0.1 www.ikarus-software.at/portal/index.php
127.0.0.1 www.pspl.com
127.0.0.1 www.safetynet.com
127.0.0.1 www.stiller.com
127.0.0.1 www.sybari.com
127.0.0.1 www.viruslist.com
127.0.0.1 www.wildlist.com
127.0.0.1 www.mcaffee.com/anti-virus/virusmap.asp
127.0.0.1 www.mcaffee.com
127.0.0.1 www.blackice.iss.net
127.0.0.1 www.ccsoftware.ca/8signs
127.0.0.1 www.deerfield.com
127.0.0.1 www.kerio.com
127.0.0.1 www.looknstop.com
127.0.0.1 www.mcafee-at-home.com
127.0.0.1 www.sygate.com
127.0.0.1 www.tinysoftware.com
127.0.0.1 www.visualizesoftware.com
127.0.0.1 www.kerio.com
127.0.0.1 www.zonelabs.com
127.0.0.1 www.zonelog.co.uk
127.0.0.1 www.safer-networking.org
127.0.0.1 www.webroot.com
127.0.0.1 www.lavasoft.nu
127.0.0.1 www.spywareguide.com
127.0.0.1 www.aluriasoftware.com
127.0.0.1 www.pestpatrol.com
127.0.0.1 www.spyblocker-software.com
127.0.0.1 www.spycop.com
127.0.0.1 www.spywareguide.com
127.0.0.1 www.javacoolsoftware.com
127.0.0.1 www.wilderssecurity.net
127.0.0.1 www.trapware.com
127.0.0.1 www.winpatrol.com
127.0.0.1 www.liutilities.com
127.0.0.1 www.x-cleaner.com
127.0.0.1 avp.com
127.0.0.1 ca.com
127.0.0.1 shop.symantec.com
127.0.0.1 dispatch.mcafee.com/us
127.0.0.1 f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 mast.mcafee.com
127.0.0.1 nai.com/us/index.asp
127.0.0.1 networkassociates.com
127.0.0.1 secure.nai.com/us/index.asp
127.0.0.1 sophos.com
127.0.0.1 www.kaspersky.co.uk
127.0.0.1 kaspersky.co.uk
127.0.0.1 www.housecall.com
127.0.0.1 housecall.com

Because the entries above point these hostnames at the loopback address, the modified %System%\drivers\etc\hosts file makes it impossible to reach the listed resources (antivirus vendor sites and update servers) from the infected machine.

Removing the malware from an infected system

If the antivirus software installed on your computer is not up to date, or if you are not using any antivirus solution at all, perform the following operations to remove the malware from the infected system:

  1. Delete the original Trojan file (its location will depend on how the program got onto the attacked computer).
  2. Edit the file %System%\drivers\etc\hosts with a standard text editor (e.g. Notepad) and delete the strings added by the Trojan. The original hosts file has the following contents:
    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host
    
    127.0.0.1       localhost
    
  3. Update the threat signatures and perform a full scan of the computer (a free trial version of Kaspersky Anti-Virus can be downloaded for this purpose).
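Step 2 above is easy to get wrong by hand when the Trojan has appended two hundred lines, and the same hosts-file check is useful as a detection control on any Windows host. The script below is an added example written for this write-up (it is not Kaspersky's code); it parses a hosts file, flags every mapping that is not the stock `127.0.0.1 localhost` entry (with a reason: hostname pinned to loopback, a URL where a hostname should be, or some other non-default mapping), and strips only a supplied list of known-bad hostnames so that legitimate administrator entries survive. The function names, the `SAMPLE_HOSTS` text and the `QHOST_E_HOSTS` subset are my own constructions, drawn from the entries listed on this page plus one made-up intranet line.

```python
"""Audit a Windows-style hosts file for tampering of the kind
Trojan.Win32.Qhost.e performs, and remove a known-bad set of entries.
Example code added to this write-up; not Kaspersky's own tooling."""

# Mapping present in the stock Windows hosts file.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost")}

# Constructed sample: stock header, the default entry, one legitimate
# admin-added line, and a few of the entries the Trojan appends.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
10.0.0.5        intranet.example   # legitimate admin-added entry (constructed)
127.0.0.1 http://downloads4.kaspersky-labs.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 windowsupdate.microsoft.com
193.125.23.12 updates.sald.com
"""

# Subset of the hostnames listed on the page, used as the removal list.
QHOST_E_HOSTS = {
    "http://downloads4.kaspersky-labs.com",
    "liveupdate.symantec.com",
    "windowsupdate.microsoft.com",
    "updates.sald.com",
}


def _split_mapping(raw):
    """Return (ip, [hostnames]) for a mapping line, or None for blank/comment lines."""
    body = raw.split("#", 1)[0].strip()       # drop trailing comments
    if not body:
        return None
    parts = body.split()
    return parts[0], parts[1:]


def parse_hosts(text):
    """Return a list of (lineno, ip, hostname) tuples, one per hostname."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = _split_mapping(raw)
        if parsed is None:
            continue
        ip, hosts = parsed
        for host in hosts:                     # a line may carry several names
            entries.append((lineno, ip, host))
    return entries


def suspicious_entries(text):
    """Flag every mapping that is not part of the stock hosts file."""
    findings = []
    for lineno, ip, host in parse_hosts(text):
        if (ip, host.lower()) in DEFAULT_ENTRIES:
            continue
        if "://" in host:
            # A hosts file cannot resolve URLs; such lines are a tell-tale of
            # mass-generated blocking entries rather than admin configuration.
            reason = "URL instead of hostname"
        elif ip.startswith("127.") or ip == "::1":
            reason = "hostname pinned to loopback"
        else:
            reason = "non-default mapping"
        findings.append({"line": lineno, "ip": ip, "host": host, "reason": reason})
    return findings


def remove_entries(text, bad_hosts):
    """Return the hosts text with the given hostnames removed.

    Comments, blank lines and every other mapping are preserved; hostname
    comparison is case-insensitive, as it is for hosts-file lookups."""
    bad = {h.lower() for h in bad_hosts}
    kept = []
    for raw in text.splitlines():
        parsed = _split_mapping(raw)
        if parsed is None:
            kept.append(raw)                   # comment or blank line
            continue
        ip, hosts = parsed
        remaining = [h for h in hosts if h.lower() not in bad]
        if not remaining:
            continue                           # whole line was bad: drop it
        if len(remaining) == len(hosts):
            kept.append(raw)                   # untouched line, keep verbatim
        else:
            kept.append(f"{ip} {' '.join(remaining)}")  # partially cleaned line
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for f in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['ip']} {f['host']} ({f['reason']})")
    print(remove_entries(SAMPLE_HOSTS, QHOST_E_HOSTS))
```

On a real system, read `%SystemRoot%\System32\drivers\etc\hosts` into `text`, review the findings first (the `non-default mapping` class is where legitimate administrator entries show up), and only then write back the result of `remove_entries`, passing the full hostname list from this page rather than the four-entry sample.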

Also detected as: QHosts-14 (McAfee), Trojan.Qhosts (Symantec), Trojan.Noupd (Doctor Web), Troj/Hosts-C (Sophos), TROJ_QHOST.B (Trend Micro), TR/Qhost.E (H+BEDV), Win32:Qhost-E (ALWIL), Trojan.Qhost.E (SOFTWIN), Trojan.Qhost.G (ClamAV), Win32/Qhost.E (Eset)