Trojan.Win32.Qhost.nrq

Technical Details
Payload
Removal instructions

Technical Details

This Trojan delivers a malicious payload to the user's computer. It is a Windows application (PE EXE file). It is 54 784 bytes in size. It is packed using UPX. The unpacked file is approximately 149 KB in size. It is written in C++.

Payload

Once launched, the Trojan copies the original file:

%System%\drivers\etc\hosts

to the file:

%System%\hosts

Then, the Trojan modifies the original "hosts" file by adding the following strings to it:

62.***.98       ag.ru
62.***.98       www.ag.ru
62.***.98       ask.com
62.***.98       www.ask.com
62.***.98       auto.ru
62.***.98       www.auto.ru
62.***.98       avito.ru
62.***.98       www.avito.ru
62.***.98       bing.com
62.***.98       www.bing.com
62.***.98       blogger.com
62.***.98       www.blogger.com
62.***.98       championat.ru
62.***.98       www.championat.ru
62.***.98       community.livejournal.com
62.***.98       www.community.livejournal.com
62.***.98       depositfiles.com
62.***.98       www.depositfiles.com
62.***.98       diary.ru
62.***.98       www.diary.ru
62.***.98       drweb.com
62.***.98       www.drweb.com
62.***.98       en.wikipedia.org
62.***.98       www.en.wikipedia.org
62.***.98       esetnod32.ru
62.***.98       www.esetnod32.ru
62.***.98       facebook.com
62.***.98       www.facebook.com
62.***.98       fastpic.ru
62.***.98       www.fastpic.ru
62.***.98       fishki.net
62.***.98       www.fishki.net
62.***.98       games.rambler.ru
62.***.98       www.games.rambler.ru
62.***.98       gazeta.ru
62.***.98       www.gazeta.ru
62.***.98       gismeteo.ru
62.***.98       www.gismeteo.ru
62.***.98       google.com
62.***.98       www.google.com
62.***.98       google.ru
62.***.98       www.google.ru
62.***.98       habrahabr.ru
62.***.98       www.habrahabr.ru
62.***.98       hh.ru
62.***.98       www.hh.ru
62.***.98       ifolder.ru
62.***.98       www.ifolder.ru
62.***.98       kaspersky.ru
62.***.98       www.kaspersky.ru
62.***.98       kinopoisk.ru
62.***.98       www.kinopoisk.ru
62.***.98       kinozal.tv
62.***.98       www.kinozal.tv
62.***.98       kp.ru
62.***.98       www.kp.ru
62.***.98       lenta.ru
62.***.98       www.lenta.ru
62.***.98       letitbit.net
62.***.98       www.letitbit.net
62.***.98       live.com
62.***.98       www.live.com
62.***.98       liveinternet.ru
62.***.98       www.liveinternet.ru
62.***.98       livejournal.com
62.***.98       www.livejournal.com
62.***.98       loveplanet.ru
62.***.98       www.loveplanet.ru
62.***.98       love.rambler.ru
62.***.98       www.love.rambler.ru
62.***.98       mail.rambler.ru
62.***.98       www.mail.rambler.ru
62.***.98       mamba.ru
62.***.98       www.mamba.ru
62.***.98       marketgid.com
62.***.98       www.marketgid.com
62.***.98       mirtesen.ru
62.***.98       www.mirtesen.ru
62.***.98       mozilla.com
62.***.98       www.mozilla.com
62.***.98       msn.com
62.***.98       www.msn.com
62.***.98       narod.ru
62.***.98       www.narod.ru
62.***.98       newsru.com
62.***.98       www.newsru.com
62.***.98       nova.rambler.ru
62.***.98       www.nova.rambler.ru
62.***.98       odnoklasniki.ru
62.***.98       www.odnoklasniki.ru
62.***.98       odnoklassniki.ru
62.***.98       www.odnoklassniki.ru
62.***.98       ozon.ru
62.***.98       www.ozon.ru
62.***.98       playground.ru
62.***.98       www.playground.ru
62.***.98       pornolab.net
62.***.98       www.pornolab.net
62.***.98       privet.ru
62.***.98       www.privet.ru
62.***.98       qip.ru
62.***.98       www.qip.ru
62.***.98       radikal.ru
62.***.98       www.radikal.ru
62.***.98       rambler.ru
62.***.98       www.rambler.ru
62.***.98       rapidshare.com
62.***.98       www.rapidshare.com
62.***.98       rbc.ru
62.***.98       www.rbc.ru
62.***.98       rian.ru
62.***.98       www.rian.ru
62.***.98       rutracker.org
62.***.98       www.rutracker.org
62.***.98       rutube.ru
62.***.98       www.rutube.ru
62.***.98       ru.wikipedia.org
62.***.98       www.ru.wikipedia.org
62.***.98       smscost.ru
62.***.98       www.smscost.ru
62.***.98       sms-price.ru
62.***.98       www.sms-price.ru
62.***.98       tfile.ru
62.***.98       www.tfile.ru
62.***.98       torrentdownloads.net
62.***.98       www.torrentdownloads.net
62.***.98       turbobit.net
62.***.98       www.turbobit.net
62.***.98       twitter.com
62.***.98       www.twitter.com
62.***.98       vesti.ru
62.***.98       www.vesti.ru
62.***.98       vip-file.com
62.***.98       www.vip-file.com
62.***.98       vk.com
62.***.98       www.vk.com
62.***.98       vkontakte.ru
62.***.98       www.vkontakte.ru
62.***.98       wordpress.com
62.***.98       www.wordpress.com
62.***.98       yahoo.com
62.***.98       www.yahoo.com
62.***.98       yandex.net
62.***.98       www.yandex.net
62.***.98       yandex.ru
62.***.98       www.yandex.ru
62.***.98       ya.ru
62.***.98       www.ya.ru
62.***.98       youtube.com
62.***.98       www.youtube.com
62.***.98       zaycev.net
62.***.98       www.zaycev.net
62.***.98       kav.ru
62.***.98       www.kav.ru
62.***.98       kaspersky.ru
62.***.98       www.kaspersky.ru
62.***.98       esetnod32.ru
62.***.98       www.esetnod32.ru
62.***.98       eset.com
62.***.98       www.eset.com
62.***.98       drweb.com
62.***.98       www.drweb.com
62.***.98       freedrweb.com
62.***.98       www.freedrweb.com
62.***.98       download.drweb.com
62.***.98       www.download.drweb.com
62.***.98       free-av.com
62.***.98       www.free-av.com
62.***.98       symantec.com
62.***.98       www.symantec.com
62.***.98       pandasecurity.com
62.***.98       www.pandasecurity.com

Thereby, when users attempt to reference the specified resources, they will be redirected to the address:

62.***.98

The Trojan then ceases running.

Removal instructions

If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:

1. Replace the file:

   %System%\drivers\etc\hosts

   with the following file:

   %System%\hosts

2. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
3. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).