Trojan.Win32.Qhost.hl

Technical Details

This Trojan is a modified Windows %System%\drivers\etc\hosts file, which is used to translate domain names (DNS) to IP addresses. The modified file is 2189 bytes in size. The file is modified in such a way as to block access to the sites listed below (the majory of which are antivirus sites and servers with antivirus database updates).

The following strings are added to the hosts file.

10.0.0.5 avp.com
10.0.0.5 kaspersky.com
10.0.0.5 kaspersky-labs.com
10.0.0.5 updates1.kaspersky.com
10.0.0.5 updates2.kaspersky.com
10.0.0.5 updates3.kaspersky.com
10.0.0.5 updates-us1.kaspersky.com
10.0.0.5 downloads1.kaspersky.com
10.0.0.5 downloads-us1.kaspersky.com
10.0.0.5 www.avp.com
10.0.0.5 www.kaspersky.com
10.0.0.5 d-ru-1f.kaspersky-labs.com
10.0.0.5 d-ru-1h.kaspersky-labs.com
10.0.0.5 d-ru-2f.kaspersky-labs.com
10.0.0.5 d-ru-2h.kaspersky-labs.com
10.0.0.5 d-eu-2f.kaspersky-labs.com
10.0.0.5 d-eu-2h.kaspersky-labs.com
10.0.0.5 d-eu-1f.kaspersky-labs.com
10.0.0.5 d-eu-1h.kaspersky-labs.com
10.0.0.5 d-us-1f.kaspersky-labs.com
10.0.0.5 d-us-1h.kaspersky-labs.com
10.0.0.5 downloads1.kaspersky.ru
10.0.0.5 downloads2.kaspersky.ru
10.0.0.5 downloads3.kaspersky.ru
10.0.0.5 downloads4.kaspersky.ru
10.0.0.5 downloads5.kaspersky.ru
10.0.0.5 eset.com
10.0.0.5 www.eset.com
10.0.0.5 u2.eset.com
10.0.0.5 u3.eset.com
10.0.0.5 u4.eset.com
10.0.0.5 u7.eset.com
10.0.0.5 82.165.250.33
10.0.0.5 82.165.237.14
10.0.0.5 www.nod32.com
10.0.0.5 nod32.com
10.0.0.5 eset.casablanca.cz
10.0.0.5 casablanca.cz
10.0.0.5 customer.symantec.com
10.0.0.5 liveupdate.symantec.com
10.0.0.5 liveupdate.symantecliveupdate.com
10.0.0.5 securityresponse.symantec.com
10.0.0.5 symantec.com
10.0.0.5 update.symantec.com
10.0.0.5 updates.symantec.com
10.0.0.5 www.symantec.com
10.0.0.5 www.norton.com
10.0.0.5 norton.com
10.0.0.5 mast.mcafee.com
10.0.0.5 mcafee.com
10.0.0.5 rads.mcafee.com
10.0.0.5 www.mcafee.com
10.0.0.5 mcafee.com
10.0.0.5 us.mcafee.com
10.0.0.5 dispatch.mcafee.com
10.0.0.5 download.mcafee.com
10.0.0.5 metalhead2005.info
10.0.0.5 my-etrust.com
10.0.0.5 nai.com
10.0.0.5 networkassociates.com
10.0.0.5 secure.nai.com
10.0.0.5 sophos.com
10.0.0.5 trendmicro.com
10.0.0.5 viruslist.com
10.0.0.5 viruslist.com
10.0.0.5 www.ca.com
10.0.0.5 www.f-secure.com
10.0.0.5 www.microsoft.com
10.0.0.5 www.my-etrust.com
10.0.0.5 www.nai.com
10.0.0.5 www.networkassociates.com
10.0.0.5 www.sophos.com
10.0.0.5 www.trendmicro.com
10.0.0.5 www.viruslist.com
10.0.0.5 ca.com
10.0.0.5 d66.myleftnut.info
10.0.0.5 f-secure.com

This is the result of the activity of another malicious program.

Removal instructions

1. Modify the %System%\drivers\etc\hosts file using any standard application (e.g. Notepad). Delete the strings added by the Trojan. The original hosts file has the following contents:

   # Copyright (c) 1993-1999 Microsoft Corp.
   #
   # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
   #
   # This file contains the mappings of IP addresses to host names. Each
   # entry should be kept on an individual line. The IP address should
   # be placed in the first column followed by the corresponding host name.
   # The IP address and the host name should be separated by at least one
   # space.
   #
   # Additionally, comments (such as these) may be inserted on individual
   # lines or following the machine name denoted by a '#' symbol.
   #
   # For example:
   #
   #      102.54.94.97     rhino.acme.com          # source server
   #       38.25.63.10     x.acme.com              # x client host
   
   127.0.0.1       localhost
   

2. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).