English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

Trojan.Win32.Qhost.vls

Detected Apr 16 2011 04:11 GMT
Released Apr 16 2011 10:03 GMT
Published Sep 20 2011 14:31 GMT

Technical Details
Payload
Removal instructions

Technical Details

A trojan program that carries out destructive actions on the user's computer. It is a Windows application (PE-EXE file). 6656 bytes. Written in C++.


Payload

The trojan is launched with a string parameter containing a pathway to a certain file. If launching without this parameter, the trojan shuts down without carrying out any actions.

When running, the trojan replaces the "hosts" file:

%System%\drivers\etc\hosts
with a file with a path obtained in the launch parameter. This means that the user may be redirected to certain sites or prevented from accessing certain resources. "Hidden" and "read only" attributes are then established for the "hosts" file. The trojan then deletes the file, the path to which is obtained from the launch parameter, and then shuts down.


Removal instructions

If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete this:

  1. Delete the original trojan file (its location on the infected computer will depend on how the program got onto the computer).
  2. Restore the original "hosts" file content:
    %System%\drivers\etc\hosts
    By default this is the following type of file:
    # (C) Microsoft Corp., 1993-1999
    #
    # It is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings for the IP-addresses to the host names.
    # Each element should be located within a separate string. The IP-address should
    # be located in the first column, followed by the relevant name.
    # The IP-address and name of the host should be separated by at least one space.
    #
    # Moreover, some strings may contain comments
    # (details of the string). These should follow the name of the host and should be separated
    # from it by the '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # client host x
    
    127.0.0.1 localhost
    
  3. Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases (download trial version).


MD5: C97C8022899EBDB959A09630407D350E
SHA1: 90E48846988EB5D058D9B7A9D65AC2929662676D


Bookmark and Share
Share
Trojan

This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.


Other versions

Aliases

Trojan.Win32.Qhost.vls (Kaspersky Lab) is also known as:

  • Trojan: Generic Qhost!bw (McAfee)
  • Troj/Agent-RFQ (Sophos)
  • Generic Trojan (Panda)
  • Win32/Qhost.OHI trojan (Nod32)
  • Trojan.Generic.KDV.186702 (BitDef7)
  • Trojan.Qhost!fMh40+WTrgM (VirusBuster)
  • Win32:Trojan-gen (AVAST)
  • Trojan.Small (Ikarus)
  • Small.CON (AVG)
  • Trojan.Gen (NAV)
  • NseCheckFile2() returned 0x00010018 (Norman)
  • Trojan.Qhost!fMh40+WTrgM (VirusBusterBeta)