English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

Trojan.Win32.Qhost.hc

Detected Jun 11 2006 16:16 GMT
Released Jun 11 2006 16:16 GMT
Published Jun 16 2006 12:31 GMT

Technical Details

This Trojan is a modified Windows %System%\drivers\etc\hosts file, which is used to translate domain names (DNS) to IP addresses. The modified file is 1861 bytes in size. The file is modified in such a way as to prevent the user from viewing the sites listed below.

The following strings are added to the hosts file:

# Win32.Skowor Ransomware Host H4x0r

127.0.0.1 www.antivir.de
127.0.0.1 www.bitdefender.de
127.0.0.1 www.znet.de
127.0.0.1 www.chip.de
127.0.0.1 www.virustotal.com
127.0.0.1 virusscan.jotti.org
127.0.0.1 www.kaspersky.com
127.0.0.1 www.sophos.de
127.0.0.1 www.trojaner-info.de
127.0.0.1 www.trojaner-help.de
127.0.0.1 www.arcabit.com
127.0.0.1 www.avast.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.bitdefender.com
127.0.0.1 www.clamav.net
127.0.0.1 www.drweb.com
127.0.0.1 www.f-prot.com
127.0.0.1 www.google.de
127.0.0.1 www.fortinet.com
127.0.0.1 www.nod32.com
127.0.0.1 www.norman.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.anti-virus.by/en
127.0.0.1 www.symantec.com
127.0.0.1 www.windowsupdate.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.viruslist.com
127.0.0.1 www.avp.com
127.0.0.1 www.zonelabs.com
127.0.0.1 www.heise.de
127.0.0.1 www.antivirus-online.de
127.0.0.1 www.free-av.com
127.0.0.1 www.panda-software.com
127.0.0.1 www.pc-welt.de
127.0.0.1 www.pc-special.net
127.0.0.1 download.freenet.de
127.0.0.1 www.vollversion.de
127.0.0.1 www.das-download-archiv.de
127.0.0.1 www.freeware.de
127.0.0.1 www.antiviruslab.com
127.0.0.1 www.search.yahoo.com
127.0.0.1 www.web.de
127.0.0.1 www.hotmail.com
127.0.0.1 www.hotmail.de
127.0.0.1 www.gmx.net
127.0.0.1 www.spiegel.de
127.0.0.1 www.icq.com
127.0.0.1 www.icq.de
127.0.0.1 www.flirtlife.de
127.0.0.1 www.ffh.de
127.0.0.1 www.lavasoft.de
127.0.0.1 www.de.wikipedia.org
127.0.0.1 www.wikipedia.org
127.0.0.1 www.en.wikipedia.org
127.0.0.1 www.wissen.de
127.0.0.1 www.virus-aktuell.de
127.0.0.1 www.arcor.de
127.0.0.1 www.t-online.de
127.0.0.1 www.t-com.de
127.0.0.1 www.alice-dsl.de
127.0.0.1 www.freenet.de
127.0.0.1 www.1und1.de
127.0.0.1 www.fbi.gov
127.0.0.1 www.polizei.de

This is the result of the activity of another malicious program.


Bookmark and Share
Share
Trojan

This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.


Other versions