Threat Descriptions

Trojan:W32/Qhost.IT

Classification

Category :

Malware

Type :

Trojan

Platform :

W32

Aliases :

Trojan:W32/Qhost.IT, Trojan:W32/Qhost.IT

Summary

Trojan:W32/Qhost.IT stops antivirus products from updating by modifying the %windir%\system32\drivers\etc\HOSTS file.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

This trojan modifies the HOSTS file to prevent access to antivirus related sites and services.It Creates the following file:

  • %windir%\system32\iklvb.dll - Trojan.Win32.Qhost.it

It creates the following registry keys as its autostart-mechanism:

  • HKLM\SOFTWARE\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B60787}
  • HKLM\SOFTWARE\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B60787}\InProcServer32 (default) = C:\WINDOWS\system32\iklvb.dll
  • HKLM\SOFTWARE\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B60787}\InProcServer32 ThreadingModel = Apartment
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler {2C1CD3D7-86AC-4068-93BC-A02304B60787} = DCOM Server 60787
  • HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad DCOM Server 60787 = {2C1CD3D7-86AC-4068-93BC-A02304B60787}

It modifies the HOSTS file to prevent antivirus products from receiving updates. It points the update site to localhost. Access to the following sites is blocked:

  • avp.com
  • ca.com
  • customer.symantec.com
  • dispatch.mcafee.com
  • download.mcafee.com
  • downloads1.kaspersky-labs.com
  • downloads2.kaspersky-labs.com
  • downloads3.kaspersky-labs.com
  • downloads4.kaspersky-labs.com
  • liveupdate.symantec.com
  • liveupdate.symantecliveupdate.com
  • mast.mcafee.com
  • networkassociates.com
  • rads.mcafee.com
  • secure.nai.com
  • securityresponse.symantec.com
  • sophos.com
  • updates.symantec.com
  • us.mcafee.com
  • viruslist.com
  • www.avp.com
  • www.ca.com
  • www.f-secure.com
  • www.kaspersky.com
  • www.mcafee.com
  • www.my-etrust.com
  • www.nai.com
  • www.networkassociates.com
  • www.sophos.com
  • www.symantec.com
  • www.trendmicro.com
  • www.viruslist.com