Threat Descriptions

Trojan:BASH/QHost.WB

Classification

Category :

Malware

Type :

Trojan

Platform :

BASH

Aliases :

Trojan:BASH/QHost.WB, Trojan:BASH/QHost.WB, BASH/QHost.WB, QHost, QHost.WB

Summary

Trojan:BASH/QHost.WB hijacks web traffic by modifying the hosts file.

Removal

Manually correcting the hosts file

  1. Open terminal and change directory to */private/etc/*
    • $cd /private/etc
  2. Use any editor tool you prefer and edit the *hosts* file: $sudo vim hosts . Note: You need root privilege to do this.

    You should see something similar to the following:

    • 91.224.160.26 google.com
    • 91.224.160.26 google.ae
    • 91.224.160.26 google.as[truncated for brevity]
  3. Remove all the entries contain *91.224.160.26* from the hosts file.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Trojan:BASH/QHost.WB poses as a FlashPlayer installer called FlashPlayer.pkg:

Screenshot of Trojan:BASH/QHost.WB masquerading as a FlashPlayer

This trojan is also further discussed in our Labs Weblog post:

Activity

Upon installation, the trojan will hijack and redirect web traffic to Google by adding the following entries to the hosts file:

  • 91.224.160.26 google.com
  • 91.224.160.26 google.ae
  • 91.224.160.26 google.as
  • 91.224.160.26 google.at
  • 91.224.160.26 google.az
  • 91.224.160.26 google.ba
  • 91.224.160.26 google.be
  • 91.224.160.26 google.bg
  • 91.224.160.26 google.bs
  • 91.224.160.26 google.ca
  • 91.224.160.26 google.cd
  • 91.224.160.26 google.com.gh
  • 91.224.160.26 google.com.hk
  • 91.224.160.26 google.com.jm
  • 91.224.160.26 google.com.mx
  • 91.224.160.26 google.com.my
  • 91.224.160.26 google.com.na
  • 91.224.160.26 google.com.nf
  • 91.224.160.26 google.com.ng
  • 91.224.160.26 google.ch
  • 91.224.160.26 google.com.np
  • 91.224.160.26 google.com.pr
  • 91.224.160.26 google.com.qa
  • 91.224.160.26 google.com.sg
  • 91.224.160.26 google.com.tj
  • 91.224.160.26 google.com.tw
  • 91.224.160.26 google.dj
  • 91.224.160.26 google.de
  • 91.224.160.26 google.dk
  • 91.224.160.26 google.dm
  • 91.224.160.26 google.ee
  • 91.224.160.26 google.fi
  • 91.224.160.26 google.fm
  • 91.224.160.26 google.fr
  • 91.224.160.26 google.ge
  • 91.224.160.26 google.gg
  • 91.224.160.26 google.gm
  • 91.224.160.26 google.gr
  • 91.224.160.26 google.ht
  • 91.224.160.26 google.ie
  • 91.224.160.26 google.im
  • 91.224.160.26 google.in
  • 91.224.160.26 google.it
  • 91.224.160.26 google.ki
  • 91.224.160.26 google.la
  • 91.224.160.26 google.li
  • 91.224.160.26 google.lv
  • 91.224.160.26 google.ma
  • 91.224.160.26 google.ms
  • 91.224.160.26 google.mu
  • 91.224.160.26 google.mw
  • 91.224.160.26 google.nl
  • 91.224.160.26 google.no
  • 91.224.160.26 google.nr
  • 91.224.160.26 google.nu
  • 91.224.160.26 google.pl
  • 91.224.160.26 google.pn
  • 91.224.160.26 google.pt
  • 91.224.160.26 google.ro
  • 91.224.160.26 google.ru
  • 91.224.160.26 google.rw
  • 91.224.160.26 google.sc
  • 91.224.160.26 google.se
  • 91.224.160.26 google.sh
  • 91.224.160.26 google.si
  • 91.224.160.26 google.sm
  • 91.224.160.26 google.sn
  • 91.224.160.26 google.st
  • 91.224.160.26 google.tl
  • 91.224.160.26 google.tm
  • 91.224.160.26 google.tt
  • 91.224.160.26 google.us
  • 91.224.160.26 google.vu
  • 91.224.160.26 google.ws
  • 91.224.160.26 google.co.ck
  • 91.224.160.26 google.co.id
  • 91.224.160.26 google.co.il
  • 91.224.160.26 google.co.in
  • 91.224.160.26 google.co.jp
  • 91.224.160.26 google.co.kr
  • 91.224.160.26 google.co.ls
  • 91.224.160.26 google.co.ma
  • 91.224.160.26 google.co.nz
  • 91.224.160.26 google.co.tz
  • 91.224.160.26 google.co.ug
  • 91.224.160.26 google.co.uk
  • 91.224.160.26 google.co.za
  • 91.224.160.26 google.co.zm
  • 91.224.160.26 google.com
  • 91.224.160.26 google.com.af