How to delete Qhost - Removal tool, fix instructions

Name: Qhost

Aliases: Trj/Qhost.gen, BAT.Qhosts, JS.Qhosts, Win32.Qhosts, QHosts-1, TR/QHosts.Script

Type: Trojan

Size: -

First appeared on: 15.06.2004

Damage: Medium

Brief Description:
Qhost is a generic detection for modifications of the HOSTS file, which is part of the Windows operating system.

The HOSTS file contains lines that Windows consults in order to resolve host names to IP addresses. Windows checks this file before querying other name services such as WINS or DNS.

Some malware, especially some variants of the Gaobot worm, overwrites or appends lines to that file, associating a list of web addresses with the IP address 127.0.0.1 (the local host address). As a result, affected users cannot visit any of the web sites on that list.

These web sites usually belong to various security software vendors, so the affected user is unable to visit those sites, update the antivirus solution, and so on.
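The following added example (not code from the original page or from any vendor) shows how a defender can audit a HOSTS file for the kind of modification described above. It parses HOSTS-style text, ignores comments, and flags every real hostname pinned to a loopback address, plus any hostname redirected to an IP address the analyst has listed as rogue. The sample HOSTS content, the `.test` hostnames and the `192.0.2.x` addresses are constructed for the example; the only real value used is 207.44.220.30, which the technical description on this page names as the redirection target for search engines.

```python
import ipaddress
from typing import FrozenSet, List, Tuple

# Constructed sample HOSTS content (not taken from a real infection). The first
# mapping is the normal Windows default; the remaining lines mimic the entries
# the text describes: security vendor sites pinned to 127.0.0.1 and a search
# engine redirected to a third-party address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.example-av-vendor.test     # constructed entry
127.0.0.1       update.example-av-vendor.test
127.0.0.1       downloads.example-security.test
207.44.220.30   www.example-search.test
192.0.2.10      intranet.corp.test
"""

# Hostnames that a HOSTS file legitimately maps to loopback.
BENIGN_LOOPBACK_NAMES = frozenset({"localhost", "localhost.localdomain", "broadcasthost"})

# Redirection target quoted in the technical description on this page.
KNOWN_REDIRECT_IPS: FrozenSet[str] = frozenset({"207.44.220.30"})


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from HOSTS-file text, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                            # malformed line, not an address
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def find_suspicious_entries(text: str,
                            redirect_ips: FrozenSet[str] = KNOWN_REDIRECT_IPS
                            ) -> List[Tuple[str, str, str]]:
    """Flag HOSTS entries that silently block or redirect a hostname.

    Returns (reason, ip, hostname) triples. Two rules are applied:
      * a hostname other than the benign defaults mapped to a loopback address
        (the site becomes unreachable with no error from the OS), and
      * a hostname mapped to an address on the caller's list of rogue targets.
    """
    flagged = []
    for ip, name in parse_hosts(text):
        if ipaddress.ip_address(ip).is_loopback and name not in BENIGN_LOOPBACK_NAMES:
            flagged.append(("pinned-to-loopback", ip, name))
        elif ip in redirect_ips:
            flagged.append(("redirected", ip, name))
    return flagged


if __name__ == "__main__":
    for reason, ip, name in find_suspicious_entries(SAMPLE_HOSTS):
        print(f"{reason}: {name} -> {ip}")
```

On a live system, read the file from the location named in the Tcpip `DataBasePath` registry value rather than assuming the default directory, since this trojan changes that value as well.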

Visible Symptoms:

Qhost.gen is difficult to recognize, as it does not display any messages or warnings that indicate it has reached a computer.

However, if you are unable to visit certain web sites, which belong to security software vendors, your computer is probably affected by Qhost.gen.

Technical description:

Once the malicious script is executed, the trojan will drop a file called AOLFIX.EXE into the Windows temporary directory. It then creates a batch file that will proceed to execute AOLFIX.EXE and delete it after the execution.

AOLFIX.EXE is a batch file compiled into a Windows binary executable by the "bat2exe" utility. Once run it will check if a file called %windows%\winlog exists. If it does, the trojan does nothing and will exit. If the "winlog" file is not found the trojan tries to modify the following registry keys:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP\
"EnableDNS"="1"
"NameServer"="69.57.146.14,69.57.147.175"
"HostName"="host"
"Domain"="mydomain.com"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
"ProxyEnable"=dword:00000000
"MigrateProxy"=dword:00000000

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
"Use Search Asst"="no"
"Search Page"="http://www.google.com"
"Search Bar"="http://www.google.com/ie"

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL\
""="http://www.google.com/keyword/%%s"
"provider"="gogl"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\
"SearchAssistant"="http://www.google.com/ie"

These settings will make an affected system use the IP addresses 69.57.146.14 and 69.57.147.175 as its DNS servers. They also change the domain name to host.mydomain.com, disable any IE proxy, and set the IE search page to point to www.google.com. These DNS name servers are probably used to redirect name queries to servers run by the trojan's author.

The trojan then checks whether %windows%\system32\drivers\etc\services exists; the presence of the "services" file generally indicates that the trojan is running on Windows 2000 or Windows XP. If it finds this file, it proceeds to modify the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
"DataBasePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,68,00,65,00,6c,00,70,00,00,00

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters
"DataBasePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,68,00,65,00,6c,00,70,00,00,00

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\interfaces\windows
"r0x"="your s0x"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\interfaces\windows
"r0x"="your s0x"

The DataBasePath value is a Unicode (REG_EXPAND_SZ) string that redirects Windows to load the local hosts file from the directory %windows%\help instead of the normal location %windows%\System32\drivers\etc.

The trojan also enumerates every NameServer value found under HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces and HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces, recursively, and modifies each one so that the DNS servers are set to 69.57.146.14 and 69.57.147.175 for every network interface present.
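The two registry changes just described (the redirected DataBasePath and the rewritten NameServer values) can be checked offline from a .reg export. The added example below is not code from the original page; it decodes the hex(2) bytes quoted above into the path they represent and audits a small, constructed set of Tcpip\Parameters values. The DataBasePath bytes and the two DNS server addresses come from this page's technical description; the interface GUIDs and the 192.0.2.53 server are placeholders made up for the example.

```python
from typing import Dict, List

# Default DataBasePath on a Windows 2000/XP system (Windows expands %SystemRoot%).
EXPECTED_DATABASEPATH = r"%SystemRoot%\System32\drivers\etc"

# DNS servers the trojan writes, as listed in the technical description above.
ROGUE_NAMESERVERS = frozenset({"69.57.146.14", "69.57.147.175"})

# Constructed registry fragment, keyed by full value path. The DataBasePath
# bytes are the hex(2) value quoted on this page; the interface GUIDs and the
# second NameServer are placeholders invented for the example.
SAMPLE_REG_VALUES: Dict[str, str] = {
    r"HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DataBasePath":
        "hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,"
        "74,00,25,00,5c,00,68,00,65,00,6c,00,70,00,00,00",
    r"HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{guid-placeholder-a}\NameServer":
        "69.57.146.14,69.57.147.175",
    r"HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{guid-placeholder-b}\NameServer":
        "192.0.2.53",
}


def decode_reg_hex2(value: str) -> str:
    """Decode a .reg 'hex(2):' (REG_EXPAND_SZ) value: comma-separated UTF-16LE bytes."""
    if not value.startswith("hex(2):"):
        raise ValueError("not a hex(2) value")
    body = value[len("hex(2):"):].replace(" ", "").replace("\\\n", "")
    data = bytes(int(b, 16) for b in body.split(",") if b)
    return data.decode("utf-16-le").rstrip("\x00")   # strip the terminating NUL


def audit_tcpip_parameters(values: Dict[str, str]) -> List[str]:
    """Report a redirected DataBasePath and any NameServer pointing at rogue DNS."""
    findings = []
    for path, value in values.items():
        name = path.rsplit("\\", 1)[-1]
        if name == "DataBasePath":
            decoded = decode_reg_hex2(value) if value.startswith("hex(2):") else value
            if decoded.lower() != EXPECTED_DATABASEPATH.lower():
                findings.append(f"DataBasePath redirected to {decoded} ({path})")
        elif name == "NameServer":
            # Windows accepts comma- or space-separated server lists.
            servers = {s for s in value.replace(" ", ",").split(",") if s}
            hits = sorted(servers & ROGUE_NAMESERVERS)
            if hits:
                findings.append(f"NameServer set to rogue DNS {hits} ({path})")
    return findings


if __name__ == "__main__":
    print("decoded DataBasePath:", decode_reg_hex2(SAMPLE_REG_VALUES[
        r"HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DataBasePath"]))
    for finding in audit_tcpip_parameters(SAMPLE_REG_VALUES):
        print(finding)
```

Because the trojan writes both ControlSet001 and ControlSet002, an export of the whole HKLM\SYSTEM\ControlSet00*\Services\Tcpip\Parameters tree should be fed to the audit, not just CurrentControlSet.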

Next the trojan will modify the hosts file located in the %windows% directory so that the domain names of some popular search engines will resolve to the IP address 207.44.220.30.

Propagation:

The Trojan is installed and run if a user visits a web page that exploits a vulnerability in Internet Explorer. A VB script embedded in the web page is run automatically when the page is viewed using Internet Explorer.

Removal tool:

Restore the file HOSTS with the latest backup copy available.

Find the suspicious files:

  • Access the Windows system directory: for Windows 2000/NT computers, the default directory is C:\WINNT\SYSTEM32, and for Windows XP/Me/98/95 computers, the default directory is C:\WINDOWS\SYSTEM.
  • Arrange the files chronologically.
  • Note down the executable files (those with an EXE, COM, PIF, BAT or SCR extension) that have been created or modified over the last fifteen days.
  • Find the entries associated with the automatic execution of the suspicious files in the Windows Registry. These entries are located in the paths below:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices