TREND MICRO - Security Information - TROJ_QHOSTS.A

TROJ_QHOSTS.A

Overview

Virus Type: Trojan
Destructive: No
Aliases: QHOSTS-1, QHOSTS-1.DR
Pattern file needed: 643
Scan engine needed: 5.600
Overall risk rating: Low
Reported infections: Low
Damage Potential: Low
Distribution Potential: Medium

Description:

This Trojan is hosted on several malicious Web sites, which use the Object Data Remote Execution Vulnerability to drop and execute this malware on the affected host. It also modifies the Domain Name System (DNS) settings to point to a specific IP address, so requests for ordinary Web pages are redirected to a Web site specified by the Trojan. This malware is packed using UPX and runs on Windows 95, 98, ME, NT, 2000 and XP.
Solution:

Removing Malware Entries from the Registry

Removing these entries from the registry prevents the malware from performing its DNS redirection.

1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
   HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>Main
   Use Search Asst="no"
3. Select and delete the above registry entry.
4. Repeat the same deletion process for the following registry entries:
   - HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>Main
     Search Bar="http://www.google.com/ie"
   - HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>SearchUrl
     @=http://www.google.com/keyword/%s
   - HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Internet Settings
     MigrateProxy=0
   - HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>Main
     Search Page=http://www.google.com
   - HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>SearchUrl
     Provider="gogl"
   - HKEY_LOCAL_MACHINE>Software>Microsoft>Internet Explorer>Search
     SearchAssistant=http://www.google.com/ie
   - HKEY_LOCAL_MACHINE>System>CurrentControlSet>Services>VxD>MSTCP
     HostName="host"
   - HKEY_LOCAL_MACHINE>System>CurrentControlSet>Services>VxD>MSTCP
     Domain="mydomain.com"
   - HKEY_LOCAL_MACHINE>System>CurrentControlSet>Services>VxD>MSTCP
     NameServer="69.57.146.14,69.57.147.175"
   - HKEY_LOCAL_MACHINE>System>ControlSet001>Services>Tcpip>Parameters
     DataBasePath=25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,68,00,65,00,6c,00,70,00,00,00 (HEX)
   - HKEY_LOCAL_MACHINE>System>ControlSet002>Services>Tcpip>Parameters
     DataBasePath=25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,68,00,65,00,6c,00,70,00,00,00 (HEX)
   - HKEY_LOCAL_MACHINE>System>ControlSet001>Services>Tcpip>Parameters>interfaces>windows
     r0x="your s0x"
   - HKEY_LOCAL_MACHINE>System>ControlSet002>Services>Tcpip>Parameters>interfaces>windows
     r0x="your s0x"
5. Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

Additional Windows ME/XP Cleaning Instructions

Running TREND MICRO Antivirus

Scan your system with TREND MICRO antivirus and delete all files detected as TROJ_QHOSTS.A. To do this, TREND MICRO customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, TREND MICRO's free online virus scanner.

Locating a Malware File

On Windows 9x/NT:
1. Click Start>Find>Files and Folders.
2. In the Named input box, type:
   HOSTS
   WINLOG
   C:\bdtmp\
3. In the Look In drop-down list, select the drive which contains Windows, then press Enter.

On Windows 2000/ME/XP:
1. Click Start>Search>For Files and Folders.
2. In the "Search for files and folders named" input box, type:
   HOSTS
   WINLOG
   C:\bdtmp\
3. In the Look In drop-down list, select the drive which contains Windows, then press Enter.

Applying Patches

This malware exploits the Object Data Remote Execution Vulnerability, a known vulnerability. Download and install the fix patch supplied by Microsoft. Refrain from using this product until the appropriate patch has been installed.

Copyright 1989-2002 Trend Micro, Inc. All rights reserved.
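The DataBasePath and NameServer entries in the removal procedure above are the ones that carry out the DNS redirection: DataBasePath moves the directory Windows reads HOSTS from, and NameServer replaces the resolvers. The following Python check, added here as an example and not part of Trend Micro's entry, decodes the hex DataBasePath value exactly as printed above and compares exported registry values against the indicators on this page. It takes a constructed dictionary of values; reading them from a live registry with winreg is assumed and not shown.

```python
"""Check exported TCP/IP registry values against the TROJ_QHOSTS.A indicators.
Added example, not Trend Micro code; on a live host the values would be read via
winreg (assumption, not shown)."""
from typing import Dict, List, Tuple

# DataBasePath exactly as printed in the removal instructions (REGEDIT hex dump).
DATABASEPATH_HEX = (
    "25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,"
    "6f,00,6f,00,74,00,25,00,5c,00,68,00,65,00,6c,00,70,00,00,00"
)
# Default directory Windows reads HOSTS from; any other value deserves a look.
DEFAULT_DATABASEPATH = r"%SystemRoot%\System32\drivers\etc"
# Name servers the entry says the Trojan writes into MSTCP\NameServer.
QHOSTS_NAMESERVERS = {"69.57.146.14", "69.57.147.175"}

def decode_reg_hex(hex_csv: str) -> str:
    """Turn a REGEDIT-style 'xx,xx,...' dump into the UTF-16LE string it encodes."""
    raw = bytes(int(b, 16) for b in hex_csv.replace(" ", "").split(","))
    return raw.decode("utf-16-le").rstrip("\x00")

def check_databasepath(hex_csv: str) -> Tuple[bool, str]:
    """Return (redirected, decoded path); True means HOSTS is not read from the default dir."""
    path = decode_reg_hex(hex_csv)
    return path.lower() != DEFAULT_DATABASEPATH.lower(), path

def check_nameserver(value: str) -> List[str]:
    """Return the configured name servers (comma or space separated) that match the Trojan's."""
    servers = [s for s in value.replace(" ", ",").split(",") if s]
    return [s for s in servers if s in QHOSTS_NAMESERVERS]

def assess(values: Dict[str, str]) -> List[str]:
    """Produce readable findings for the values that indicate DNS redirection."""
    findings: List[str] = []
    if "DataBasePath" in values:
        moved, path = check_databasepath(values["DataBasePath"])
        if moved:
            findings.append(f"HOSTS lookups redirected to {path}")
    hits = check_nameserver(values.get("NameServer", ""))
    if hits:
        findings.append("NameServer points at " + ", ".join(hits))
    return findings

# Constructed sample: what an infected host's export would contain per this entry.
SAMPLE_EXPORT = {"DataBasePath": DATABASEPATH_HEX,
                 "NameServer": "69.57.146.14,69.57.147.175"}

if __name__ == "__main__":
    for line in assess(SAMPLE_EXPORT):
        print(line)
```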