Overview
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
|
Minimum DAT
4533 (2005-07-12) Updated DAT4806 (2006-07-13) |
Minimum Engine
5.1.00 File Length1,631 |
Description Added
2005-07-12 Description Modified2007-02-16 |
Malware Proliferation
Characteristics
This file is normally used by Windows to resolve the IP address for a URL. For performance reasons, Windows first looks in the HOSTS file (which normally exists in C:\WINDOWS\SYSTEM32\DRIVERS\ETC), and if no appropriate entry is found, it will try to use DNS and WINS to resolve the IP address.
Many worms and their variants, such as W32/Sdbot.worm and W32/Gaobot.worm are overwriting the HOSTS file with a modified version. The HOSTS file contains a list of URLs and redirects them to 255.255.255.255, which is a broadcast address.
By redirecting all network traffic for these URLs to the 255.255.255.255 broadcast address, the user is unable to browse to the webpage to certain websites. The list of URLs are specific for Anti-virus vendors domain address, many of them used to updade the anti-virus. In this way the user will be unable to update the Anti-Virus database.
Symptoms
Method of Infection
Trojans do not self-replicate and require manual intervention in order to "spread". User is infected upon executing the attachment.
Removal
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
Variants