McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
Business Home McAfee Labs Threat Intelligence

QHosts-73!hosts

This page shows details and results of our analysis on the malware QHosts-73!hosts

Threat Detail

Malware Type: Trojan

Malware Sub-type: Win32

Discovery Date: 2007-02-05

Next Steps:

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


Minimum DAT

4956 (2007-02-05)

Updated DAT

4956 (2007-02-05)

 Minimum Engine

5.1.00

File Length

335 bytes

 Description Added

2007-02-05

Description Modified

2007-02-26

Malware Proliferation

Characteristics

This is a detection for a modified HOSTS file. This file is normally used by Windows to resolve the IP address for a URL. For performance reasons, Windows first looks in the HOSTS file (which normally exists in C:\WINDOWS\SYSTEM32\DRIVERS\ETC), and if no appropriate entry is found, it will try to use DNS and WINS to resolve the IP address. Many worms and their variants, such as W32/Sdbot.worm and W32/Gaobot.worm are overwriting the HOSTS file with a modified version. The HOSTS file contains a list of URLs and redirects them to 220.101.223.5 and 222.208.183.175. By redirecting all network traffic for these URLs to these IPs,the user is unable to browse to the webpage to certain websites.

Symptoms

Appended HOST file Visiting the websites listed in the HOST file will redirect the web traffic to the broadcast address, making the user unable to reach the following websites:
- game.gooddone.com
- www.hf35133.com
- www.hffw35133.com
- www.233049.com
- www.jiangyumiao.com
- wangyoumk.newsk.cn
- sou2.m369m.com
- sou3.m369m.com
- www.zhengtugames.com

Method of Infection

Trojans do not self-replicate and require manual intervention in order to "spread". User is infected upon executing the attachment.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

 

Variants

United States - English