Trojan.Win32.Qhost.ll
| Alert Level : | Medium |
| Discovered: | May 30 2007 |
| Tag: | Trojans |
| Discoverer and Source: | http://www.kaspersky.com/ |
Malware Behavior and Technical Description
This Trojan is a modified Windows %System%\drivers\etc\hosts file, which is used to map domain names (DNS) to IP addresses. The modified file is 100 bytes in size. The file is modified in such a way as to prevent the user from viewing www.webmoney.ru.
The following strings are added to the hosts file.
127.0.0.1 webmoney.ru 127.0.0.1 www.webmoney.ru
The modifications mean that requests sent to the servers listed above will be blocked.
This is the result of the activity of another malicious program.
Removal instructions0
Removal Trojan.Win32.Qhost.ll instructions:
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Modify the %System%\drivers\etc\hosts file using any standard
application (e.g. Notepad). Delete the strings added by the Trojan. The original
hosts file has the following contents:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#Need help? Live computer support via remote at SupportSpace.Help with printer problems, windows, hardware, software, spyware removal and more. - Go Now!
