Threat behavior
Trojan:Win32/Qhost.CI is a trojan that modifies the hosts file in order to redirect search pages from Yahoo and Google to a specific location.
Payload
Modifies hosts file
When run, Trojan:Win32/Qhost.CI overwrites %system%\drivers\etc\hosts so that visits to Google and Yahoo search pages are redirected to a particular IP address. One variant, observed at the time of publication, added entries mapping each of the following host names to 89.149.249.193:
www.google.com
www.google.de
www.google.fr
www.google.co.uk
www.google.com.br
www.google.it
www.google.es
www.google.co.jp
www.google.com.mx
www.google.ca
www.google.com.au
www.google.nl
www.google.co.za
www.google.be
www.google.gr
www.google.at
www.google.se
www.google.ch
www.google.pt
www.google.dk
www.google.fi
www.google.ie
www.google.no
search.yahoo.com
us.search.yahoo.com
uk.search.yahoo.com
Trojan:Win32/Qhost.CI modifies the Windows Hosts file. The local Hosts file takes precedence over DNS: a name listed in it resolves to the IP address given there, and no DNS query is made. Malicious software may add entries to the Hosts file to redirect specified host names to different IP addresses. Malware often does this to stop users from reaching Web sites associated with particular security-related applications (such as antivirus vendors). In this case, Trojan:Win32/Qhost.CI instead redirects users to malicious versions of the targeted search sites.
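The following is an added example, not code from the original description or from Microsoft, showing how a defender can detect the behaviour described above: it parses Hosts-file text and flags any of the listed search host names that resolve to a remote address. The watched-name set is a subset of the names listed above, the sample Hosts content is constructed for the example (the IP 89.149.249.193 is the one named in the description), and loopback entries are deliberately ignored because mapping a name to 127.0.0.1 is the benign sinkhole pattern used by ad-blocking hosts lists, not the redirect this trojan performs.

```python
"""Detect Hosts-file entries that redirect well-known search host names to a
remote IP address, the behaviour described for Trojan:Win32/Qhost.CI."""
import ipaddress
from typing import Dict, List, Tuple

# Subset of the host names the description lists as redirected.
WATCHED_HOSTS = frozenset({
    "www.google.com", "www.google.de", "www.google.co.uk",
    "search.yahoo.com", "us.search.yahoo.com", "uk.search.yahoo.com",
})

# Constructed sample Hosts content (not a real capture). It mixes the
# default localhost lines, a benign ad-block entry, tab/space separation,
# several names on one line, trailing comments and one malformed line.
SAMPLE_HOSTS = """\
# constructed sample hosts file for the example
127.0.0.1       localhost
::1             localhost
127.0.0.1   ads.example.invalid   # ad-blocker style entry, benign
89.149.249.193  www.google.com
89.149.249.193\twww.google.de www.google.co.uk   # tab-separated, two names
89.149.249.193  search.yahoo.com # trailing comment
not-an-ip       www.google.fr
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (hostname, ip) pairs from Hosts-file text.

    Handles '#' comments (full-line and trailing), tab or space separation
    and multiple host names per line; lines without a valid IP are skipped.
    """
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an IPv4/IPv6 literal, ignore the line
        for name in names:
            entries.append((name.lower(), ip))
    return entries


def suspicious_redirects(text: str) -> Dict[str, str]:
    """Map each watched host name to the remote address it is pinned to.

    Loopback and unspecified addresses are ignored: they block a site
    rather than redirect it, which is not what this trojan does.
    """
    hits: Dict[str, str] = {}
    for name, ip in parse_hosts(text):
        if name not in WATCHED_HOSTS:
            continue
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            continue
        hits[name] = ip
    return hits


if __name__ == "__main__":
    # On a live Windows system, read %SystemRoot%\System32\drivers\etc\hosts
    # instead of SAMPLE_HOSTS.
    for host, ip in sorted(suspicious_redirects(SAMPLE_HOSTS).items()):
        print(f"{host} -> {ip}")
```

The check is intentionally narrow: it only reports names it has been told to watch. A broader sweep would flag any entry whose address is neither loopback nor a locally administered range, then triage the remainder by hand.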
Additional Information
Trojan:Win32/Qhost.CI may use a filename of google.exe, and has been reported to masquerade as a Google Chrome extension.
Analysis by David Wood
Prevention