Discovered: October 1, 2003
Updated: February 13, 2007 12:08:26 PM
Also Known As: QHosts-1 [McAfee], VBS.QHOSTS [CA], Troj/Qhosts-1 [Sophos], TROJ_QHOSTS.A [Trend], Trojan.BAT.Delude.c [KAV]
Type: Trojan Horse
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Trojan.Qhosts is a Trojan Horse that will modify the TCP/IP settings to point to a different DNS server.
Trojan.Qhosts cannot spread by itself. The user must open an HTML page that contains malicious code, which allows the Trojan to open a viral HTML file on the target computer so that the script can create and run the malicious executable.
Symantec Security Response has received reports that visiting a specific page on www.fortunecity.com caused a popup to be displayed, which redirected the visitor to a different Web page. Being redirected to the Web page appears to have caused the Trojan Horse to be downloaded to a visitor's system, and then executed. Reports also state that the threat exploited the Internet Explorer Object Data Remote Execution vulnerability on several victims' computers to execute itself. Microsoft has released a cumulative
patch for this vulnerability.
Protection
-
Initial Rapid Release version October 2, 2003
-
Latest Rapid Release version October 2, 2008 revision 025
-
Initial Daily Certified version October 2, 2003 revision 002
-
Latest Daily Certified version October 2, 2008 revision 024
-
Initial Weekly Certified release date October 2, 2003
Click for a more detailed description of Rapid Release and Daily Certified virus definitions.
Threat Assessment
Wild
-
Wild Level: Low
-
Number of Infections: More than 1000
-
Number of Sites: More than 10
-
Geographical Distribution: High
-
Threat Containment: Easy
-
Removal: Easy
Damage
Distribution
Writeup By: Douglas Knowles
