TrendLabs Malware Blog
Glossary
TrendWatch
TrendLabs Twitter
TROJ_QHOST.L
Overview
Solution

Malware type: Trojan

Aliases: Trojan.DOS.Qhost.c (Kaspersky), PWS-Banker.t (McAfee), Trojan.Qhosts (Symantec), TR/Qhost.C (Avira),

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

 Low

Distribution potential:

 Low

Description: 

Upon execution, this Trojan checks for the presence of the HOSTS file in the following folders:

  • C:\Windows\
  • C:\Windows\system32\drivers\etc\
  • C:\Windows\system32\etc\
  • C:\WINNT\system32\drivers\etc\

Once found, it adds the entry 209.134.25.179 officebanking.bradesco.com.br to the HOSTS file.

The HOSTS file contains the mappings of IP addresses to host names. The line added above means that whenever a user tries to access the Web site officebanking.bradesco.com.br, he or she is instead redirected to the IP address 209.134.25.179, which is not the valid IP address of the Brazilian banking site.

For additional information about this threat, see:
Solution
Technical Details

Description created: Jun. 7, 2005 4:04:23 PM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.