Win32/AutoRun.Qhost [Threat Name] go to Threat
Win32/AutoRun.Qhost.AD [Threat Variant Name]
|Detection created||May 11, 2010|
|Signature database version||5106|
Win32/AutoRun.Qhost.AD is a worm that prevents access to certain web sites and reroutes traffic to certain IP addresses. It is able to spread via shared folders and removable media.
When executed, the worm copies itself into the following location:
- C:\Windows\scssrr.exe (90213 B)
In order to be executed on every system start, the modifies the following Registry key:
- "winlogon" = "c:\Windows\scssrr.exe"
Spreading on removable media
The worm copies itself to the following location:
The worm creates the following file:
The AUTORUN.INF file contains the path to the malware executable.
Thus, the worm ensures it is started each time infected media is inserted into the computer.
Spreading via shared folders
It tries to copy itself in the following folders on a remote machine:
- \\%hostname%\c$\Document and Settings\All Users\Menú Inicio\Programas\Inicio\
- \\%hostname%\c$\Document and Settings\All Users\Start menu\Programs\Startup\
The following filename is used:
Win32/AutoRun.Qhost.AD is a worm that prevents access to certain web sites and reroutes traffic to certain IP addresses.
The worm modifies the following file:
The worm writes the following entries to the file:
- 126.96.36.199 viabcp.com
- 188.8.131.52 www.viabcp.com
- 184.108.40.206 viabcp.com.pe
- 220.127.116.11 www.viabcp.com.pe
- 18.104.22.168 www.bn.com
- 22.214.171.124 bn.com
- 126.96.36.199 www.bn.com.pe
- 188.8.131.52 bn.com.pe