Win32/Qhost.Banker [Threat Name]

Win32/Qhost.Banker.PW [Threat Variant Name]

Category trojan
Size 81408 B
Detection created Nov 27, 2016
Detection database version 14514
Aliases Trojan-Downloader.Win32.Betload.aaa (Kaspersky)
  Trojan.Hosts.40077 (Dr.Web)
Short description

Win32/Qhost.Banker.PW is a trojan that prevents access to certain web sites and reroutes traffic to certain IP addresses.

Installation

When executed, the trojan creates the following folder:

  • %temp%\%variable1%.tmp\

The following file is dropped in the same folder:

  • %variable2%.bat (1423 B, Win32/Qhost.Banker.PW trojan)

The file is then executed.


A string with variable content is used instead of %variable1-2%.


The trojan may create the following file:

  • %temp%\getadmin.vbs

The file is then executed.

Other information


The trojan modifies the following file:

  • %system%\drivers\etc\hosts

The trojan writes the following entries to the file:

  • 188.68.224.42 pekao24.pl
  • 188.68.224.42 www.pekao24.pl
  • 188.68.240.87 mbank.pl
  • 188.68.240.87 www.mbank.pl

The trojan executes the following commands:

  • ipconfig /release
  • ipconfig /dnsflush
  • ipconfig /renew
