Win32/AutoRun.Qhost [Threat Name]

Win32/AutoRun.Qhost.AD [Threat Variant Name]

Category worm
Size 90213 B
Aliases Trojan.Win32.Llac.acaz (Kaspersky)
  VirTool:Win32/Vbcrypt (Microsoft)
  Downloader (Symantec)
Short description

Win32/AutoRun.Qhost.AD is a worm that prevents access to certain web sites and reroutes traffic to certain IP addresses. It is able to spread via shared folders and removable media.

Installation

When executed, the worm copies itself into the following location:

  • C:\Windows\scssrr.exe (90213 B)

In order to be executed on every system start, the worm modifies the following Registry key:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "winlogon" = "c:\Windows\scssrr.exe"

Spreading on removable media

The worm copies itself to the following location:

  • %removabledrive%\Setup.exe

The worm creates the following file:

  • %removabledrive%\autorun.inf

The AUTORUN.INF file contains the path to the malware executable.

Thus, the worm ensures it is started each time infected media is inserted into the computer.

Spreading via shared folders

It tries to copy itself in the following folders on a remote machine:

  • \\%hostname%\c$\Document and Settings\All Users\Menú Inicio\Programas\Inicio\
  • \\%hostname%\c$\Document and Settings\All Users\Start menu\Programs\Startup\

The following filename is used:

  • updater.exe

Other information

Win32/AutoRun.Qhost.AD is a worm that prevents access to certain web sites and reroutes traffic to certain IP addresses.

The worm modifies the following file:

  • C:\Windows\System32\drivers\etc\hosts

The worm writes the following entries to the file:

  • 200.108.108.43 viabcp.com
  • 200.108.108.43 www.viabcp.com
  • 200.108.108.43 viabcp.com.pe
  • 200.108.108.43 www.viabcp.com.pe
  • 200.108.108.43 www.bn.com
  • 200.108.108.43 bn.com
  • 200.108.108.43 www.bn.com.pe
  • 200.108.108.43 bn.com.pe
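As an added defender-side example (not part of the ESET description), the following Python script parses a hosts file and flags the kind of entries listed above: any name mapped to 200.108.108.43, and any of the listed bank domains pinned to a non-loopback address, whatever the IP. The sample hosts content is constructed for the demonstration.

```python
import ipaddress

# Indicators taken from the threat description: the IP the worm writes into
# the hosts file and the bank domains it redirects.
HIJACK_IP = "200.108.108.43"
TARGET_DOMAINS = {
    "viabcp.com", "www.viabcp.com", "viabcp.com.pe", "www.viabcp.com.pe",
    "www.bn.com", "bn.com", "www.bn.com.pe", "bn.com.pe",
}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every active hosts-file mapping.
    Comments (#) and blank lines are skipped; one line may list several names."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed first field, not a mapping
        for name in fields[1:]:
            yield str(ip), name.lower(), line_no


def find_hijacks(text):
    """Return suspicious entries as (line_no, ip, hostname, reason) tuples."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if ip == HIJACK_IP:
            findings.append((line_no, ip, name, "maps to known Qhost.AD IP"))
        elif name in TARGET_DOMAINS and not ipaddress.ip_address(ip).is_loopback:
            # A bank domain pinned to any non-loopback address is pharming,
            # even if the attacker rotates the destination IP.
            findings.append((line_no, ip, name, "bank domain pinned to non-loopback address"))
    return findings


# Constructed sample hosts file: stock Windows lines plus entries of the kind described.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0  ads.example.invalid   # benign blocklist entry
200.108.108.43 viabcp.com
200.108.108.43 www.viabcp.com www.bn.com.pe
10.0.0.5 bn.com.pe
"""

if __name__ == "__main__":
    for line_no, ip, name, reason in find_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {ip} {name} ({reason})")
```

On a live system, feed the script the contents of C:\Windows\System32\drivers\etc\hosts; an empty result means none of these indicators is present.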
