Win32/AutoRun.Qhost [Threat Name]
Win32/AutoRun.Qhost.AD [Threat Variant Name]
Category | worm |
Size | 90213 B |
Aliases | Trojan.Win32.Llac.acaz (Kaspersky) |
 | VirTool:Win32/Vbcrypt (Microsoft) |
 | Downloader (Symantec) |
Short description
Win32/AutoRun.Qhost.AD is a worm that prevents access to certain web sites and reroutes traffic to certain IP addresses. It is able to spread via shared folders and removable media.
Installation
When executed, the worm copies itself into the following location:
- C:\Windows\scssrr.exe (90213 B)
In order to be executed on every system start, the worm modifies the following Registry key:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "winlogon" = "c:\Windows\scssrr.exe"
Spreading on removable media
The worm copies itself to the following location:
- %removabledrive%\Setup.exe
The worm creates the following file:
- %removabledrive%\autorun.inf
The AUTORUN.INF file contains the path to the malware executable.
Thus, the worm ensures it is started each time infected media is inserted into the computer.
Spreading via shared folders
It tries to copy itself into the following folders on a remote machine:
- \\%hostname%\c$\Document and Settings\All Users\Menú Inicio\Programas\Inicio\
- \\%hostname%\c$\Document and Settings\All Users\Start menu\Programs\Startup\
The following filename is used:
- updater.exe
Other information
The worm modifies the following file:
- C:\Windows\System32\drivers\etc\hosts
The worm writes the following entries to the file:
- 200.108.108.43 viabcp.com
- 200.108.108.43 www.viabcp.com
- 200.108.108.43 viabcp.com.pe
- 200.108.108.43 www.viabcp.com.pe
- 200.108.108.43 www.bn.com
- 200.108.108.43 bn.com
- 200.108.108.43 www.bn.com.pe
- 200.108.108.43 bn.com.pe
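
A defender-side check for the hosts-file changes listed above, as an added example that is not part of the original description: it parses hosts-file text and reports mappings to the redirect address from the list, plus any other entry that pins a name to a public address. The function names, the sample file and its `8.8.8.8` and `*.example` lines are constructed for illustration.

```python
import ipaddress

# Redirect address listed in the description above.
KNOWN_REDIRECT_IPS = {"200.108.108.43"}

# Constructed sample hosts file: benign entries mixed with entries from the list above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example        # local blocklist entry
192.168.1.10    fileserver.corp.example
8.8.8.8         updates.example
200.108.108.43  viabcp.com
200.108.108.43\tWWW.VIABCP.COM  www.bn.com.pe   # tab-separated, two names
not-an-ip       bn.com
"""

def parse_hosts(text):
    """Yield (ip, hostname) for every mapping; comments and bad lines are skipped."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address
        for name in fields[1:]:
            yield ip, name.lower().rstrip(".")

def audit_hosts(text, known_ips=KNOWN_REDIRECT_IPS):
    """Return a list of (ip, hostname, reason) for mappings worth reviewing."""
    known = {ipaddress.ip_address(i) for i in known_ips}
    findings = []
    for ip, name in parse_hosts(text):
        if ip in known:
            findings.append((str(ip), name, "known redirect address"))
        elif ip.is_global:
            # A hosts entry pinning a name to a public address overrides DNS.
            findings.append((str(ip), name, "public address override"))
    return findings

if __name__ == "__main__":
    for ip, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{ip:<16} {name:<20} {reason}")
```

Loopback, unspecified (`0.0.0.0`) and private-range entries are left out of the findings, so ordinary blocklist and intranet mappings do not raise noise.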