Troj/QHosts-BD

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 16 Feb 2013 05:33:52 (GMT)
Last Updated: 16 Feb 2013 05:33:52 (GMT)

Examples of Troj/QHosts-BD include:

Example 1

File Information

Size
181K
SHA-1
1cc948ca39e13b48e9c4fbc6e8824c51218f00c0
MD5
4852bc9f12a0d9d4125ca3f91d93647b
CRC-32
86988def
File type
Windows executable
First seen
2012-12-05

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Recent\obsikatel.vbs.lnk
    Size
    752
    SHA-1
    f71305cb06d465417d495da15c4b7a69a8792ad6
    MD5
    2701004b764bd719393b87d277e0290b
    CRC-32
    8d97abbc
    File type
    Windows Shortcut file (.LNK)
    First seen
    2013-02-15
  • C:\WINDOWS\system32\drivers\etc\hosts
    Size
    1.1K
    SHA-1
    af48a9321af93d9b237b2089117be4280658422c
    MD5
    542c991a24c7d40587891e9a8942545d
    CRC-32
    35663ae7
    File type
    ASCII text / 8-bit Unicode Transformation Format
    First seen
    2012-12-03
  • C:\Program Files\wind\unpack\kols.txt
  • C:\Program Files\wind\unpack\rkkkas.txt
    Size
    1
    SHA-1
    77ac341feebeb7c0a7ff8f9c6540531500693bac
    MD5
    fc1262746424402278e88f6c1f02f581
    CRC-32
    95b020f2
    File type
    application/octet-stream
    First seen
    2011-07-24
  • C:\Program Files\wind\unpack\zaseratel.bat
    Size
    3.7K
    SHA-1
    e23b2ed18f8b8ad6dcd851846a9cabc7c759843f
    MD5
    578f71aa0e0b696d32e1ce1e373bcb7a
    CRC-32
    eab7b467
    File type
    ASCII text / 8-bit Unicode Transformation Format
    First seen
    2012-12-07
  • C:\Program Files\wind\unpack\govnoklader.vbs
    Size
    804
    SHA-1
    d19663e45c4f57d9fa50fce5f377bdbdd5ceabb4
    MD5
    789569a4e211ccc634806d6a61104e1a
    CRC-32
    5c8eb55e
    File type
    Visual Basic Script
    First seen
    2012-12-07
  • c:\Documents and Settings\test user\Recent\unpack.lnk
  • C:\Program Files\wind\unpack\obsikatel.vbs
    Size
    467
    SHA-1
    f130e8e5fca8713887d345e903497ea611451ed7
    MD5
    b7ce5d1feda8e5990b8bbffc8b553ae2
    CRC-32
    4f4cda45
    File type
    Visual Basic Script
    First seen
    2012-12-07
Modified Files
  • %SYSTEM%\drivers\etc\hosts
    • Changed the file contents
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021520130216
    CacheRepair
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.vbs
    MRUListEx
    (binary value; not printable in this listing)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithList
    MRUList
    a
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder
    3
    (binary value; not printable in this listing)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
    7
    (binary value; not printable in this listing)
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
    MRUListEx
    07 00 00 00 06 00 00 00 05 00 00 00 04 00 00 00 03 00 00 00 02 00 00 00 01 00 00 00 00 00 00 00 ff ff ff ff
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder
    MRUListEx
    03 00 00 00 02 00 00 00 01 00 00 00 00 00 00 00 ff ff ff ff
Processes Created
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\wscript.exe
IP Connections
  • 94.249.188.143:9007

Example 2

File Information

File type
Windows executable

Runtime Analysis

Dropped Files
  • C:\Program Files\fj\go\bat.bat
    Size
    2.9K
    SHA-1
    355cc3865e4729c9b2e3d19bba3077949d541b72
    MD5
    acbbaf77ae019062dbfff9d07608dc51
    CRC-32
    4705cdff
    File type
    ASCII text / 8-bit Unicode Transformation Format
    First seen
    2013-02-15
  • C:\Program Files\fj\go\zbs.txt
  • C:\WINDOWS\system32\drivers\etc\hosts
    Size
    1.1K
    SHA-1
    0132ac9e6c55811b6e404fcab2b2e6e9dd37f787
    MD5
    28894bed13461e5ec1bc1ad8fef6ffd7
    CRC-32
    f7c19d64
    File type
    ASCII text / 8-bit Unicode Transformation Format
    First seen
    2013-02-15
  • C:\Program Files\fj\go\1.txt
    Size
    11
    SHA-1
    4c1ffe1d439a942fb0b1dd3da96c992d45db8e96
    MD5
    bfcf13d461e13e31703a5cfe0ac76766
    CRC-32
    9ed5f04b
    File type
    Windows Codepage 1252
    First seen
    2012-12-19
  • c:\Documents and Settings\test user\Recent\go.lnk
  • c:\Documents and Settings\test user\Recent\test30.vbs.lnk
    Size
    687
    SHA-1
    d0c9109238176d7475bfceba710bbee590ec068e
    MD5
    e0fa576b622f068aca50dcd5bfd60e09
    CRC-32
    8918b850
    File type
    Windows Shortcut file (.LNK)
    First seen
    2013-02-15
  • C:\Program Files\fj\go\test30.vbs
    Size
    474
    SHA-1
    ef11261ee478d8165c6e9a4b501422abab79209c
    MD5
    cb8ada86eee07ed6b7a599a0cf676c6a
    CRC-32
    37e8c94b
    File type
    Visual Basic Script
    First seen
    2013-02-15
  • c:\Documents and Settings\test user\Recent\test40.vbs.lnk
    Size
    687
    SHA-1
    1e050d027f152305223e2adebf7c0bfec8bad57f
    MD5
    0bca816424e877935761bc5913020079
    CRC-32
    889e7201
    File type
    Windows Shortcut file (.LNK)
    First seen
    2013-02-15
  • C:\Program Files\fj\go\test40.vbs
    Size
    756
    SHA-1
    2e3fc040f96cf52ec96e681cd559dd75ba6bf581
    MD5
    3c5c21ae379cb43aacbd602d978485ca
    CRC-32
    d0ff62f0
    File type
    Visual Basic Script
    First seen
    2013-02-15
Modified Files
  • %SYSTEM%\drivers\etc\hosts
    • Changed the file contents
    • Set the hidden flag
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.vbs
    1
    (binary value; not printable in this listing)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
    8
    (binary value; not printable in this listing)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithList
    MRUList
    a
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder
    4
    (binary value; not printable in this listing)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021520130216
    CacheRepair
    0x00000000
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
    MRUListEx
    07 00 00 00 08 00 00 00 06 00 00 00 05 00 00 00 04 00 00 00 03 00 00 00 02 00 00 00 01 00 00 00 00 00 00 00 ff ff ff ff
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder
    MRUListEx
    04 00 00 00 02 00 00 00 01 00 00 00 00 00 00 00 ff ff ff ff
Processes Created
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\wscript.exe
IP Connections
  • 94.249.188.163:3388

Example 3

File Information

Size
164K
SHA-1
4065dfeb2bc1b3599b1ab62244ebb1b16dedcd5f
MD5
63a5868e60b94ab9d7c69175ba0161c0
CRC-32
31d5b237
File type
Windows executable
First seen
2012-12-13

Runtime Analysis

Dropped Files
  • C:\Program Files\runme\runme\ds.txt
    Size
    5
    SHA-1
    1b26a284d8ef8a7efcdcfac5a97ba4e5a418deed
    MD5
    3b6cbd1b56c95293718b744dff2e1d08
    CRC-32
    1ba3d223
    File type
    ASCII text / 8-bit Unicode Transformation Format
    First seen
    2010-09-08
  • C:\Program Files\runme\runme\d123123123t.vbs
    Size
    419
    SHA-1
    d4476b11f8d7bb8049c87428f5c5b8e64c1f8639
    MD5
    ff2e7f43e89785c2861d2f647e557ad8
    CRC-32
    e5484736
    File type
    Visual Basic Script
    First seen
    2012-12-12
  • C:\Program Files\runme\runme\pj.txt
    Size
    1
    SHA-1
    77ac341feebeb7c0a7ff8f9c6540531500693bac
    MD5
    fc1262746424402278e88f6c1f02f581
    CRC-32
    95b020f2
    File type
    application/octet-stream
    First seen
    2011-07-24
  • C:\Program Files\runme\runme\posa_n4eg.bat
    Size
    3.7K
    SHA-1
    353812920499c31c5a5d4ac69c1679e58b53199b
    MD5
    f631c3fa00d63bf32d77153fe4c09325
    CRC-32
    f47791a2
    File type
    ASCII text / 8-bit Unicode Transformation Format
    First seen
    2012-12-18
  • C:\WINDOWS\system32\drivers\etc\hosts
    Size
    1.1K
    SHA-1
    6dbbecd6a86757b9035501173d35d18195085717
    MD5
    c956ef7be92277199997fdd9cc66d1e2
    CRC-32
    4cf424ef
    File type
    ASCII text / 8-bit Unicode Transformation Format
    First seen
    2013-02-15
  • c:\Documents and Settings\test user\Recent\e435345345az.vbs.lnk
    Size
    769
    SHA-1
    5ef3659b90c918668740d831f8260cc14d2faeae
    MD5
    b414c01e8538ef15954a29f2d3385044
    CRC-32
    94d082c5
    File type
    Windows Shortcut file (.LNK)
    First seen
    2013-02-15
  • C:\Program Files\runme\runme\e435345345az.vbs
    Size
    589
    SHA-1
    ad12d7eba1d24ee6dfc7c6651e37863b90a4268e
    MD5
    05e772ecbd3974f6f218c63df74eed01
    CRC-32
    fbcfec67
    File type
    Visual Basic Script
    First seen
    2013-02-15
  • c:\Documents and Settings\test user\Recent\d123123123t.vbs.lnk
    Size
    762
    SHA-1
    fe78be2804ebfc3a793506c0a3f88f5e9af9056e
    MD5
    aac2f9d5c9f6b996bc9cfba3db9b03c9
    CRC-32
    c1936777
    File type
    Windows Shortcut file (.LNK)
    First seen
    2013-02-15
  • c:\Documents and Settings\test user\Recent\runme.lnk
Modified Files
  • %SYSTEM%\drivers\etc\hosts
    • Changed the file contents
    • Set the hidden and archive flags
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.vbs
    1
    (binary value; not printable in this listing)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021520130216
    CacheRepair
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithList
    MRUList
    a
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
    8
    (binary value; not printable in this listing)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder
    4
    (binary value; not printable in this listing)
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder
    MRUListEx
    04 00 00 00 02 00 00 00 01 00 00 00 00 00 00 00 ff ff ff ff
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
    MRUListEx
    07 00 00 00 08 00 00 00 06 00 00 00 05 00 00 00 04 00 00 00 03 00 00 00 02 00 00 00 01 00 00 00 00 00 00 00 ff ff ff ff
Processes Created
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\wscript.exe
IP Connections
  • 46.166.165.108:12121