
Virus Detail

VBS.QHOSTS

Date Published:
1 Oct 2003

Last Updated:
21 Aug 2006

Threat Assessment

Overall Risk:   Low
Wild:  Low
Destructiveness:  Medium
Pervasiveness:  None

Characteristics

Type : Trojan

Category : Win32

Also known as:  JS.Qhosts, BAT.Qhosts, QHosts-1 (McAfee)

Immediate Protection Info

Signature      Product                                        Removal Instructions
23.62.59       eTrust Antivirus v7/8* (InoculateIT Engine)
6.0/4942       eTrust EZ Antivirus 6.1x
23.62.59       eTrust InoculateIT 6.0
23.62.59       eTrust Antivirus 6.0
44.59          Inoculan/InoculateIT 4.x
10.5x/4942     Vet Anti-Virus 10.5x
10.61.4942     Vet Anti-Virus 10.6x

Description

VBS.Qhosts is a trojan that redirects Internet domain names, mainly to intercept queries to search engine web pages such as www.google.com.

The trojan is loaded from a web page that exploits a vulnerability in Microsoft Internet Explorer to run script outside the browser's normal security-zone restrictions, with full access to the local system. The vulnerability is addressed in the following Microsoft security bulletin and its associated cumulative patch:

http://www.microsoft.com/technet/security/bulletin/MS03-040.asp

Once the malicious script is executed, the trojan drops a file called AOLFIX.EXE into the Windows temporary directory. It then creates a batch file that executes AOLFIX.EXE and deletes it afterwards.

AOLFIX.EXE is a batch file compiled into a Windows binary executable by the "bat2exe" utility. Once run, it checks whether a file called %windows%\winlog exists. If it does, the trojan does nothing and exits. If the "winlog" file is not found, the trojan modifies the following registry keys (the VxD\MSTCP key is where Windows 9x/Me stores its TCP/IP settings):

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP\
"EnableDNS"="1"
"NameServer"="69.57.146.14,69.57.147.175"
"HostName"="host"
"Domain"="mydomain.com"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
"ProxyEnable"=dword:00000000
"MigrateProxy"=dword:00000000

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
"Use Search Asst"="no"
"Search Page"="http://www.google.com"
"Search Bar"="http://www.google.com/ie"

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL\
""="http://www.google.com/keyword/%%s"
"provider"="gogl"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\
"SearchAssistant"="http://www.google.com/ie"

These settings make an affected system use 69.57.146.14 and 69.57.147.175 as its DNS servers. They also set the host and domain name to host.mydomain.com, disable any IE proxy (a proxy would otherwise resolve names on the user's behalf and bypass the local settings), and point the IE search page and search assistant at www.google.com, one of the names the trojan goes on to hijack. The DNS name servers are probably run by the trojan's author and used to redirect name queries.

The trojan then checks whether %windows%\system32\drivers\etc\services exists. The presence of the "services" file generally indicates that the trojan is dealing with Windows 2000 or Windows XP, where the TCP/IP database files live in that directory. If it finds the file, it modifies the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
"DataBasePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,68,00,65,00,6c,00,70,00,00,00

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters
"DataBasePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,68,00,65,00,6c,00,70,00,00,00

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\interfaces\windows
"r0x"="your s0x"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\interfaces\windows
"r0x"="your s0x"

The DataBasePath value is a REG_EXPAND_SZ (hex(2)) string; decoded from UTF-16LE it reads %SystemRoot%\help. This redirects Windows to load the local hosts file from the directory %windows%\help instead of the normal location %windows%\System32\drivers\etc. Note that the trojan writes the value into both ControlSet001 and ControlSet002 directly rather than through CurrentControlSet, so a hosts file in drivers\etc that looks clean is not evidence that name resolution is untouched.
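Decoding the hex(2) value above, as an added example that is not part of the original advisory: the function below converts a .reg-style REG_EXPAND_SZ byte list to text and compares it with the default DataBasePath. The hex string is copied from the registry data above, DEFAULT_DATABASEPATH is the documented Windows default, and the function names are this example's own.

```python
"""Decode a .reg-style hex(2) (REG_EXPAND_SZ) value and check whether the
Tcpip DataBasePath has been pointed away from its default location.

Added example; not part of the original advisory."""

# Documented Windows default for HKLM\SYSTEM\...\Tcpip\Parameters\DataBasePath
DEFAULT_DATABASEPATH = r"%SystemRoot%\System32\drivers\etc"

# Value as it appears in the advisory (REG_EXPAND_SZ: UTF-16LE, NUL-terminated)
QHOSTS_DATABASEPATH = (
    "25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,"
    "25,00,5c,00,68,00,65,00,6c,00,70,00,00,00"
)


def decode_reg_expand_sz(hex_bytes: str) -> str:
    """Turn the comma-separated byte list of a hex(2) .reg value into text.

    .reg exports may wrap long values with a trailing backslash and indent the
    continuation line, so backslashes and whitespace are tolerated. The data
    is UTF-16LE with a trailing NUL, which is stripped.
    """
    raw = bytes(
        int(b, 16)
        for b in hex_bytes.replace("\\", "").split(",")
        if b.strip()
    )
    return raw.decode("utf-16-le").rstrip("\x00")


def databasepath_is_hijacked(value: str) -> bool:
    """True when DataBasePath does not name the default drivers\\etc directory.

    Comparison is case-insensitive and ignores a trailing backslash;
    %SystemRoot% is left unexpanded so the check works on an offline hive.
    """
    return value.strip().rstrip("\\").lower() != DEFAULT_DATABASEPATH.lower()


if __name__ == "__main__":
    path = decode_reg_expand_sz(QHOSTS_DATABASEPATH)
    state = "hijacked" if databasepath_is_hijacked(path) else "default"
    print(f"DataBasePath = {path!r} ({state})")
```

The same decoder works for any hex(2) value exported with reg.exe or regedit, so it can be run over a full export of the Tcpip\Parameters key from each control set rather than only the active one.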

The trojan also recursively enumerates every NameServer value found under HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces and HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces and sets each one to 69.57.146.14,69.57.147.175, so that the rogue DNS servers are applied to every network interface present, not only the global setting.

Next the trojan modifies the hosts file located in the %windows% directory so that the domain names of a number of popular search engines resolve to the IP address 207.44.220.30.

The domain names are as follows:

www.google.akadns.net
www.google.com
google.com
www.altavista.com
altavista.com
search.yahoo.com
uk.search.yahoo.com
ca.search.yahoo.com
jp.search.yahoo.com
au.search.yahoo.com
de.search.yahoo.com
search.yahoo.co.jp
www.lycos.de
www.lycos.ca
www.lycos.jp
www.lycos.co.jp
alltheweb.com
web.ask.com
ask.com
www.ask.com
www.teoma.com
search.aol.com
www.looksmart.com
auto.search.msn.com
search.msn.com
ca.search.msn.com
fr.ca.search.msn.com
search.fr.msn.be
search.fr.msn.ch
search.latam.yupimsn.com
search.msn.at
search.msn.be
search.msn.ch
search.msn.co.in
search.msn.co.jp
search.msn.co.kr
search.msn.com.br
search.msn.com.hk
search.msn.com.my
search.msn.com.sg
search.msn.com.tw
search.msn.co.za
search.msn.de
search.msn.dk
search.msn.es
search.msn.fi
search.msn.fr
search.msn.it
search.msn.nl
search.msn.no
search.msn.se
search.ninemsn.com.au
search.t1msn.com.mx
search.xtramsn.co.nz
search.yupimsn.com
uk.search.msn.com
search.lycos.com
www.lycos.com
www.google.ca
google.ca
www.google.uk
www.google.co.uk
www.google.com.au
www.google.co.jp
www.google.jp
www.google.at
www.google.be
www.google.ch
www.google.de
www.google.se
www.google.dk
www.google.fi
www.google.fr
www.google.com.gr
www.google.com.hk
www.google.ie
www.google.co.il
www.google.it
www.google.co.kr
www.google.com.mx
www.google.nl
www.google.co.nz
www.google.pl
www.google.pt
www.google.com.ru
www.google.com.sg
www.google.co.th
www.google.com.tr
www.google.com.tw
go.google.com
google.at
google.be
google.de
google.dk
google.fi
google.fr
google.com.hk
google.ie
google.co.il
google.it
google.co.kr
google.com.mx
google.nl
google.co.nz
google.pl
google.com.ru
google.com.sg
www.hotbot.com
hotbot.com

If the services file existed in %windows%\system32\drivers\etc (i.e. on Windows 2000/XP), the hosts file is instead written to the %windows%\help directory. This matches the modified DataBasePath, so the resolver loads the trojan's copy while the genuine hosts file in drivers\etc is left in place; any check for this trojan must therefore look in %windows%\help as well as in the default location.
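A hosts-file check for this behaviour, as an added example that is not the advisory's own tooling: it parses hosts-file text and reports watched search-engine names mapped to anything other than a loopback address, and lists the three locations worth inspecting (the default drivers\etc path, the %windows% path, and the %windows%\help path used once DataBasePath has been changed). The sample hosts text is constructed here for illustration; only the 207.44.220.30 address and the domain names come from the advisory, WATCHED_DOMAINS is a subset of the list above, and the function names are this example's own.

```python
"""Parse a Windows hosts file and flag entries that pin search-engine
hostnames to a non-loopback address, the technique VBS.Qhosts uses.

Added example; not the advisory's own tooling."""
import ipaddress
import os
import re

# Subset of the advisory's domain list; extend with the full list as needed.
WATCHED_DOMAINS = {
    "google.com", "www.google.com", "www.google.akadns.net",
    "search.yahoo.com", "search.msn.com", "altavista.com",
    "ask.com", "www.lycos.com", "hotbot.com", "alltheweb.com",
}

# Constructed sample: benign lines plus Qhosts-style redirections.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
207.44.220.30   www.google.com    # written by AOLFIX.EXE
207.44.220.30 google.com
207.44.220.30\tsearch.yahoo.com uk.search.yahoo.com
10.0.0.5        intranet.example   # unrelated local entry
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text.

    Strips comments, tolerates tabs and several hostnames per line, and
    skips lines whose first field is not a valid IPv4/IPv6 address.
    """
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield str(ip), name.lower()


def is_watched(hostname):
    """Exact match or any subdomain of a watched domain (e.g. uk.search.yahoo.com)."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_redirections(text):
    """Return sorted (hostname, ip) pairs where a watched search-engine name
    is mapped to anything other than a loopback address."""
    hits = set()
    for ip, name in parse_hosts(text):
        if is_watched(name) and not ipaddress.ip_address(ip).is_loopback:
            hits.add((name, ip))
    return sorted(hits)


def candidate_hosts_paths(windir=None):
    """Locations to inspect: the default NT path, the Windows 9x path, and
    the %windows%\\help directory Qhosts switches DataBasePath to."""
    windir = windir or os.environ.get("SystemRoot", r"C:\Windows")
    return [
        os.path.join(windir, "System32", "drivers", "etc", "hosts"),
        os.path.join(windir, "hosts"),
        os.path.join(windir, "help", "hosts"),
    ]


if __name__ == "__main__":
    for name, ip in find_redirections(SAMPLE_HOSTS):
        print(f"{name} -> {ip}")
    for p in candidate_hosts_paths():
        if os.path.exists(p):
            with open(p, encoding="utf-8", errors="replace") as fh:
                for name, ip in find_redirections(fh.read()):
                    print(f"{p}: {name} -> {ip}")
```

Loopback entries are ignored because administrators legitimately sink unwanted names to 127.0.0.1; any other address for a search-engine name is worth a look, regardless of whether it is the one named in this advisory.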

Finally, the trojan creates the file %windows%\winlog as an infection marker and exits; on a later run the presence of this file causes it to do nothing.

Analysis by Oleg Petrovsky

CA Global Security Advisor
