BKDR_VKHOST


 ALIASES:

ClamAV: Vkhost; Fortinet: Qhost; Ikarus: VkHost; Eset: Qhost; Panda: Qbot; VBA32: VkHost

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet

VKHOST variants are downloader malware that modify the affected system's HOSTS files to prevent a user from accessing certain websites.

  TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Drops files, Downloads files

Installation

This backdoor drops the following non-malicious files:

  • %User Temp%\b.ico
  • %User Temp%\dumb13145
  • %User Temp%\{random}

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

Autostart Technique

This backdoor drops the following shortcut pointing to its copy in the User Startup folder to enable its automatic execution at every system startup:

  • {random}.lnk

Dropping Routine

This backdoor drops the following files:

  • %User Temp%\{random}.vbs

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

Download Routine

This backdoor saves the files it downloads using the following names:

  • %User Temp%\{random1}
  • %User Temp%\{random}.dll

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

Other Details

This backdoor connects to the following possibly malicious URL:

  • http://{BLOCKED}x.{BLOCKED}es.info/js/data/ex.dll
  • http://{BLOCKED}a.{BLOCKED}q.info/js/data/ex.dll
  • http://{BLOCKED}o.{BLOCKED}es.info/js/data/ex.dll
  • http://{BLOCKED}v.{BLOCKED}ick.info/js/data/ex.dll
  • http://{BLOCKED}l.{BLOCKED}r.info/js/data/ex.dll
  • http://{BLOCKED}f.{BLOCKED}r.info/js/data/ex.dll