TROJ_QHOST.DUKLB

 Analysis by: Al Victor de Leon

 ALIASES:

TrojanProxy:Win32/Potukorp.A (Microsoft), Trojan horse Proxy.E (AVG), W32/Qhost_Banker.OW!tr (Fortinet)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It modifies the user's Internet Explorer home page to a certain website. This action allows the malware to point to a website which may contain malware, putting the affected computer at greater risk of malware infection.

  TECHNICAL DETAILS

File Size:

22,901 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

08 May 2014

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system:

  • %Program Files%\Common Files\{malware file name}.exe

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

It drops the following files:

  • %System Root%\koreautoup.bmp
  • %System%\drivers\etc\hosts.ics

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located. %System% is the Windows system folder, which is usually C:\Windows\System32.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
koreaautoup = %Program Files%\Common Files\{malware file name}.exe

Web Browser Home Page and Search Page Modification

This Trojan modifies the user's Internet Explorer home page to the following websites:

  • http://www.naver.com

HOSTS File Modification

This Trojan adds the following strings to the Windows HOSTS file:

  • {BLOCKED}.{BLOCKED}.173.89 kBstar.coM
  • {BLOCKED}.{BLOCKED}.173.89 www.kBstar.coM
  • {BLOCKED}.{BLOCKED}.173.89 OpeN.kBstar.coM
  • {BLOCKED}.{BLOCKED}.173.89 omoNey.kBstar.coM
  • {BLOCKED}.{BLOCKED}.173.89 oBaNk.kBstar.coM
  • {BLOCKED}.{BLOCKED}.173.89 oBaNk1.kBstar.coM
  • {BLOCKED}.{BLOCKED}.173.89 Naver.coM
  • {BLOCKED}.{BLOCKED}.173.89 www.Naver.co.KR
  • {BLOCKED}.{BLOCKED}.173.89 Naver.cO.kR
  • {BLOCKED}.{BLOCKED}.173.89 wwW.gMarKet.cO.Kr
  • {BLOCKED}.{BLOCKED}.173.89 NoNghyup.coM
  • {BLOCKED}.{BLOCKED}.173.89 www.NoNghyup.coM
  • {BLOCKED}.{BLOCKED}.173.89 BaNkiNg.NoNghyup.coM
  • {BLOCKED}.{BLOCKED}.173.89 iBz.NoNghyup.coM
  • {BLOCKED}.{BLOCKED}.173.89 www.Naver.coM
  • {BLOCKED}.{BLOCKED}.173.89 GmArkEt.Co.kR
  • {BLOCKED}.{BLOCKED}.173.89 shiNhaN.coM
  • {BLOCKED}.{BLOCKED}.173.89 Naver.kR
  • {BLOCKED}.{BLOCKED}.173.89 www.Naver.Kr
  • {BLOCKED}.{BLOCKED}.173.89 WwW.gMArkeT.coM
  • {BLOCKED}.{BLOCKED}.173.89 gMaRKet.CoM
  • {BLOCKED}.{BLOCKED}.173.89 kIsA.kBstor.coM
  • {BLOCKED}.{BLOCKED}.173.89 kIsA.Nenghuyp.coM
  • {BLOCKED}.{BLOCKED}.173.89 kIsA.shiNhoN.coM
  • {BLOCKED}.{BLOCKED}.173.89 kIsA.wooribenk.coM
  • {BLOCKED}.{BLOCKED}.173.89 kIsA.idk.co.kR
  • {BLOCKED}.{BLOCKED}.173.89 kIsA.epostbenk.go.kR
  • {BLOCKED}.{BLOCKED}.173.89 kIsA.hoNabenk.coM
  • {BLOCKED}.{BLOCKED}.173.89 kIsA.kcB.co.kR
  • {BLOCKED}.{BLOCKED}.173.89 kIsA.kfoc.co.kR
  • {BLOCKED}.{BLOCKED}.173.89 www.NaTe.nEt
  • {BLOCKED}.{BLOCKED}.173.89 wWw.GmaRket.nEt
  • {BLOCKED}.{BLOCKED}.173.89 www.NaTe.Kr
  • {BLOCKED}.{BLOCKED}.173.89 NaTe.kR
  • {BLOCKED}.{BLOCKED}.173.89 gMARkeT.Net
  • {BLOCKED}.{BLOCKED}.173.89 pharmiNg.kIsA.or.kR
  • {BLOCKED}.{BLOCKED}.173.89 www.shiNhaN.coM
  • {BLOCKED}.{BLOCKED}.173.89 BaNkiNg.shiNhaN.coM
  • {BLOCKED}.{BLOCKED}.173.89 BizBaNk.shiNhaN.coM
  • {BLOCKED}.{BLOCKED}.173.89 OpeN.shiNhaN.coM
  • {BLOCKED}.{BLOCKED}.173.89 daUm.NeT
  • {BLOCKED}.{BLOCKED}.173.89 iBk.co.kR
  • {BLOCKED}.{BLOCKED}.173.89 www.NaTe.cO.kr
  • {BLOCKED}.{BLOCKED}.173.89 NaTe.Co.Kr
  • {BLOCKED}.{BLOCKED}.173.89 www.iBk.co.kR
  • {BLOCKED}.{BLOCKED}.173.89 myBaNk.iBk.co.kR
  • {BLOCKED}.{BLOCKED}.173.89 kiup.iBk.co.kR
  • {BLOCKED}.{BLOCKED}.173.89 OpeN.iBk.co.kR
  • {BLOCKED}.{BLOCKED}.173.89 www.daum.NeT
  • {BLOCKED}.{BLOCKED}.173.89 wooriBaNk.coM
  • {BLOCKED}.{BLOCKED}.173.89 www.wooriBaNk.coM
  • {BLOCKED}.{BLOCKED}.173.89 piB.wooriBaNk.coM
  • {BLOCKED}.{BLOCKED}.173.89 u.wooriBaNk.coM
  • {BLOCKED}.{BLOCKED}.173.89 haNmail.NeT
  • {BLOCKED}.{BLOCKED}.173.89 keB.co.kR
  • {BLOCKED}.{BLOCKED}.173.89 www.keB.co.kR
  • {BLOCKED}.{BLOCKED}.173.89 eBaNk.keB.co.kR
  • {BLOCKED}.{BLOCKED}.173.89 oNliNe.keB.co.kR
  • {BLOCKED}.{BLOCKED}.173.89 OpeN.keB.co.kR
  • {BLOCKED}.{BLOCKED}.173.89 www.haNmail.Net
  • {BLOCKED}.{BLOCKED}.173.89 haNaBaNk.coM
  • {BLOCKED}.{BLOCKED}.173.89 www.haNaBaNk.coM
  • {BLOCKED}.{BLOCKED}.173.89 OpeN.haNaBaNk.coM
  • {BLOCKED}.{BLOCKED}.173.89 www.haNacBs.coM
  • {BLOCKED}.{BLOCKED}.173.89 kfCc.co.kR
  • {BLOCKED}.{BLOCKED}.173.89 www.kfcc.co.kR
  • {BLOCKED}.{BLOCKED}.173.89 iBs.kfcc.co.kR
  • {BLOCKED}.{BLOCKED}.173.89 epostBaNk.go.kR
  • {BLOCKED}.{BLOCKED}.173.89 www.epostBaNk.go.kR
  • {BLOCKED}.{BLOCKED}.173.89 nAtE.coM
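The entries above redirect Korean banking and portal hostnames to a single address, and they are written in mixed case so that a naive case-sensitive search for the real domain names misses them. As an added defensive example (not part of this write-up or of any Trend Micro tooling), the following Python script parses HOSTS-file text, normalizes hostnames to lower case, and reports any entry that maps a watch-listed domain or one of its subdomains to an address other than loopback. The sample input, the watchlist and the redirect address 192.0.2.10 (a documentation-range placeholder standing in for the blocked address on the page) are all constructed for this example; the dropped hosts.ics file uses the same line syntax, so the same parser can be pointed at it.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Sequence

# Constructed sample in Windows HOSTS-file syntax. The redirect address is a
# placeholder from the TEST-NET-1 documentation range (the page blocks out the
# real one); the mixed-case names mimic this Trojan's HOSTS entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10 kBstar.coM
192.0.2.10 www.Naver.co.KR
192.0.2.10 OpeN.shiNhaN.coM   # trailing comment is ignored
192.0.2.10 pharmiNg.kIsA.or.kR
"""

# Assumed watchlist of registrable domains a defender wants to protect
# (drawn from the entries listed above). Any subdomain of these matches.
WATCHLIST = ("kbstar.com", "naver.com", "naver.co.kr", "shinhan.com", "kisa.or.kr")


class HostsEntry(NamedTuple):
    ip: str
    hostname: str   # always lower-cased
    lineno: int


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse HOSTS-file text: drop '#' comments and blank lines, then emit one
    entry per hostname on each remaining line (a line may list several names)."""
    entries: List[HostsEntry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            # Case-fold so obfuscated spellings compare equal to the real name.
            entries.append(HostsEntry(ip, name.lower(), lineno))
    return entries


def is_loopback_or_unspecified(ip: str) -> bool:
    """True for 127.0.0.0/8, ::1 and 0.0.0.0, which are the benign targets an
    ad-blocking or default HOSTS file uses; anything else is a real redirect."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False   # not an address at all; treat as suspicious
    return addr.is_loopback or addr.is_unspecified


def in_watchlist(hostname: str, watchlist: Sequence[str]) -> bool:
    """Exact match or subdomain match against the watchlist."""
    return any(hostname == d or hostname.endswith("." + d) for d in watchlist)


def find_pharming_entries(text: str, watchlist: Sequence[str] = WATCHLIST) -> List[HostsEntry]:
    """Return every entry that points a watch-listed name at a non-loopback
    address, i.e. the signature of a HOSTS-based pharming redirect."""
    suspicious: List[HostsEntry] = []
    for entry in parse_hosts(text):
        if is_loopback_or_unspecified(entry.ip):
            continue
        if in_watchlist(entry.hostname, watchlist):
            suspicious.append(entry)
    return suspicious


def redirect_targets(entries: Sequence[HostsEntry]) -> Dict[str, List[str]]:
    """Group hijacked hostnames by the address they were redirected to; one
    address collecting many bank domains is the pattern seen in this family."""
    grouped: Dict[str, List[str]] = {}
    for entry in entries:
        grouped.setdefault(entry.ip, []).append(entry.hostname)
    return grouped


if __name__ == "__main__":
    hits = find_pharming_entries(SAMPLE_HOSTS)
    for ip, names in redirect_targets(hits).items():
        print(f"{ip} hijacks {len(names)} watch-listed name(s):")
        for name in names:
            print(f"  {name}")
```

On a live system the text would be read from %System%\drivers\etc\hosts and, because this Trojan drops one, from hosts.ics in the same directory; the watchlist should be extended to whatever domains matter in your environment, and any hit is worth correlating with the koreaautoup Run-key value described earlier.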

Other Details

This Trojan connects to the following possibly malicious URLs:

  • {BLOCKED}r.{BLOCKED}e.qq.com
  • {BLOCKED}ard.co.kr
  • {BLOCKED}2.{BLOCKED}s.com