TROJ_QHOST.DUKLB
TrojanProxy:Win32/Potukorp.A (Microsoft), Trojan horse Proxy.E (AVG), W32/Qhost_Banker.OW!tr (Fortinet)
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It modifies the user's Internet Explorer home page to a certain website. This lets the malware direct the browser to a website that may itself host malware, putting the affected computer at greater risk of further infection.
TECHNICAL DETAILS
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan drops the following copies of itself into the affected system:
- %Program Files%\Common Files\{malware file name}.exe
(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)
It drops the following files:
- %System Root%\koreautoup.bmp
- %System%\drivers\etc\hosts.ics
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located. %System% is the Windows system folder, which is usually C:\Windows\System32.)
Autostart Technique
This Trojan adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
koreaautoup = %Program Files%\Common Files\{malware file name}.exe
Web Browser Home Page and Search Page Modification
This Trojan modifies the user's Internet Explorer home page to the following website:
- http://www.naver.com
HOSTS File Modification
This Trojan adds the following strings to the Windows HOSTS file:
- {BLOCKED}.{BLOCKED}.173.89 kBstar.coM
- {BLOCKED}.{BLOCKED}.173.89 www.kBstar.coM
- {BLOCKED}.{BLOCKED}.173.89 OpeN.kBstar.coM
- {BLOCKED}.{BLOCKED}.173.89 omoNey.kBstar.coM
- {BLOCKED}.{BLOCKED}.173.89 oBaNk.kBstar.coM
- {BLOCKED}.{BLOCKED}.173.89 oBaNk1.kBstar.coM
- {BLOCKED}.{BLOCKED}.173.89 Naver.coM
- {BLOCKED}.{BLOCKED}.173.89 www.Naver.co.KR
- {BLOCKED}.{BLOCKED}.173.89 Naver.cO.kR
- {BLOCKED}.{BLOCKED}.173.89 wwW.gMarKet.cO.Kr
- {BLOCKED}.{BLOCKED}.173.89 NoNghyup.coM
- {BLOCKED}.{BLOCKED}.173.89 www.NoNghyup.coM
- {BLOCKED}.{BLOCKED}.173.89 BaNkiNg.NoNghyup.coM
- {BLOCKED}.{BLOCKED}.173.89 iBz.NoNghyup.coM
- {BLOCKED}.{BLOCKED}.173.89 www.Naver.coM
- {BLOCKED}.{BLOCKED}.173.89 GmArkEt.Co.kR
- {BLOCKED}.{BLOCKED}.173.89 shiNhaN.coM
- {BLOCKED}.{BLOCKED}.173.89 Naver.kR
- {BLOCKED}.{BLOCKED}.173.89 www.Naver.Kr
- {BLOCKED}.{BLOCKED}.173.89 WwW.gMArkeT.coM
- {BLOCKED}.{BLOCKED}.173.89 gMaRKet.CoM
- {BLOCKED}.{BLOCKED}.173.89 kIsA.kBstor.coM
- {BLOCKED}.{BLOCKED}.173.89 kIsA.Nenghuyp.coM
- {BLOCKED}.{BLOCKED}.173.89 kIsA.shiNhoN.coM
- {BLOCKED}.{BLOCKED}.173.89 kIsA.wooribenk.coM
- {BLOCKED}.{BLOCKED}.173.89 kIsA.idk.co.kR
- {BLOCKED}.{BLOCKED}.173.89 kIsA.epostbenk.go.kR
- {BLOCKED}.{BLOCKED}.173.89 kIsA.hoNabenk.coM
- {BLOCKED}.{BLOCKED}.173.89 kIsA.kcB.co.kR
- {BLOCKED}.{BLOCKED}.173.89 kIsA.kfoc.co.kR
- {BLOCKED}.{BLOCKED}.173.89 www.NaTe.nEt
- {BLOCKED}.{BLOCKED}.173.89 wWw.GmaRket.nEt
- {BLOCKED}.{BLOCKED}.173.89 www.NaTe.Kr
- {BLOCKED}.{BLOCKED}.173.89 NaTe.kR
- {BLOCKED}.{BLOCKED}.173.89 gMARkeT.Net
- {BLOCKED}.{BLOCKED}.173.89 pharmiNg.kIsA.or.kR
- {BLOCKED}.{BLOCKED}.173.89 www.shiNhaN.coM
- {BLOCKED}.{BLOCKED}.173.89 BaNkiNg.shiNhaN.coM
- {BLOCKED}.{BLOCKED}.173.89 BizBaNk.shiNhaN.coM
- {BLOCKED}.{BLOCKED}.173.89 OpeN.shiNhaN.coM
- {BLOCKED}.{BLOCKED}.173.89 daUm.NeT
- {BLOCKED}.{BLOCKED}.173.89 iBk.co.kR
- {BLOCKED}.{BLOCKED}.173.89 www.NaTe.cO.kr
- {BLOCKED}.{BLOCKED}.173.89 NaTe.Co.Kr
- {BLOCKED}.{BLOCKED}.173.89 www.iBk.co.kR
- {BLOCKED}.{BLOCKED}.173.89 myBaNk.iBk.co.kR
- {BLOCKED}.{BLOCKED}.173.89 kiup.iBk.co.kR
- {BLOCKED}.{BLOCKED}.173.89 OpeN.iBk.co.kR
- {BLOCKED}.{BLOCKED}.173.89 www.daum.NeT
- {BLOCKED}.{BLOCKED}.173.89 wooriBaNk.coM
- {BLOCKED}.{BLOCKED}.173.89 www.wooriBaNk.coM
- {BLOCKED}.{BLOCKED}.173.89 piB.wooriBaNk.coM
- {BLOCKED}.{BLOCKED}.173.89 u.wooriBaNk.coM
- {BLOCKED}.{BLOCKED}.173.89 haNmail.NeT
- {BLOCKED}.{BLOCKED}.173.89 keB.co.kR
- {BLOCKED}.{BLOCKED}.173.89 www.keB.co.kR
- {BLOCKED}.{BLOCKED}.173.89 eBaNk.keB.co.kR
- {BLOCKED}.{BLOCKED}.173.89 oNliNe.keB.co.kR
- {BLOCKED}.{BLOCKED}.173.89 OpeN.keB.co.kR
- {BLOCKED}.{BLOCKED}.173.89 www.haNmail.Net
- {BLOCKED}.{BLOCKED}.173.89 haNaBaNk.coM
- {BLOCKED}.{BLOCKED}.173.89 www.haNaBaNk.coM
- {BLOCKED}.{BLOCKED}.173.89 OpeN.haNaBaNk.coM
- {BLOCKED}.{BLOCKED}.173.89 www.haNacBs.coM
- {BLOCKED}.{BLOCKED}.173.89 kfCc.co.kR
- {BLOCKED}.{BLOCKED}.173.89 www.kfcc.co.kR
- {BLOCKED}.{BLOCKED}.173.89 iBs.kfcc.co.kR
- {BLOCKED}.{BLOCKED}.173.89 epostBaNk.go.kR
- {BLOCKED}.{BLOCKED}.173.89 www.epostBaNk.go.kR
- {BLOCKED}.{BLOCKED}.173.89 nAtE.coM
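A defender-side check for the HOSTS tampering described above. This is an added example, not code from the Trend Micro entry or from the malware; the sample HOSTS text, the 203.0.113.89 address (a documentation range, standing in for the {BLOCKED} IP) and the WATCHED_SUFFIXES list are constructed for illustration. Two details from the entry drive the design: the injected names are written in mixed case, and hostname matching is case-insensitive, so every name is lowercased before comparison; and the Trojan drops hosts.ics next to hosts, so the loader reads both files rather than only the one most tools inspect. The check flags any non-loopback address that either resolves a watched banking or portal domain or collects an unusually large number of names, which is the pharming pattern in the list above.

```python
"""Detect pharming-style HOSTS entries (added example, not the entry's own code)."""
import ipaddress
import os
from collections import defaultdict

# Suffixes of domains worth alerting on when they appear in a HOSTS file.
# Constructed for this example; a real deployment would load its own watch list.
WATCHED_SUFFIXES = ("kbstar.com", "nonghyup.com", "shinhan.com", "naver.com")

# The stock Windows HOSTS file only maps names to loopback/unspecified addresses;
# anything pointing a name at another address is worth a look.
BENIGN_TARGETS = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("::1"),
    ipaddress.ip_address("0.0.0.0"),
}

# Constructed sample mimicking the mixed-case entries described in the report.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
203.0.113.89 kBstar.coM
203.0.113.89 www.kBstar.coM
203.0.113.89 OpeN.kBstar.coM
203.0.113.89 BaNkiNg.NoNghyup.coM
203.0.113.89 Naver.cO.kR
192.0.2.10   intranet.example   # single internal override, not reported
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs from HOSTS-format text, hostnames lowercased.

    Comments and blank lines are dropped; lines whose first token is not an
    IP address are skipped so a malformed line cannot abort the scan.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for host in parts[1:]:
            # DNS names are case-insensitive; normalise so kBstar.coM == kbstar.com
            entries.append((ip, host.lower()))
    return entries


def _matches_any(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def find_pharming(text, watched=WATCHED_SUFFIXES, min_hosts=3):
    """Group entries by target address and report suspicious redirections.

    An address is reported if it is not a loopback/unspecified target and it
    either resolves a watched domain or has at least ``min_hosts`` names
    pointed at it (one IP absorbing many unrelated sites is the pharming tell).
    """
    by_ip = defaultdict(set)
    for ip, host in parse_hosts(text):
        by_ip[ip].add(host)

    findings = []
    for ip, hosts in by_ip.items():
        if ip in BENIGN_TARGETS:
            continue
        watched_hits = sorted(h for h in hosts if _matches_any(h, watched))
        if watched_hits or len(hosts) >= min_hosts:
            findings.append({"ip": str(ip), "hosts": sorted(hosts), "watched": watched_hits})
    findings.sort(key=lambda f: f["ip"])
    return findings


def load_hosts_files(etc_dir):
    """Concatenate the contents of both 'hosts' and 'hosts.ics' under etc_dir.

    Missing files are ignored so the scan works on a clean machine too.
    On Windows etc_dir is normally %SystemRoot%\\System32\\drivers\\etc.
    """
    chunks = []
    for name in ("hosts", "hosts.ics"):
        path = os.path.join(etc_dir, name)
        if os.path.isfile(path):
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                chunks.append(fh.read())
    return "\n".join(chunks)


if __name__ == "__main__":
    for finding in find_pharming(SAMPLE_HOSTS):
        print(f"{finding['ip']} -> {len(finding['hosts'])} names, watched: {finding['watched']}")
```

To run it against a live system, replace SAMPLE_HOSTS with load_hosts_files(r"C:\Windows\System32\drivers\etc"); the same code scans /etc on a Unix host since the file format is identical.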
Other Details
This Trojan connects to the following possibly malicious URLs:
- {BLOCKED}r.{BLOCKED}e.qq.com
- {BLOCKED}ard.co.kr
- {BLOCKED}2.{BLOCKED}s.com