QHosts Trojan Last Updated 10/02/03 3:09PM

QHosts is a trojan that makes use of a new vulnerability in Microsoft's Internet Explorer to change DNS settings on Windows machines. There currently is no patch from Microsoft for this vulnerability. The trojan is spread by visiting webpages that host the malicious code.

One known file dropped by this trojan is AOLFix.exe. This file is dropped in the Windows System directory and the Windows temp directory.

Once the Trojan is run it will create a batch file to change the DNS server for the machine. The DNS address is known to be changed to one of the Following:

• 69.57.146.14
• 69.57.147.175

The trojan may also change the %Windows%host file and may make changes to the registry.

The trojan is detected and removed by the current DAT/SuperDAT 4296 released by NAI. Symantec release an IntelligentUpdate package to detect and remove this trojan. This file is available here

For more information see:

http://vil.nai.com/vil/content/v_100719.htm from NAI.
http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.html from Symantec.

This archive is not intended to be comprehensive. For a more complete virus library, please visit NAI's Virus Information Library at http://vil.nai.com.