What is Win32 Qhost?

edited by: Bill Bunter • updated: 6/9/2010

A Trojan that modifies the DNS settings of a computer system, creates several network connections, and downloads malicious content from the internet.

    Description

    Win32 Qhost is a Trojan that copies itself into the windows\system32 directory and attempts to modify the DNS settings of the infected computer system. It also creates several network connections in order to spread itself, such as connecting to IRC (Internet Relay Chat).

    Risk Assessment

    Home Users – LOW

    Corporate Users – LOW

    Trojan Characteristics

    Filename: _itw_491.exe

    Type: Trojan

    Detection: Generic Qhost

    Length: 359 Kb

    Common Detection Names

    Microsoft - Worm:Win32/Yoybot.gen

    Kaspersky - Trojan.Win32.Qhost.cm

    AVG (GriSoft) - generic13.cuz

    Panda - suspicious file

    Activity

    Win32 Qhost performs a number of activities, ranging in risk level from low to critical, in order to infect the system. As a first critical symptom, it enumerates the running processes on the system, injects itself into the memory of these processes, and modifies their memory footprints. It also enumerates the open windows and uses the shared memory of a running process to execute its code. Like other Trojans and viruses, Win32 Qhost also adds a number of .exe and .dll files to the windows\system32 directory and adds new entries to, or modifies existing entries in, the system registry to cripple the operating system.

    Apart from that, it opens a number of network connections to download and execute malicious content on the infected computer. It also connects to IRC (Internet Relay Chat).

    How it Works

    Win32 Qhost copies a file named shvhost.exe and executes it as a process during startup. The process name is similar to that of the generic Windows process "svchost.exe", which is why a user is unable to detect the presence of this Trojan. Like other Trojans, it also writes several executable files to the Windows system32 directory and copies some other files to the Program Files directory. The file mentioned above, _itw_491.exe, can be found in the user_profile\local settings\temp directory, which confirms the presence of the Win32 Qhost Trojan.

    It also creates several network connections to steal personal and other important information from the system.
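
An added example (not from the original article) showing one way to check a list of executable paths for the two indicators described above: a name that imitates svchost.exe, and the _itw_491.exe file in a Temp directory. The allow-list, the edit-distance threshold, and the sample paths are assumptions made for illustration; the wrong-directory check goes beyond what the article describes.

```python
from pathlib import PureWindowsPath

# Assumptions: a short allow-list of system binaries and the default system directory.
SYSTEM_DIR = r"c:\windows\system32"
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe", "winlogon.exe"}
# File name the article reports in the user profile's Temp directory.
KNOWN_DROPPED = {"_itw_491.exe"}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(image_path, max_distance=2):
    """Return (verdict, detail) for one full executable path."""
    p = PureWindowsPath(image_path.lower())
    name, folder = p.name, str(p.parent)
    if name in KNOWN_DROPPED and folder.endswith(r"\temp"):
        return "known-indicator", name
    if name in SYSTEM_NAMES:
        return ("ok", name) if folder == SYSTEM_DIR else ("system-name-wrong-path", folder)
    for legit in sorted(SYSTEM_NAMES):
        # Close to, but not equal to, a system name: e.g. shvhost.exe vs svchost.exe.
        if 0 < edit_distance(name, legit) <= max_distance:
            return "lookalike", legit
    return "ok", name

def scan(paths):
    """Return (path, verdict, detail) for every path that is not 'ok'."""
    results = ((p, *classify(p)) for p in paths)
    return [r for r in results if r[1] != "ok"]

# Constructed sample of image paths, not captured from a real host.
SAMPLE_IMAGES = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\shvhost.exe",
    r"C:\Documents and Settings\alice\Local Settings\Temp\_itw_491.exe",
    r"C:\Program Files\Tools\svchost.exe",
    r"C:\WINDOWS\explorer.exe",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_IMAGES):
        print(finding)
```

Feed it the full image paths from a process listing or a directory walk; a "lookalike" verdict only means the name is within two edits of a system binary and still needs manual confirmation.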

    Removal Instructions

    To remove the Win32 Qhost Trojan, first disable System Restore and then perform a thorough scan using Trojan Remover. Trojan Remover is highly effective in restoring the registry keys that have been modified by this Trojan to their original values. After the registry keys are corrected, you will be asked to reboot the system. Restart the system and perform another scan to ensure 100% safety.