Win32 Qhost: a Prolific Trojan

Description

Win32 Qhost is a Trojan that copies itself into the windows\system32 directory and attempts to modify the DNS settings of the infected computer. It also opens several network connections, including connections to IRC (Internet Relay Chat), in order to spread itself.

Risk Assessment

Home Users – LOW

Corporate Users – LOW

Trojan Characteristics

Filename: _itw_491.exe

Type: Trojan

Detection: Generic Qhost

Length: 359 Kb

Common Detection Names

Microsoft - Worm:Win32/Yoybot.gen

Kaspersky - Trojan.Win32.Qhost.cm

AVG (GriSoft) - generic13.cuz

Panda - suspicious file

Activity

Win32 Qhost performs a number of activities, ranging in risk from low to critical, in order to infect the system. As a first critical symptom, it enumerates the running processes on the system, injects itself into their memory and modifies their memory footprints. It also enumerates the list of open windows and uses the shared memory of a running process to execute its code. Like other Trojans and viruses, Win32 Qhost adds a number of .exe and .dll files to the windows\system32 directory and adds new entries to, or modifies existing entries in, the system registry to cripple the operating system.

Apart from that, it opens a number of network connections to download and execute malicious content on the infected computer. It also connects to IRC (Internet Relay Chat).

How it Works

Win32 Qhost copies a file named shvhost.exe and executes it as a process at startup. The process name resembles the generic Windows process “svchost.exe”, which is why a user is unlikely to notice the presence of this Trojan. Like other Trojans, it also writes several executable files to the Windows system32 directory and copies some other files into the Program Files directory. The file _itw_491.exe, mentioned above, can be found in the user_profile\local settings\temp directory; its presence confirms a Win32 Qhost infection.

It also creates several network connections to steal personal and other important information from the system.
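The two host-based indicators described above (a process name that mimics svchost.exe, and the dropped file _itw_491.exe in the user's temp folder) can be checked mechanically. The script below is an added example, not code from the original article or any vendor tool; it generalizes the lookalike check to any near-miss of a short list of common Windows process names, and the process list and file paths it scans are constructed sample data.

```python
# Added example: flag process names that mimic legitimate Windows processes
# (e.g. "shvhost.exe" vs "svchost.exe") and look for the dropped file the
# article names in the user's temp folder. Sample inputs are constructed.
from __future__ import annotations

# Ordered so that lookalike matches are reported deterministically.
LEGIT_PROCESSES = ("svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "explorer.exe")
# File/process names taken from the article's description of Win32 Qhost.
KNOWN_DROPPED_FILES = {"_itw_491.exe", "shvhost.exe"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance between a running process name
    and a legitimate one indicates a lookalike (shvhost.exe vs svchost.exe = 2)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_process(name: str) -> str | None:
    """Return a finding string for a suspicious process name, else None."""
    n = name.lower()
    if n in LEGIT_PROCESSES:
        return None                       # exact legitimate name, nothing to report
    if n in KNOWN_DROPPED_FILES:
        return f"known Qhost artifact: {name}"
    for legit in LEGIT_PROCESSES:
        if edit_distance(n, legit) <= 2:  # one or two character edits away
            return f"lookalike of {legit}: {name}"
    return None


def scan(process_names, file_paths):
    """Run both checks and collect findings (constructed inputs in __main__)."""
    findings = [f for f in (classify_process(p) for p in process_names) if f]
    for path in file_paths:
        base = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base in KNOWN_DROPPED_FILES:
            findings.append(f"dropped file present: {path}")
    return findings


if __name__ == "__main__":
    # Constructed sample data resembling an infected XP-era host.
    procs = ["explorer.exe", "svchost.exe", "shvhost.exe", "svch0st.exe"]
    files = [r"C:\Documents and Settings\user\Local Settings\Temp\_itw_491.exe"]
    for finding in scan(procs, files):
        print(finding)
```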

Removal Instructions

To remove Win32 Qhost, first disable System Restore and then perform a thorough scan with Trojan Remover. Trojan Remover is highly effective at restoring registry keys modified by this Trojan to their original values. After the registry keys have been corrected, you will be asked to reboot the system. Restart the system and perform another scan to confirm it is clean.