W32/Qhosts.A!tr

Analysis

  • This Trojan is coded in VBScript with an .HTA extension (HTML Application)
  • The Trojan contains instructions to extract and create a binary executable as %Windows%\System\AOLFIX.exe - the Trojan uses an Object tag to initiate its code as a Windows Script Host Shell Object
  • When the .HTA file containing VBScript code is initiated, it is run with local supervisory rights via MSHTA.EXE
  • AOLFIX.EXE contains instructions to create a HOSTS domain resolution file in the path "%SystemRoot%\help" - the new HOSTS file redirects access to a long list of search-engine hostnames (Google, AltaVista, Yahoo, Lycos, AllTheWeb, Ask/Teoma, AOL Search, LookSmart, MSN Search and HotBot, including many of their country-specific domains) to a single website (207.44.220.30) in an effort to drive traffic to that site

  • The Trojan makes an adjustment to the registry so the new HOSTS file will be used -
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
    "DataBasePath" = %SystemRoot%\help

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\
    "DataBasePath" = %SystemRoot%\help

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\
    "DataBasePath" = %SystemRoot%\help

    * Original value may have been [%SystemRoot%\System32\drivers\etc]

  • The Trojan then makes changes to the registry such as setting the IE start page to "google.com", which results in a redirection to the IP 207.44.220.30 -

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
    "Search Bar" = http://www.google.com/ie
    "Use Search Asst" = no

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\
    "(Default)" = http://www.google.com/keyword/%s

  • The Trojan makes the following adjustments to the registry, essentially reassigning the DNS server entries on the infected system, among other changes -

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\
    Parameters\Interfaces\{3A894951-8A04-461E-A4D2-25641809558E}\
    "NameServer" = 69.57.146.14,69.57.147.175

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\
    Parameters\Interfaces\{E3654B78-2100-4E8D-921D-45611F307337}\
    "NameServer" = 69.57.146.14,69.57.147.175

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\
    Parameters\Interfaces\windows\
    "NameServer" = 69.57.146.14,69.57.147.175
    "r0x" = your s0x

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VxD\MSTCP\
    "Domain" = mydomain.com
    "EnableDNS" = 1
    "NameServer" = 69.57.146.14,69.57.147.175

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\
    Parameters\Interfaces\{3A894951-8A04-461E-A4D2-25641809558E}\
    "NameServer" = 69.57.146.14,69.57.147.175

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\
    Parameters\Interfaces\{E3654B78-2100-4E8D-921D-45611F307337}\
    "NameServer" = 69.57.146.14,69.57.147.175

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\
    Parameters\Interfaces\windows\
    "NameServer" = 69.57.146.14,69.57.147.175
    "r0x" = your s0x

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VxD\MSTCP\
    "Domain" = mydomain.com
    "EnableDNS" = 1
    "NameServer" = 69.57.146.14,69.57.147.175

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\
    Parameters\Interfaces\{3A894951-8A04-461E-A4D2-25641809558E}\
    "NameServer" = 69.57.146.14,69.57.147.175

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\
    Parameters\Interfaces\{E3654B78-2100-4E8D-921D-45611F307337}\
    "NameServer" = 69.57.146.14,69.57.147.175

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\
    Parameters\Interfaces\windows\
    "NameServer" = 69.57.146.14,69.57.147.175
    "r0x" = your s0x

  • The Trojan alters existing key values in the registry with its own criteria -

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
    "Search Page" = http://www.google.com

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\
    "provider" = gogl

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Internet Settings\
    "MigrateProxy" = 00, 00, 00, 00

    * Original value may have been [01, 00, 00, 00]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\
    "SearchAssistant" = http://www.google.com/ie

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VxD\MSTCP\
    "HostName" = host

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VxD\MSTCP\
    "HostName" = host

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\
    Interfaces\{8870A8C0-3355-4DF1-BF37-AFE700F47881}
    "NameServer" = 69.57.146.14,69.57.147.175

  • Lastly, the VBScript may delete the file AOLFIX.EXE

Recommended Action

  • Disallow ActiveX when viewing web pages
  • If your organization does not use HTML application file types for normal business use, delete the registry key associated with HTML Application file types, which ultimately access MSHTA.EXE locally -
    HKEY_CLASSES_ROOT\.hta

    Prior to deleting this key, users should back up the registry
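
As an added example (not part of the Fortinet entry), the following read-only PowerShell triage script checks the persistence points from the Analysis above together with the .hta handler from the Recommended Action: the Tcpip DataBasePath, the HOSTS file actually in use, per-interface NameServer values and HKCR\.hta. The hijack IP and rogue DNS addresses are taken from this entry; the expected HOSTS directory and the 10-name fan-in threshold are assumptions for illustration.

```powershell
# Added example (not part of the Fortinet entry): read-only triage for the
# persistence points described above. Constants come from the analysis;
# the $ExpectedHostsDir default and the 10-name threshold are assumptions.
$HijackIp        = '207.44.220.30'
$RogueDnsServers = @('69.57.146.14', '69.57.147.175')
$ExpectedHostsDir = Join-Path $env:SystemRoot 'System32\drivers\etc'
$Findings = @()

# 1. Where does TCP/IP look for HOSTS? The Trojan points this at %SystemRoot%\help.
#    (Get-ItemProperty expands REG_EXPAND_SZ, so compare expanded paths.)
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$dbPath = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty $params).DataBasePath)
if ($dbPath -ne $ExpectedHostsDir) {
    $Findings += "DataBasePath is '$dbPath' (expected '$ExpectedHostsDir')"
}

# 2. Parse the HOSTS file actually in use; flag the hijack IP, or any
#    non-loopback IP that many hostnames resolve to (search-engine fan-in).
$hostsFile = Join-Path $dbPath 'hosts'
if (Test-Path $hostsFile) {
    $entries = Get-Content $hostsFile |
        ForEach-Object { ($_ -split '#')[0].Trim() } |      # drop comments
        Where-Object  { $_ -match '^\S+\s+\S+' } |          # keep "ip name" lines
        ForEach-Object { $f = $_ -split '\s+'; [pscustomobject]@{ Ip = $f[0]; Name = $f[1] } }
    foreach ($g in ($entries | Where-Object { $_.Ip -notmatch '^(127\.|::1$)' } | Group-Object Ip)) {
        if ($g.Name -eq $HijackIp -or $g.Count -ge 10) {
            $Findings += "HOSTS maps $($g.Count) names to $($g.Name), e.g. $($g.Group[0].Name)"
        }
    }
}

# 3. Per-interface NameServer values: the Trojan writes its own resolvers on each adapter key.
Get-ChildItem "$params\Interfaces" | ForEach-Object {
    $ns = (Get-ItemProperty $_.PSPath).NameServer
    if ($ns) {
        foreach ($ip in ($ns -split '[,\s]+')) {
            if ($RogueDnsServers -contains $ip) {
                $Findings += "Interface $($_.PSChildName) uses rogue DNS server $ip"
            }
        }
    }
}

# 4. The .hta association that hands the dropper to MSHTA.EXE (see Recommended Action).
if (Test-Path 'Registry::HKEY_CLASSES_ROOT\.hta') {
    $Findings += 'HKCR\.hta exists: .hta files will run via MSHTA.EXE'
}

if ($Findings) { $Findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output '[ok] No Qhosts-style HOSTS, DNS or .hta changes found' }
```

The script only reads the registry and the HOSTS file; run it from an elevated prompt so the HKLM keys and the relocated HOSTS path are readable, and treat the .hta finding as informational on hosts that legitimately use HTML Applications.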

Telemetry

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2024-02-27 92.01957
2023-11-20 91.08976
2023-10-08 91.07670
2023-06-27 91.04592
2023-06-27 91.04590
2023-06-27 91.04583
2023-06-13 91.04163
2023-05-09 91.03106
2023-05-07 91.03051
2023-05-04 91.02955