W32/Qhosts.A!tr
Analysis
- This Trojan is coded in VBScript with an .HTA extension (HTML Application)
- The Trojan contains instructions to extract and create a binary executable as %Windows%\System\AOLFIX.exe
- The Trojan uses an Object tag to initiate its code as a Windows Script Host Shell Object
- When the .HTA file containing VBScript code is initiated, it is run with local supervisory rights via MSHTA.EXE
- AOLFIX.EXE contains instructions to create a HOSTS domain resolution file in the path "%SystemRoot%\help"
- The new HOSTS file redirects access to the following websites to a single website (207.44.220.30) in an effort to drive traffic to that site -
www.google.akadns.net
www.google.com
google.com
www.altavista.com
altavista.com
search.yahoo.com
uk.search.yahoo.com
ca.search.yahoo.com
jp.search.yahoo.com
au.search.yahoo.com
de.search.yahoo.com
search.yahoo.co.jp
www.lycos.de
www.lycos.ca
www.lycos.jp
www.lycos.co.jp
alltheweb.com
web.ask.com
ask.com
www.ask.com
www.teoma.com
search.aol.com
www.looksmart.com
auto.search.msn.com
search.msn.com
ca.search.msn.com
fr.ca.search.msn.com
search.fr.msn.be
search.fr.msn.ch
search.latam.yupimsn.com
search.msn.at
search.msn.be
search.msn.ch
search.msn.co.in
search.msn.co.jp
search.msn.co.kr
search.msn.com.br
search.msn.com.hk
search.msn.com.my
search.msn.com.sg
search.msn.com.tw
search.msn.co.za
search.msn.de
search.msn.dk
search.msn.es
search.msn.fi
search.msn.fr
search.msn.it
search.msn.nl
search.msn.no
search.msn.se
search.ninemsn.com.au
search.t1msn.com.mx
search.xtramsn.co.nz
search.yupimsn.com
uk.search.msn.com
search.lycos.com
www.lycos.com
www.google.ca
google.ca
www.google.uk
www.google.co.uk
www.google.com.au
www.google.co.jp
www.google.jp
www.google.at
www.google.be
www.google.ch
www.google.de
www.google.se
www.google.dk
www.google.fi
www.google.fr
www.google.com.gr
www.google.com.hk
www.google.ie
www.google.co.il
www.google.it
www.google.co.kr
www.google.com.mx
www.google.nl
www.google.co.nz
www.google.pl
www.google.pt
www.google.com.ru
www.google.com.sg
www.google.co.th
www.google.com.tr
www.google.com.tw
go.google.com
google.at
google.be
google.de
google.dk
google.fi
google.fr
google.com.hk
google.ie
google.co.il
google.it
google.co.kr
google.com.mx
google.nl
google.co.nz
google.pl
google.com.ru
google.com.sg
www.hotbot.com
hotbot.com
-
The Trojan makes an adjustment to the registry so the new HOSTS file will be used -
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
"DataBasePath" = %SystemRoot%\help
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\
"DataBasePath" = %SystemRoot%\help
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\
"DataBasePath" = %SystemRoot%\help
* Original value may have been [%SystemRoot%\System32\drivers\etc]
-
The Trojan then makes changes to the registry, such as setting the IE start page to "google.com", which results in a redirection to the IP 207.44.220.30 -
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
"Search Bar" = http://www.google.com/ie
"Use Search Asst" = no
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\
"(Default)" = http://www.google.com/keyword/%s
-
The Trojan makes the following adjustments to the registry, essentially reassigning the DNS server entries on the infected system, among other changes -
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3A894951-8A04-461E-A4D2-25641809558E}\
"NameServer" = 69.57.146.14,69.57.147.175
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{E3654B78-2100-4E8D-921D-45611F307337}\
"NameServer" = 69.57.146.14,69.57.147.175
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows\
"NameServer" = 69.57.146.14,69.57.147.175
"r0x" = your s0x
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VxD\MSTCP\
"Domain" = mydomain.com
"EnableDNS" = 1
"NameServer" = 69.57.146.14,69.57.147.175
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3A894951-8A04-461E-A4D2-25641809558E}\
"NameServer" = 69.57.146.14,69.57.147.175
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E3654B78-2100-4E8D-921D-45611F307337}\
"NameServer" = 69.57.146.14,69.57.147.175
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\windows\
"NameServer" = 69.57.146.14,69.57.147.175
"r0x" = your s0x
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VxD\MSTCP\
"Domain" = mydomain.com
"EnableDNS" = 1
"NameServer" = 69.57.146.14,69.57.147.175
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{3A894951-8A04-461E-A4D2-25641809558E}\
"NameServer" = 69.57.146.14,69.57.147.175
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{E3654B78-2100-4E8D-921D-45611F307337}\
"NameServer" = 69.57.146.14,69.57.147.175
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\windows\
"NameServer" = 69.57.146.14,69.57.147.175
"r0x" = your s0x
-
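Added example (not part of the Fortinet write-up): a Python triage script that checks for the two persistence points described above, a HOSTS file mapping many search-engine names to one external address, and Tcpip\Parameters values whose DataBasePath or NameServer have been rewritten. The HOSTS text and the .reg-style export it parses are constructed samples that reuse the addresses listed in the analysis, not captured artefacts; the trusted resolver 10.0.0.53 is a placeholder an operator would replace with their own DNS servers.

```python
"""Triage checks for the HOSTS-redirect and DNS-server changes described above.

The HOSTS text and the .reg-style export below are constructed samples that
reuse the addresses listed in the analysis; they are not captured artefacts.
"""
import ipaddress
import re
from collections import defaultdict

# Default HOSTS location on Windows; the Trojan points DataBasePath elsewhere.
DEFAULT_DATABASEPATH = r"%SystemRoot%\System32\drivers\etc"

# Constructed sample: a HOSTS file in the style the analysis describes.
SAMPLE_HOSTS = """\
# constructed sample, not a real capture
127.0.0.1       localhost
207.44.220.30   www.google.com
207.44.220.30   google.com
207.44.220.30   search.yahoo.com
207.44.220.30   www.altavista.com
207.44.220.30   search.msn.com
"""

# Constructed sample: a reg.exe-style export of the values the Trojan rewrites.
# (.reg files escape backslashes inside string data as \\)
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DataBasePath"="%SystemRoot%\\help"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3A894951-8A04-461E-A4D2-25641809558E}]
"NameServer"="69.57.146.14,69.57.147.175"
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs from HOSTS text; comments and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # first field is not an address
        entries.extend((ip, name.lower()) for name in names)
    return entries


def find_hosts_sinkholes(entries, min_names=5):
    """Return {ip: [names]} for external addresses that collect many hostnames.

    Loopback and unspecified targets are ignored so that ad-blocking HOSTS files
    (hundreds of names -> 127.0.0.1 or 0.0.0.0) do not raise a finding.
    """
    by_ip = defaultdict(set)
    for ip, name in entries:
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            continue
        by_ip[ip].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) >= min_names}


_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Parse a .reg-style export into {key_path: {value_name: data}} (string values only)."""
    values = defaultdict(dict)
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and key:
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")  # undo .reg backslash escaping
            values[key][name] = data
    return dict(values)


def check_tcpip_values(values, trusted_nameservers):
    """Flag a relocated DataBasePath and any NameServer entry outside the trusted set."""
    findings = []
    for key, vals in values.items():
        if key.lower().endswith(r"\services\tcpip\parameters"):
            path = vals.get("DataBasePath")
            if path is not None and path.lower() != DEFAULT_DATABASEPATH.lower():
                findings.append(f"DataBasePath redirected to {path} ({key})")
        ns = vals.get("NameServer")
        if ns:
            unknown = [s.strip() for s in ns.split(",") if s.strip() and s.strip() not in trusted_nameservers]
            if unknown:
                findings.append(f"untrusted NameServer {','.join(unknown)} ({key})")
    return findings


def triage(hosts_text, reg_text, trusted_nameservers):
    """Run both checks and return the combined list of finding strings."""
    findings = []
    for ip, names in find_hosts_sinkholes(parse_hosts(hosts_text)).items():
        findings.append(f"HOSTS maps {len(names)} names to {ip}: {', '.join(names)}")
    findings.extend(check_tcpip_values(parse_reg_export(reg_text), trusted_nameservers))
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_HOSTS, SAMPLE_REG, {"10.0.0.53"}):  # placeholder trusted resolver
        print(line)
```

On a live host the same functions can be fed the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters` and the file named by DataBasePath rather than the default HOSTS path, since the point of the Trojan's DataBasePath change is that the file under drivers\etc is no longer the one being consulted.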
The Trojan alters existing key values in the registry with its own criteria -
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
"Search Page" = http://www.google.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\
"provider" = gogl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
"MigrateProxy" = 00, 00, 00, 00
* Original value may have been [01, 00, 00, 00]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\
"SearchAssistant" = http://www.google.com/ie
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VxD\MSTCP\
"HostName" = host
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VxD\MSTCP\
"HostName" = host
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{8870A8C0-3355-4DF1-BF37-AFE700F47881}\
"NameServer" = 69.57.146.14,69.57.147.175
-
Lastly, the VBScript may delete the file AOLFIX.EXE
Recommended Action
- Disallow ActiveX when viewing web pages
- If your organization does not use HTML Application file types for normal business use, delete the registry key associated with HTML Application file types, which ultimately access MSHTA.EXE locally -
HKEY_CLASSES_ROOT\.hta
Prior to deleting this key, users should back up the registry