(Trojan.Win32.Qhost.wu, Trojan.Qhost.45077, W32/Trojan2.JRR, W32/Qhost.WU!tr, TR/Qhost.WU, Win32:Qhost-BGZ [Trj])
- Pages which normally contain advertisements from Google either don't display the advertisements or display advertisements from another source (not Google)
- The "hosts" file, used to provide local storage for domain name / IP mappings, contains a line redirecting the host "pagead2.googlesyndication.com"
To check if you are affected, you should issue the following command (from the command line or from Start -> Run):
ping -t pagead2.googlesyndication.com
The response should look similar to this:
Pinging pagead.l.google.com [6x.xxx.xxx.xxx] with 32 bytes of data:
where the x's represent digits. If you are not infected, the first digit will be a 6 (as in the example). If you are infected, the first digit will be a 9.
Please let BitDefender delete the infected files. To restore the "hosts" file, remove the line containing "pagead2.googlesyndication.com" from it.
Attila Balazs, virus researcher
Google Adsense is a service offered by Google which places advertisements in web pages. The advertisements are targeted (meaning that they are in concordance with the topic of the webpage), making them more effective. The revenue from every click on the advertisements is shared between Google and the webpage owner.
This malware uses the "hosts" file (located in the "%WINDIR%\System32\drivers\etc" directory) to redirect requests intended for the Google Adsense servers to a malicious host. This file is used as a first step in the name / IP translation process, and if an entry is located in this file, the domain name server is not queried. The malware creates an entry redirecting pagead2.googlesyndication.com to a rogue server.
This server, rather than displaying advertisements from Google, displays advertisements from third-party services. This damages both users (because the advertisements and/or the linked sites may contain malicious code - a very likely situation, given that they are promoted using malware in the first place) and webmasters (because they take away viewers and thus possible money sources from their websites).
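The hosts-file check and cleanup described above, as an added Python example (not BitDefender's code). The function names are hypothetical, and the sample hosts content and the 192.0.2.10 documentation address are constructed; pass the path to a real hosts file as the first argument to check it instead.

```python
import sys

TARGET = "pagead2.googlesyndication.com"  # hostname named on this page

def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for each active hosts-file entry."""
    for no, raw in enumerate(text.splitlines(), 1):
        # Everything after '#' is a comment; fields are split on spaces or tabs.
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            # Hostnames are case-insensitive; a trailing dot names the same host.
            yield no, fields[0], [h.lower().rstrip(".") for h in fields[1:]]

def find_redirects(text, target=TARGET):
    """Return [(line_no, ip)] for every active entry that maps `target`."""
    return [(no, ip) for no, ip, hosts in parse_hosts(text) if target in hosts]

def clean_hosts(text, target=TARGET):
    """Return the hosts text with every line that maps `target` removed."""
    bad = {no for no, _ in find_redirects(text, target)}
    kept = [l for no, l in enumerate(text.splitlines(), 1) if no not in bad]
    return "\n".join(kept) + "\n"

# Constructed sample: 192.0.2.10 is a placeholder, not the real rogue server.
SAMPLE = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
# 192.0.2.10 pagead2.googlesyndication.com   (commented out: inactive)
192.0.2.10\tPAGEAD2.googlesyndication.com  # constructed malicious entry
10.0.0.5        intranet.example
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # utf-8-sig tolerates a byte-order mark left by some editors.
        with open(sys.argv[1], encoding="utf-8-sig", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE
    hits = find_redirects(text)
    for no, ip in hits:
        print(f"line {no}: {TARGET} is redirected to {ip}")
    if not hits:
        print(f"no hosts entry for {TARGET}")
```

Any active entry for this hostname is suspicious, since a clean hosts file does not list it; `clean_hosts` returns the text to write back once the infected files have been deleted.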