Trojan.Qhost.WU

Aliases: Trojan.Win32.Qhost.wu, Trojan.Qhost.45077, W32/Trojan2.JRR, W32/Qhost.WU!tr, TR/Qhost.WU, Win32:Qhost-BGZ [Trj]

Symptoms

  • Pages which normally carry advertisements from Google either show no advertisements or show advertisements from another source (not Google)
  • The "hosts" file, which provides local storage for domain name / IP mappings, contains a line redirecting the host "pagead2.googlesyndication.com"

To check whether you are affected, issue the following command (from the command line or from Start -> Run; the -t switch keeps pinging until you press Ctrl+C):

ping -t pagead2.googlesyndication.com

The response should look similar to this:

Pinging pagead.l.google.com [6x.xxx.xxx.xxx] with 32 bytes of data:

where the x's represent digits. If you are not infected, the first digit of the address will be a 6 (as in the example). If you are infected, the first digit will be a 9.

Removal instructions:

Please let BitDefender delete the infected files. To restore the "hosts" file, remove from it the line containing "pagead2.googlesyndication.com".

Analyzed By

Attila Balazs, virus researcher

Technical Description:

Google Adsense is a service offered by Google which places advertisements in web pages. The advertisements are targeted (meaning that they match the topic of the webpage), making them more effective. The revenue from every click on the advertisements is shared between Google and the webpage owner.

The advertisements are embedded by the webmaster, who includes a small piece of HTML / JavaScript (provided by Google) in the webpages that should present them. This code contacts the Google Adsense servers, which deliver the targeted advertisements.

This malware uses the "hosts" file (located in the "%WINDIR%\System32\drivers\etc" directory) to redirect the initial query for the Google Adsense servers to a malicious host. This file is consulted as the first step of the name / IP translation process, and if an entry for the name is found in it, the domain name server is not queried at all. The malware adds an entry redirecting pagead2.googlesyndication.com to a rogue server.
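The symptom check and the removal step above can both be expressed as a small hosts-file parser. The following is an added example written for this description and is not Bitdefender's own tool: it parses hosts-file text (comments, tabs, several hostnames per line), flags any entry that maps pagead2.googlesyndication.com to a non-local address, and produces a cleaned copy with that line removed, which is exactly what the removal instructions ask for. The embedded sample file is constructed for illustration; its rogue address 192.0.2.10 is a documentation (TEST-NET-1) address, not an indicator from a real infection. The helper `check_windows_hosts` reads the real file at the path the description names, if it exists on the machine.

```python
import os
from pathlib import Path

# Hostname the description says the Trojan redirects.
WATCHED_HOSTS = {"pagead2.googlesyndication.com"}

# Mapping a name to one of these only blocks it; it does not redirect it to a rogue server.
LOCAL_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Parse hosts-file text into (line_number, ip, [hostnames]) tuples.

    Comment lines and trailing '# ...' comments are ignored; fields may be
    separated by any mix of spaces and tabs; one line may list several names.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no hostname is not a usable mapping
        ip, names = parts[0], [n.lower() for n in parts[1:]]
        entries.append((lineno, ip, names))
    return entries


def find_redirects(text, watched=WATCHED_HOSTS):
    """Return [(line_number, ip, [matched names])] for entries that send a
    watched hostname anywhere other than a local (blocking) address."""
    hits = []
    for lineno, ip, names in parse_hosts(text):
        matched = watched & set(names)
        if matched and ip not in LOCAL_ADDRS:
            hits.append((lineno, ip, sorted(matched)))
    return hits


def clean_hosts(text, watched=WATCHED_HOSTS):
    """Return the hosts text with the redirecting line(s) removed; every
    other line, including comments and legitimate entries, is kept as-is."""
    bad_lines = {lineno for lineno, _, _ in find_redirects(text, watched)}
    kept = [raw for n, raw in enumerate(text.splitlines(), start=1) if n not in bad_lines]
    return "\n".join(kept) + ("\n" if text.endswith("\n") else "")


def check_windows_hosts():
    """Read the live hosts file at the location given in the description.
    Returns the list of redirects, or None if the file is not present."""
    windir = os.environ.get("WINDIR", r"C:\Windows")
    path = Path(windir) / "System32" / "drivers" / "etc" / "hosts"
    if not path.is_file():
        return None
    return find_redirects(path.read_text(encoding="utf-8", errors="replace"))


# Constructed sample hosts file (not taken from a real infected machine).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10\tpagead2.googlesyndication.com   # constructed rogue entry
127.0.0.1 ads.example.net  # a blocking entry, which is harmless
"""

if __name__ == "__main__":
    for lineno, ip, names in find_redirects(SAMPLE_HOSTS):
        print(f"line {lineno}: {', '.join(names)} redirected to {ip}")
    print("--- cleaned copy ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

Run against the sample, the script reports the single rogue line and prints a copy without it; on a Windows machine, `check_windows_hosts()` applies the same check to the real file. The cleaned text is returned rather than written back so that a reviewer can inspect it before replacing the system file.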

This server, rather than delivering advertisements from Google, delivers advertisements from third-party services. This harms both users (because the advertisements and/or the linked sites may contain malicious code, a very likely situation given that they are promoted using malware in the first place) and webmasters (because it takes viewers, and thus possible revenue, away from their websites).