Name: wawadave
Trojan Takes Over Browser, Changes DNS Server Setting
October 2, 2003
Several security vendors Thursday issued alerts for QHosts-1, a Trojan whose purpose is to "hijack" browser use. When page requests are made, they are rerouted to specified Domain Name Servers. This allows a remote "administrator" to direct users to the pages of their choosing, according to McAfee. For example, if an infected user attempted to navigate to http://www.google.com, they would be routed to a different site.
The operations of the Trojan are as follows:
1. A user is directed to a Web site that contains Exploit-ObjectData code. NOTE: The MS03-032 patch does not protect against this attack vector. This allows for the automatic execution of VBScript contained in an HTML file (x.hta).
2. This VBScript drops the file AOLFIX.exe in the %TEMP% directory
3. This dropped AOLFIX.exe is run, which may perform different tasks (2 variants are known to exist)
4. The VBScript creates the file O.BAT, which cleans up after the Trojan by deleting the dropped AOLFIX.exe file and the O.BAT file.
More information is at this McAfee page.
According to Sophos, Troj/Qhosts-1 is a Trojan that changes the Windows primary DNS server setting so that all infected machines use the same host for the DNS queries. If the number of infected computers is high, it may effectively launch a denial of service attack on the DNS server.
Troj/Qhosts-1 also "hijacks" Internet Explorer browser usage so that the Web requests are redirected to the server chosen by the Trojan writer. The Trojan is installed and run if a user visits a web page that exploits a vulnerability in Internet Explorer. A VB script embedded in the Web page is run automatically when the page is viewed using Internet Explorer.
The VB script drops and runs file aolfix.exe to the user's temporary folder. Aolfix.exe is a Windows batch file that is converted to the Windows binary executable using the demo version of the Batch file Compiler V5.1 utility. Aolfix.exe creates a hidden folder bdtmp\tmp, extracts a batch file with a random name and runs the batch file.
The batch file creates several files in the Windows folder. The file Hosts is responsible for the Internet Explorer "hijack". Troj/Qhosts-1 copies the file HOSTS into the folder \Help and appends the original HOSTS file to it.
More information is at this Sophos page.
Trojan.Qhosts is a Trojan that will modify the TCP/IP settings to point to a different DNS server, according to Symantec. Trojan.Qhosts does not have the ability to spread. For a machine to become infected, a user must open an html page that contains the means to open the viral html file on the target's machine, such that the script is able to create and run the malicious executable.
Technical details are at this Symantec page.
Excel Virus Creates File
XF97/Wisab-A is an Excel formula virus that spreads using a Formula Sheet called XL4Test5. The virus creates a file in the XLSTART directory called BOOK1.
For instructions on disinfecting macro viruses, visit this Sophos page.
Worm Mails Itself Out, Uploads User Information to Server
W32.Logitall.A@mm is a mass-mailing worm that sends itself to the addresses found on the system. The worm also uploads user information to an FTP server that the worm's author specifies.
Technical details are at this Symantec page.
VB Worm Sends Email About Attached Picture
VBS.Mill.H is a Visual Basic Script worm that uses Microsoft Outlook to send itself to all the contacts in the Outlook Address Book. It also attempts to spread itself through KaZaA, Pirch, and mIRC. The email has the following characteristics:
Subject: my picture
Message: check out the attached pic
Attachment: The attachment file name will vary.
Find out what happens when the worm is run, at this Symantec page.
Trojan Modifies Some IE Settings
Js.Seeker.K is a Trojan Horse that uses the Windows Scripting Host (WSH) to run. It modifies some Internet Explorer settings and adds a shortcut to the Favorites folder.
More information is at this Symantec page.
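The HOSTS-file tampering Sophos describes above (redirecting entries written first, with the original HOSTS file appended after them) can be checked for with a small audit script. This is an added example, not code from any of the vendors quoted; the watched hostnames and the sample file are constructed assumptions.

```python
"""Audit a Windows HOSTS file for QHosts-style tampering (added example).
The Trojan writes redirecting entries first and appends the original HOSTS
file after them; Windows uses the first match, so the injected line wins."""
import ipaddress

# Constructed sample in the layout described above. 192.0.2.10 is a
# documentation (TEST-NET-1) address, not a real indicator from the Trojan.
SAMPLE_HOSTS = """\
192.0.2.10   www.google.com
192.0.2.10   google.com
192.0.2.10   www.yahoo.com
# Copyright (c) 1993-1999 Microsoft Corp.   <- start of the appended original
127.0.0.1    localhost
127.0.0.1    www.google.com
"""

# Public hostnames to watch; the alerts name search engines as the targets.
WATCHED = {"google.com", "www.google.com", "www.yahoo.com"}

def parse_hosts(text):
    """Return (address, hostname) pairs in file order, skipping comments and
    lines whose first field is not a valid IPv4/IPv6 address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.extend((addr, host.lower()) for host in fields[1:])
    return entries

def audit_hosts(text, watched=WATCHED):
    """Return findings as strings; an empty list means nothing suspicious.
    Heuristic 1: a watched name mapped to a non-loopback address.
    Heuristic 2: a name listed twice (same address family) with different
    addresses, i.e. the earlier, effective entry shadows the appended one."""
    findings, first_seen = [], {}
    for addr, host in parse_hosts(text):
        if host in watched and not addr.is_loopback:
            findings.append(f"{host} -> {addr}: watched name pinned to non-loopback address")
        key = (host, addr.version)
        effective = first_seen.setdefault(key, addr)
        if effective != addr:
            findings.append(f"{host}: effective entry {effective} shadows later entry {addr}")
    return findings
```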

Today's roundup of virus alerts:
Nothing new to report today, so we bring you Central Command's
Dirty Dozen for September 2003:
1. Worm/Sobig.F
2. Worm/Gibe.C
3. Worm/Nachi.A
4. Worm/Dumaru.A
5. Worm/Klez.E (including G)
6. Worm/MiMail.A
7. Worm/Lovsan.A
8. Worm/BugBear.B
9. Worm/Sobig.A
10. Worm/Sircam.A
11. W32/Funlove
12. W32/Yaha.E

Thanks! So that is what it was. I got hit by this QHosts-1 very early Monday morning. Noticed it by accident when checking LAN settings. Noticed the "strange" DNS setting where there should not be one. Then discovered the junk added to my HOSTS file.
Nothing detected a Virus/Trojan (had all Windows Updates too), but SpyBot found a few things in the TEMP folder and deleted them. I removed the DNS (kept coming back) and fixed the HOSTS file, but IE developed a strange problem. When you entered a URL, nothing would happen! Then after about 5 minutes that browser window would start working. You could clone the window and it would work, but any new IE window would not work for 5 minutes. Rebuilt IE, no fix. Removed and reinstalled IE, no fix. Reinstalled Windows ME and then IE and did the updates and everything was back to normal.
I missed the copy of the HOSTS file over in Windows\HELP. So thanks for the post. Looks like I will have to scan again and see if AV now picks up any part of it that I missed. Looks like I got it before the AV sites had fixes for it.

thx for the update on qhost jackg
Panda Software warns about the Trojan Hatoy -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, October 2, 2003 - The free online antivirus solution, Panda ActiveScan, has detected a significant increase in the number of computers affected by the Trojan Hatoy (Trj/Hatoy.A), first detected by PandaLabs a few days ago. This malicious code is designed to change the TCP/IP settings of computers so that they point to a different DNS server than the one they had configured. Basically, DNS servers ensure that when a user enters an address in the Internet browser, the corresponding website is displayed.

For this reason, the main effect of Hatoy is that when users try to connect to any web page, it re-routes them to a different page selected by the virus author.

Hatoy cannot spread by itself and therefore the only way a user can become infected is by visiting web pages that have been especially constructed to exploit the Object Type vulnerability that affects the browser Microsoft Internet Explorer. This security flaw allows files contained in web pages that exploit this vulnerability to be automatically run. More information about this vulnerability and the patch that fixes it is available at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-032.asp

As a result, if users visit a web page that has been especially designed to automatically download and run Hatoy, their computers will be immediately infected. Once it has been installed on a computer, this Trojan modifies the Windows registry and creates several files.

Due to the means of transmission used by this malicious code, it is suspected that the address of a website designed to distribute Hatoy has been sent as spam. This would explain why the number of incidents caused by this Trojan has significantly increased several days after it appeared.

According to data collected by the free online antivirus, Panda ActiveScan, the number of computers infected by this Trojan is rising. Therefore, in order to avoid being infected by Hatoy, Panda Software advises users to treat all e-mails received with caution and to update their antivirus solutions immediately. The company has already made the updates to its products available to users to ensure their solutions can detect and eliminate Hatoy. Those whose software is not configured to update automatically should update their solutions from http://www.pandasoftware.com.

Users can also scan their computers using the free, online antivirus, Panda ActiveScan, which is available on the company's website at http://www.pandasoftware.com.

For more information about Hatoy and other malicious code, visit Panda Software's Virus Encyclopedia at the following address:
http://www.pandasoftware.com/virus_info/encyclopedia/

Additional information
- Trojan: Strictly speaking, a Trojan is not a virus, although it is often thought of as such. Really they are programs that enter computers (in a number of ways) and carry out actions that enable them to take control of the affected computer.
- Vulnerability: Flaws or security holes in a program or IT system, often used by viruses as a means of infection.

More definitions of virus and antivirus terminology at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx

NOTE: The addresses above may not show up on your screen as single lines. This would prevent you from using the links to access the web pages. If this happens, just use the "cut" and "paste" options to join the pieces of the URL.
--

Security experts have warned that a vulnerability that has apparently been left un-patched by Microsoft is being exploited by attackers "in the wild".
The 'object type' vulnerability, which was first acknowledged publicly by Microsoft on 20 August this year, allows an attacker to take control of a system by embedding malicious code in a web page. If the web page is viewed by an Internet Explorer browser - even a fully patched browser - the malicious code embedded in the web page will execute, experts say. Despite Microsoft acknowledging the patch doesn't work, it evidently has not yet issued a working fix for the vulnerability.
US-based information security company iDefense released a statement over the weekend claiming the vulnerability is being actively exploited "in the wild".
"Whether you are patched or not, attackers can execute code on your computer at will when you visit a hostile website when using vulnerable versions of Internet Explorer," the statement read.
The relevant Microsoft bulletin was issued on 20 August and last updated on 8 September.
"Subsequent to issuing this security bulletin, Microsoft received reports that the patch provided with this bulletin does not properly correct the Object Type Vulnerability," Microsoft's security bulletin reads. "Microsoft is investigating these reports and will re-issue this bulletin with an updated patch that corrects these problems."
Managing director of mail filtering software company Clearswift, Chy Chuawiwat, told ZDNet Australia the vulnerability is serious. "It's definitely there and it continues to be easy to exploit," he said. "It could run anything and the users wouldn't know."
Chuawiwat suggests users disable ActiveX controls and plug-ins until Microsoft issues a patch that fixes the vulnerability. "For most enterprises there's no need for ActiveX so it should be disabled," he said. "Our standard policy would remove executables including ActiveX."
Users can disable ActiveX controls in their Internet Explorer settings by clicking Tools, Internet Options, Security, and then modifying the settings for the 'Internet Zone'. Ironically, in order to patch the system through Microsoft's WindowsUpdate website when a fix becomes available, users must allow ActiveX controls and plug-ins to run in the Internet Zone.
Patrick Gray writes for ZDNet Australia
Data Object Exploit patch fails!
Activex will cause you grief. My rule is, only allow microsuck.
To set Internet Explorer to prompt you when an ActiveX control is loaded:
Go to Tools->Internet Options.
Click on the Security tab.
Click on the Custom Level button.
Under the ActiveX section set the following controls to Prompt or disable:
Download signed ActiveX controls
Download unsigned ActiveX controls
Initialize and script ActiveX controls not marked as safe
Run ActiveX controls and plug-ins
Script ActiveX controls marked safe for scripting
Press the OK buttons to close the dialog boxes.
Browser Security Tests
http://www.jasons-toolbox.com/BrowserSecurity/
Thanks for your post Dave.

thank you ab!
- Weekly virus report -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, October 3, 2003 - Today's report on malicious code centers on the Trojans -Hatoy.A, Petala.A and six variants of Istbar-, and three worms -Dozer.A, Simbag.A and Holar.I-.

Hatoy.A reaches computers when users access a malicious web page. To do this it exploits the 'Object type' Microsoft Internet Explorer vulnerability, which allows files in certain pages to be run locally. Once it is executed, and when users try to access certain search engines, Hatoy.A redirects them to an IP address that could host different pages.

Petala.A is a backdoor Trojan that spreads across networks and IRC. This malicious code could give hackers remote access to the computer, with which they could use IRC commands in order to copy files, terminate processes, etc., thus compromising confidential data and interfering with the use of the PC.

The B, C, D, E, F and G variants of the Istbar Trojan install spyware and dialers on the computer without users' knowledge. They also display different screens with advertising for pornographic websites and add a toolbar to the Internet Explorer browser.

The first worm we'll be looking at in today's report is Dozer.A, which sends itself to all MSN Messenger contacts in the compromised PC. In order to trick users, it sends itself in an e-mail which claims to contain a patch for MSN Messenger sent by Microsoft. However, when this file is run, a false error message is displayed to confuse the victim. Dozer.A creates various Windows registry keys and intercepts and terminates antivirus and firewall processes.

Simbag.A also spreads via MSN Messenger, sending a copy of itself to all contacts it finds. It also creates links to different erotic websites and generates the following files in the Windows directory: SMB.EXE, ADMAGIC.EXE, TEST.TXT, SM.DLL, RAW32X.DLL and UZ.exe.

Finally, Holar.I spreads via e-mail and the KaZaA file sharing program. It changes the home page of Internet Explorer and when it has run more than thirty times it disables the mouse and the keyboard.

More information on these and other malicious code is available at the Panda Software Virus Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia/

Additional information
- Backdoor: This is an entry point, through either hardware or software, that can give access to a computer and could be used to take partial or complete control of the system.
- Dialer: This is a program that is often used to maliciously redirect Internet connections. When used in this way, it disconnects the legitimate telephone connection used to hook up to the Internet and re-connects via a premium rate number.
- Spyware: A program that is automatically installed with another (without the user's permission and even without the user realizing), which collects personal data (data on Internet access, actions carried out while browsing, pages visited, programs installed on the computer, etc.).

More definitions of virus and antivirus terminology at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx

NOTE: The addresses above may not show up on your screen as single lines. This would prevent you from using the links to access the web pages. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL.
