New details have emerged about a mysterious Trojan that has been changing domain name server settings on systems since yesterday.
Dubbed QHost-1 by antivirus software vendors, the Trojan changes DNS settings and renders some network-dependent services such as e-mail and Web surfing unavailable for corporate users.
Fixing systems hit by QHost isn't difficult. Security service provider Counterpane Internet Security Inc. recommends changing the DNS server settings back to their original settings. One could also obtain DNS settings from DHCP. Correcting the registry keys created by QHost is another fix.
QHost takes advantage of a new "object type" vulnerability in Microsoft's Internet Explorer browser. Exploits were discovered last weekend, alerting security experts to the flaw, which is related to a flaw Microsoft patched in August.
QHost's success likely will be limited because the Trojan cannot spread on its own. Users must be lured to a malicious Web site.
The Trojan is injected onto a system when IE links to a site hosted by Web host FortuneCity.com. When the malicious page is rendered, a series of pop-under pages are rendered by another Web host, EV1.net. One of those pop-unders from EV1.net downloads a file called aolfix.exe that infects the system with QHost.
Once on a system, QHost first removes aolfix.exe. It also changes the DNS mapping for the computer, so all requests are routed through IP addresses determined by the Trojan's author. It also redirects popular search URLs such as google.com and altavista.com to a search site of the author's choosing.
Users of infected systems may not even realize they have it. When they browse, their DNS requests will be returned but they will also get "a whole bunch of pornography and gambling pop-ups," said Russ Cooper, surgeon general at TruSecure Corp.
The Trojan does pose a privacy risk to users, because its author can obtain a record of what pages were requested. Also, the Trojan could cause problems for companies that block outbound DNS requests. Since the Trojan routes such requests outside of the company, users lose Web access.
There is no patch for the Internet Explorer flaw yet, but disabling Active Scripting would prevent infections from QHost. That would prevent the infecting pop-unders from working, but it could affect the loading of other Web sites as well.
More technical souls can remove the MIME registry key. The key is located at:
Recently, Trojans that exploit vulnerabilities have been precursors of worms. Essentially, someone takes the exploit code and inserts it into a propagation device. But Cooper doesn't think that the vulnerability exploited by QHost is ripe to be made into a worm.
"I can think of a lot of evils things to be done with this, but being used in a worm is not likely," he said.
FOR MORE INFORMATION:
Send your feedback to the SearchSecurity.com news team.