Trojan.Win32.Qhost.hc

Technical Details

This Trojan is a modified Windows %System%\drivers\etc\hosts file, the file Windows uses to translate domain names to IP addresses. The modified file is 1861 bytes in size. The file is modified in such a way as to prevent the user from viewing the sites named in the added entries.


The following strings are added to the hosts file:


# Win32.Skowor Ransomware Host H4x0r




This modification is the result of the activity of another malicious program.
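
A defender can spot this kind of tampering by scanning a hosts file for non-local names mapped to the local machine. The following is an added example, not part of the original description; the function names and the `.example` hostnames in the sample are constructed for illustration, and treating 0.0.0.0 as a blocking address is an assumption.

```python
import ipaddress

# Names that legitimately resolve to loopback in a default hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

def parse_hosts(text):
    """Yield (line_no, address, [names]) for each well-formed hosts entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                             # blank, comment-only or incomplete line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # first field is not an IP address
        # Normalise names: hosts lookups are case-insensitive, trailing dot is optional.
        yield line_no, addr, [n.lower().rstrip(".") for n in fields[1:]]

def sinkholed_names(text):
    """Return (line_no, name) pairs for non-local names pointed at loopback or 0.0.0.0."""
    hits = []
    for line_no, addr, names in parse_hosts(text):
        if addr.is_loopback or addr.is_unspecified:
            hits += [(line_no, n) for n in names if n not in LOCAL_NAMES]
    return hits

# Constructed sample: the marker comment is the one quoted on this page,
# the hostnames are placeholders under the reserved .example domain.
SAMPLE_HOSTS = """\
# Win32.Skowor Ransomware Host H4x0r
127.0.0.1 localhost
::1 localhost
127.0.0.1 www.av-vendor.example
127.0.0.1   update.os-vendor.example scan.example  # two names, one line
0.0.0.0 WWW.News-Site.Example.
192.0.2.10 intranet.example
"""

if __name__ == "__main__":
    for line_no, name in sinkholed_names(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} is redirected to the local machine")
```

Hosts-based ad blockers produce the same pattern, so hits are best reviewed against a known-good baseline of the file.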