Information Technology Systems and Services at Stanford

ITSS Information Security Services

ITSS Security Alert: Qhosts Trojan at Stanford -- 2 October 2003



Summary

Update 6 October 2003: To remove the IE vulnerability that allows the Qhosts exploit to succeed without user intervention, install the MS03-040 patch by using Internet Explorer to visit http://windowsupdate.microsoft.com and install all critical updates.

A newly discovered exploit, called Trojan.Qhosts by Symantec, abuses a vulnerability in Microsoft Internet Explorer to disrupt network operations such as Web browsing and email. If you run Windows and Internet Explorer, and as of 2 October 2003 you unexpectedly lose the ability to surf the Web or perform other network actions (file sharing, reading email, etc.), there are two common explanations on Stanford's network:

  1. Your machine has not been patched against the vulnerabilities described in MS03-039, and you've been "black-holed" until your machine is up to date. This is an action taken by ITSS in order to protect Stanford's network from the wide variety of Windows attacks we've had in August and September 2003.

    Are you black-holed? Search for your machine's IP address

    Cleaning and repairing your black-holed machine

  2. Your machine has been compromised by the Qhosts Trojan. To verify this, download the latest Norton/Symantec Anti-Virus signatures and run a full disk scan.

Technical Details

Reports of problems with Windows-based name resolution -- the service that maps a computer's name to its numeric network address -- first surfaced on mailing lists Wednesday 1 October 2003. As explained by Russ Cooper, the moderator of the NTBugtraq mailing list, the disruption is caused by an attack delivered through an as-yet-unpatched vulnerability in Windows Internet Explorer [1]. The original version of the exploit redirected a pop-up ad hosted by FortuneCity.com to a site hosted by Everyone's Internet (EV1.NET). This malicious server takes advantage of the HTML application vulnerability in IE [2], which may allow an attacker to run exploits within the security context of the trusted local system [3,4].

Once Qhosts is installed, it modifies the way the victim machine translates destination host names into network addresses, either by supplying a hard-coded hosts file that maps common Internet destinations to counterfeit addresses, or by telling the victim machine to use the attacker's server for name resolution rather than the authorized (usually local) name server. The most common signs of a Qhosts infection are disrupted Internet service, a change in the victim's name server configuration, and the presence of a number of registry keys detailed in Symantec's analysis of Trojan.Qhosts [5].

To quickly tell whether or not you've been hit by this exploit, go to Start --> Run and type command. You'll get a DOS command box, in which you should type ipconfig /all. Look for the "DNS Servers" entry. A healthy machine looks something like this:

In particular, almost all machines on the main Stanford campus have DNS servers whose addresses begin with "171.64". If your machine lists any of these addresses for its DNS servers, it's probably been compromised by Qhosts:

64.191.59.85
64.191.95.139
69.57.146.14
69.57.147.175
207.44.194.56
216.127.92.38

Reports from Stanford system administrators and Internet mailing lists suggest that there are at least three different variants of this exploit in circulation.
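The two checks described above, the DNS-server test from ipconfig /all and a look at the hosts file Qhosts rewrites, as a small script run over constructed sample output. This is an added example, not part of the ITSS alert: the rogue DNS addresses are the six listed above and the 171.64 campus prefix is the alert's, while the specific resolver 171.64.7.55, the hosts entry, and the rule that a clean hosts file contains only the localhost line are my own constructed sample data and assumptions.

```python
import re

# DNS server addresses the alert associates with Qhosts.
QHOSTS_DNS = {"64.191.59.85", "64.191.95.139", "69.57.146.14",
              "69.57.147.175", "207.44.194.56", "216.127.92.38"}
CAMPUS_PREFIX = "171.64."  # campus resolvers begin with 171.64 (per the alert)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def dns_servers(ipconfig_text):
    # Collect addresses from the 'DNS Servers' line and from the indented
    # continuation lines ipconfig prints when several servers are configured.
    servers, in_dns = [], False
    for line in ipconfig_text.splitlines():
        if "DNS Servers" in line:
            in_dns = True
        elif in_dns and not IPV4.fullmatch(line.strip()):
            in_dns = False
        if in_dns:
            servers.extend(IPV4.findall(line))
    return servers

def check_dns(ipconfig_text):
    # 'qhosts' = on the alert's list, 'ok' = campus resolver,
    # 'unexpected' = neither (worth a look, but not proof of infection).
    verdict = {}
    for ip in dns_servers(ipconfig_text):
        verdict[ip] = ("qhosts" if ip in QHOSTS_DNS else
                       "ok" if ip.startswith(CAMPUS_PREFIX) else "unexpected")
    return verdict

def suspicious_hosts_entries(hosts_text):
    # Every (address, name) pair except the stock '127.0.0.1 localhost' line.
    # Assumption, not from the alert: a clean hosts file has only that line.
    hits = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            if (fields[0], name) != ("127.0.0.1", "localhost"):
                hits.append((fields[0], name))
    return hits

# Constructed samples: `ipconfig /all` from a machine Qhosts has reconfigured, and a
# hosts file with one counterfeit entry (192.0.2.10 is a documentation address).
SAMPLE_IPCONFIG = """\
        Host Name . . . . . . . . . : host
        DNS Servers . . . . . . . . : 69.57.146.14
                                      171.64.7.55
"""
SAMPLE_HOSTS = "127.0.0.1  localhost\n192.0.2.10  www.google.com  # counterfeit\n"
```

Paste the real ipconfig /all output and hosts file contents in place of the samples; any 'qhosts' verdict or unexpected hosts entry is the cue to run the full scan described under Countermeasures.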

Countermeasures

Norton's Intelligent Update dated 2 October 2003 and later will detect and remove Qhosts. Norton has rated this exploit as low risk, so the Live Update signatures will not include this attack until next Wednesday, 8 October 2003.

Local copy of Norton Intelligent Update for 2 October 2003

Numerous members of Stanford's Expert Partners mailing list report that Norton does not entirely remove Qhosts from an infected system. Once a full scan has detected and removed the infected files, you must manually edit the system registry and the hosts file to change the DNS settings back to their normal values. Here's a step-by-step guide to making those changes, based on Symantec's manual removal instructions, with corrections provided by Expert Partners:

  1. If you're running Windows ME or Windows XP, disable the System Restore capability so infected files can be completely deleted from your machine.

    Disabling System Restore on WinME
    Disabling System Restore on WinXP


  2. Update your NAV/SAV definitions using Intelligent Update dated 2 October 2003 or later.
  3. Perform a full disk scan to remove all files infected with the Qhosts exploit.
  4. Remove the system registry changes created by Qhosts. Note: the Windows registry controls all facets of the operation of your Windows system. Making mistakes while editing the registry can make your system unusable. Proceed with great caution. Consult HelpSU for assistance if you are not comfortable making these changes yourself.
  • Go to Start --> Run, and type regedit in the box. Then click OK to bring up the registry editor.
  • Navigate to the key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VxD\MSTCP

  • In the right pane, delete the values:

    "EnableDNS"="1"
    "NameServer"="<IP address specified in the batch file>"
    "HostName"="host"
    "Domain"="mydomain.com"

  • Navigate to the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings and delete the values "ProxyEnable"="0" and "MigrateProxy"="0".

  • Navigate to the key:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main and delete the values:

    "Use Search Asst"="no"
    "Search Page"="http://www.google.com"
    "Search Bar"="http://www.google.com/ie"

  • Navigate to the key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL and delete the values ""="http://www.google.com/keyword/%%s" and "provider"="gogl".

  • Navigate to the key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search and delete the value "SearchAssistant"="http://www.google.com/ie".

  • Delete the value "r0x"="your s0x" from two keys, HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\Windows and HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\Windows

  • Modify the value: "DataBasePath"="%SystemRoot%\help" to "DataBasePath"="%SystemRoot%\System32\drivers\etc" in two keys, HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters and HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters.
  • In the keys HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces and HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces, restore the value "NameServer"="<IP address specified in the batch file>" (in many cases, the default configuration has an empty string for this value, but Symantec provides no information on how to tell what it "ought" to be).

  5. Remove the changes made by Qhosts to the hosts file, if one exists on your computer. The hosts file lives in different places on different versions of Windows, so the easiest way to find it is the OS search function. Once you've found it, open it using Notepad and remove the entries Qhosts added for the computer names listed in Symantec's analysis of Trojan.Qhosts [5].


Save your changes and exit Notepad. Then reboot your system and you're finished.

References

[1] IE users attacked via unpatched vulnerability

[2] Bad News: Microsoft Bulletin MS03-032

[3] Unpatched IE Security Holes

[4] Unpatched IE Security Holes (by date) (search for "HTA")

[5] Symantec Security Response: Trojan.Qhosts


Last modified Wednesday, 08-Feb-2006 11:46:29 PST

© 2003, Stanford University. All rights reserved.