Trojan.Win32.VkHost.coc – Trojan has a destructive effect on the user’s computer.
Technical details
This Trojan has a destructive effect on the user’s computer. The program is a Windows executable (PE EXE file), 418,304 bytes in size, written in Delphi.
Destructive activity
After launch, the Trojan overwrites the original “hosts” file:
C:\WINDOWS\system32\drivers\etc\hosts
It writes the following into this file:
46.37.***.149 http://Www.vkontakte.ru
46.37.***.149 Vkontakte.ru
46.37.***.149 http://Www.vk.com
46.37.***.149 Vk.com
46.37.***.149 durov.ru
46.37.***.149 http://www.durov.ru
46.37.***.149 http://www.odnoklassniki.ru
46.37.***.149 odnoklassniki.ru
As a result, requests to the listed addresses are redirected to the specified IP address.
The Trojan sets the “Hidden” and “System” attributes on the modified “hosts” file.
It then creates a file:
C:\WINDOWS\system32\drivers\etc\hosts
Here the letter “o” in the file name is a Cyrillic character, so the name looks the same as the genuine “hosts”. The Trojan writes the following contents into the created file:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a # symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
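The three traces described above (redirect entries for the listed domains, a “hosts” look-alike name containing Cyrillic letters, and the “Hidden” and “System” attributes) can be checked with a short script. This is an added example, not part of the original description; the function names, the look-alike table and the sample address 203.0.113.10 are assumptions made for illustration.

```python
import ipaddress
import stat

# Cyrillic letters that render like the Latin letters in "hosts" (not exhaustive).
LOOKALIKES = {"\u043e": "o", "\u0455": "s", "\u04bb": "h"}
# Domains that appear in the Trojan's hosts entries listed on this page.
WATCHED = {"vkontakte.ru", "vk.com", "durov.ru", "odnoklassniki.ru"}

def is_decoy_name(name):
    """True if name reads as 'hosts' on screen but contains look-alike letters."""
    lowered = name.lower()
    folded = "".join(LOOKALIKES.get(c, c) for c in lowered)
    return folded == "hosts" and lowered != "hosts"

def parse_hosts(text):
    """Yield (ip, hostname) for every active mapping, ignoring comments."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for host in fields[1:]:
            yield fields[0], host.lower()

def is_loopback(ip):
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False  # unparsable address: treat as not loopback

def hijacked(text, watched=WATCHED):
    """Return mappings that send a watched domain to a non-loopback address."""
    hits = []
    for ip, host in parse_hosts(text):
        # The page lists some names with an "http://" prefix; strip it to compare.
        bare = host.removeprefix("http://").removeprefix("www.")
        if bare in watched and not is_loopback(ip):
            hits.append((ip, host))
    return hits

def hidden_and_system(attrs):
    """Check Windows attribute bits, e.g. os.stat(path).st_file_attributes."""
    mask = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM
    return (attrs & mask) == mask

# Constructed sample; 203.0.113.10 is a documentation address, not the Trojan's IP.
SAMPLE = """# comment line
127.0.0.1 localhost
203.0.113.10 http://www.vk.com
203.0.113.10 Vkontakte.ru odnoklassniki.ru
"""

if __name__ == "__main__":
    print(hijacked(SAMPLE), is_decoy_name("h\u043ests"), hidden_and_system(0x26))
```

On a live system, feed `hijacked` the text of the real hosts file and run `is_decoy_name` over every entry returned by `os.listdir` for the `drivers\etc` directory.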
Removal
If your computer was not protected by antivirus software and is infected with this malware, perform the following steps to remove it:
Delete the original Trojan file (its location on the infected computer depends on how the program originally got onto the machine).
Restore the original contents of the file:
%Windir%\system32\drivers\etc\hosts
which by default is:
# (C) Microsoft Corporation (Microsoft Corp.), 1993-1999
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on a separate line. The IP address should
# be placed in the first column followed by the corresponding name.
# The IP address and the host name should be separated by at least one space.
#
# In addition, comments (such as these) may be inserted in some lines;
# they must follow the host name and be separated from it by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # client node x

127.0.0.1       localhost