Malware Trojan.Win32.VkHost.coc

Posted: September 1, 2012 in Encyclopedia viruses

Virus alert: Trojan.Win32.VkHost.coc is a Trojan that has a destructive effect on the user’s computer.

Technical details

This Trojan has a destructive effect on the user’s computer. The program is a Windows executable (PE EXE file), 418,304 bytes in size, and is written in Delphi.

Destructive activity

After it starts, the Trojan overwrites the original “hosts” file:

C:\WINDOWS\system32\drivers\etc\hosts

It writes the following entries into this file:

46.37.***.149 http://Www.vkontakte.ru
46.37.***.149 Vkontakte.ru
46.37.***.149 http://Www.vk.com
46.37.***.149 Vk.com
46.37.***.149 durov.ru
46.37.***.149 http://www.durov.ru
46.37.***.149 http://www.odnoklassniki.ru
46.37.***.149 odnoklassniki.ru

As a result, requests to the listed addresses are redirected to the specified IP address.

The Trojan sets the “Hidden” and “System” attributes on the modified “hosts” file.

It then creates a file:

C:\WINDOWS\system32\drivers\etc\hosts

where the letter “o” in the file name is Cyrillic. The Trojan writes the following contents into the created file:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a # symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
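A detection sketch for the two artifacts described above, added here as an example and not taken from the original entry: it flags hosts entries that map the listed domains to a non-loopback address, and file names that read as “hosts” but contain look-alike Cyrillic letters. The function names, the sample hosts text and the directory listing are constructed for illustration, and 203.0.113.10 (a documentation address) stands in for the masked IP.

```python
import ipaddress
import unicodedata

# Domains the entry lists as redirected by the Trojan.
WATCHED = {"vkontakte.ru", "vk.com", "durov.ru", "odnoklassniki.ru"}
# Cyrillic letters that render like Latin letters in "hosts" (partial map, assumption).
CONFUSABLES = {"\u043e": "o", "\u0455": "s", "\u04bb": "h"}

def suspicious_entries(hosts_text, watched=WATCHED):
    """Return (ip, name) pairs mapping a watched domain to a non-loopback IP."""
    hits = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first column is not an IP address
        for raw in fields[1:]:
            # The entry shows some names with an "http://" prefix; strip it.
            name = raw.lower().removeprefix("http://").rstrip(".")
            if name.removeprefix("www.") in watched and not ip.is_loopback:
                hits.append((str(ip), name))
    return hits

def lookalike_hosts_files(filenames):
    """Return (name, code point names) for files that only look like 'hosts'."""
    found = []
    for name in filenames:
        skeleton = "".join(CONFUSABLES.get(c, c) for c in name.lower())
        if skeleton == "hosts" and name.lower() != "hosts":
            odd = [unicodedata.name(c) for c in name if ord(c) > 127]
            found.append((name, odd))
    return found

# Constructed sample input, not captured from an infected machine.
SAMPLE_HOSTS = """\
# constructed sample; 203.0.113.10 is a documentation address
203.0.113.10 http://Www.vkontakte.ru
203.0.113.10 Vk.com
127.0.0.1 localhost
203.0.113.10 example.org
"""
SAMPLE_DIR = ["hosts", "h\u043ests", "lmhosts.sam", "networks"]

if __name__ == "__main__":
    print(suspicious_entries(SAMPLE_HOSTS))
    print(lookalike_hosts_files(SAMPLE_DIR))
```

On a live system the inputs would be the contents of the hosts file and the listing of the `etc` directory; list the directory with hidden and system files included, since the modified file carries both attributes.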

Removal

If your computer was not protected by antivirus software and has been infected with this malware, remove it as follows:

Delete the original Trojan file (its location on the infected computer depends on how the program originally got onto the machine).
Restore the original contents of the file:

%Windir%\system32\drivers\etc\hosts

which by default are:

# (C) Microsoft Corporation (Microsoft Corp.), 1993-1999
#
# This is a sample file HOSTS, used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP-addresses to host names. Each
# entry should be kept on a separate line. IP-address should
# be placed in the first column followed by the corresponding name.
# IP-address and the host name should be separated by at least one space.
#
# In addition, some may be inserted
# comments (such as these), they must follow the name by a ‘#’ symbol ‘#’.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # client node x

127.0.0.1       localhost
