Thursday, October 02, 2003

Trojan.QHOSTS / QHOSTS-1

This new trojan/worm is spreading around fairly quickly - I just had to clean it off of my box here at work.

There is NO PATCH - and as of right now, nobodies' Anti-Virus software detects it.

If you use Microsoft Internet Explorer (MSIE), the only way to protect yourself (at this time) is to disable active scripting in Microsoft Internet Explorer. The way to do this is to right click on the MSIE icon on the desktop (big blue e) and then:

click Tools - Internet Options
click Security - Custom Level - Scroll down almost to the bottom to find Active Scripting, and select DISABLE.
click OK to exit and save, then OK again. When it asks you if you are sure you want to make this change, say YES.

This will protect you from this new trojan/worm, but it may also prevent certain websites from working correctly. Hopefully Microsoft will put out a patch soon.

Oh yeah, the Microsoft Update website requires Active Scripting. How nice is that? When a patch comes out, you have to re-enable it just like you disabled it. Then hopefully once you apply the MS patch we won't have to keep it disabled.


Norton AntiVirus claims 10/8 for LiveUpdate to detect it, so unless you are using the most recent version which has IntelligentUpdating (not LiveUpdate) you will have to wait.

McAfee may have the dat file sooner - don't know yet.


A quick way to tell if you are infected is to check the c:/winnt/help folder, if there is a 'hosts' file, you are infected. Check below for more information.

If you aren't comfortable with this removal method, you will need to call someone to help you.


Norton AntiVirus

for a very good write-up with manual removal instructions


McAfee AntiVirus

for another write-up with some more details, and a slightly different manual removal process (the Norton one is more thorough).