
HostMod-A removal?

How do I remove HostMod-A malware? It's located at Private/etc/hosts, but when I try to open that folder, it says I do not have permission.

Posted on Jun 22, 2012 1:30 PM

52 replies

Jun 22, 2012 8:45 PM in response to foxone12

Check for the QHost.WD Trojan (courtesy of Linc Davis):

In the Finder, select Go > "Go to Folder..." from the menu bar. Enter "/etc" (without the quotes) in the window that opens, and press return. A Finder window opens. Locate the file named "hosts" and double-click it. It should open in the TextEdit application. You should see this in the TextEdit window:


##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost


If you see anything else, post the entire contents of the window -- the text, please, not a screenshot.

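The check above compares the file by eye. As an added example (not part of the original post or of Sophos/Apple tooling), here is the same check as a script: it strips comments, normalises whitespace, and prints every entry that is not one of the four stock lines, so a tab-separated or comment-trailed hijack line does not slip past a visual comparison. The stock entries are taken from the post; `audit_hosts` and the sample file are constructed for the example. Run `audit_hosts /etc/hosts` on a real system.

```shell
#!/bin/sh
# Added example: audit a Mac OS X hosts file for entries beyond the stock defaults.
# audit_hosts is a constructed helper; pass it /etc/hosts or any saved copy.

# The four entries shipped in a stock Mac OS X 10.6 /etc/hosts (as shown in the thread).
DEFAULT_HOSTS='127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost'

# Print every non-comment, non-blank line of $1 that is not a stock entry.
# Comments are stripped and runs of whitespace collapsed to one space, so
# "127.0.0.1<tab>localhost" still matches the default and "1.2.3.4 google.com # x"
# is reported without its trailing comment.
# Returns 0 when the file is clean, 1 when extra entries were printed.
audit_hosts() {
    file="$1"
    extra=$(sed -e 's/#.*//' -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' "$file" \
        | grep -v '^$' \
        | while IFS= read -r line; do
              # -x: whole-line match, -F: literal text, --: entries may start with ':'
              printf '%s\n' "$DEFAULT_HOSTS" | grep -qxF -- "$line" || printf '%s\n' "$line"
          done)
    if [ -n "$extra" ]; then
        printf '%s\n' "$extra"
        return 1
    fi
    return 0
}
```

Anything `audit_hosts` prints is worth pasting into the thread, since a hijack usually shows up as a well-known domain (google.com, a bank, an antivirus vendor) mapped to an unfamiliar address.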
Jun 22, 2012 10:25 PM in response to MadMacs0

Mad Mac, I did as you suggested. Got to 'hosts,' but when I double clicked I received the message: You do not have permission. I tried repairing my permissions with Disk Utility, and all permissions repaired EXCEPT for private/etc/hosts, which was labelled: Open error 13.


I have run Sophos Anti-Virus software and while it will spot HostMod-A, it says I must manually remove it, leading me to exactly what you suggested.


By the way, I am running OS 10.6.8, which I reinstalled, hoping that would clear the error. No luck.


Stymied. Thanks for any additional suggestions you can think of.

Jun 22, 2012 10:44 PM in response to foxone12

foxone12 wrote:


Mad Mac, I did as you suggested. Got to 'hosts,' but when I double clicked I received the message: You do not have permission.

If you want to examine the file to make certain of what it is try the following:


  • Highlight the hosts file.
  • Select "Get Info" from the Finder's "File" menu or type Command-I.
  • At the bottom of the window in the Sharing & permissions section, click on the lock icon.
  • Enter your admin Name and Password in the dialog box.
  • There should be an entry for "everyone" and a popup menu next to it will allow you to change it to Read only.
  • Close the Get Info window and you should be able to examine the file.

I'll next post instructions on how to fix it.

Jun 22, 2012 10:59 PM in response to foxone12

By far the easiest way to fix the hosts file is to restore it from a Time Machine (or other) backup that predates the installation of the trojan. If that's not possible, then do the following.


Some of what follows is redundant to what I've already said, but I'm repeating it here for completeness.


Double-click the file named "hosts" in that folder. It should open in TextEdit. At the top of the file, you should see something like this:


##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost


Below that, you'll see some other lines. Delete everything below the last line shown above. Don't try to save; you won't be able to. Instead, select "Save As..." from the file menu in TextEdit. In the Save dialog, deselect the option to add a ".txt" extension to the file name, if it's selected. Save the file to your Desktop. You should now have a file named exactly "hosts" with no extension on your Desktop, having the contents shown above.


Now comes the part that usually scares people. Launch the Terminal application, copy or drag -- do not type -- the line of text below into the window, and press return:


sudo sh -c ' cat Desktop/hosts > /etc/hosts '


You'll be prompted for your login password, which won't be displayed when you type it. You may get a one-time warning not to screw up. Don't panic when you see that warning. Quit Terminal.


Do not type anything into the Terminal window except your password.


You should also look around for the installer that caused this situation so you won't be tempted to reinstall it. The sample I have is named "FlashPlayer.pkg.zip" but yours may be unzipped already. It would normally be found in your download folder. If you see anything in that folder you don't recognize or need to keep, it would be best to delete it.

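The one-liner above overwrites /etc/hosts in place with no backup and no check that the replacement is sane. As an added example (not part of the original post), the script below does the same job defensively: it refuses a replacement with no localhost entry, keeps a timestamped backup of the old file, copies via a temp file in the same directory so a failure never leaves /etc/hosts empty, and resets the stock mode 0644 (owner root, group wheel on macOS). It also shows what to look at when a file that reports "read for everyone" still cannot be read: "error 13" is the kernel's EACCES (permission denied), and on macOS that can come from an ACL or a file flag that Get Info does not display, which `ls -le` and `ls -lO` do. `restore_hosts`, `write_stock_hosts`, `show_hosts_protection` and the paths are assumptions of the example; the stock file content is from the thread.

```shell
#!/bin/sh
# Added example: replace a tampered hosts file with a clean copy, keeping a backup
# and restoring stock ownership and mode. Typical use on the affected Mac:
#   sudo sh restore_hosts.sh ~/Desktop/hosts /etc/hosts
# Functions take paths so they can also be exercised against a scratch directory.

# Stock Mac OS X 10.6 /etc/hosts, as shown in the thread.
STOCK_HOSTS='##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost'

# Write the stock hosts file to $1, for when no clean saved copy is at hand.
write_stock_hosts() {
    printf '%s\n' "$STOCK_HOSTS" > "$1"
}

# macOS only: show the things Get Info hides. -O prints BSD flags (uchg/schg make
# a file unwritable even for root until 'chflags nouchg'), -e prints ACL entries
# (a 'deny read' ACE is enough to produce "Open error 13" for a 0644 file).
show_hosts_protection() {
    [ "$(uname)" = Darwin ] || { echo "show_hosts_protection: macOS only" >&2; return 1; }
    ls -lO "$1"
    ls -le "$1"
}

# Replace $2 with the contents of $1.
#  - refuse if $1 carries no 127.0.0.1 localhost entry (a hosts file without it breaks the system)
#  - keep a timestamped backup of the old $2 for later analysis
#  - stage through a temp file in the same directory and mv it into place (atomic rename)
#  - mode 0644; owner uid 0 / gid 0 (root:wheel on macOS) when running as root
restore_hosts() {
    src="$1"; dst="$2"
    grep -q '^127\.0\.0\.1[[:space:]]\{1,\}localhost' "$src" \
        || { echo "refusing: $src has no localhost entry" >&2; return 1; }
    if [ -f "$dst" ]; then
        cp -p "$dst" "$dst.bak.$(date +%Y%m%d%H%M%S)" || return 1
    fi
    tmp="$dst.tmp.$$"
    cp "$src" "$tmp" || return 1
    chmod 0644 "$tmp"
    if [ "$(id -u)" -eq 0 ]; then
        chown 0:0 "$tmp"
    fi
    mv -f "$tmp" "$dst"
}

# When invoked with two arguments, perform the replacement.
if [ "$#" -eq 2 ]; then
    restore_hosts "$1" "$2"
fi
```

If `mv` fails even under sudo, run `show_hosts_protection /etc/hosts` first: a `uchg` or `schg` flag or a deny ACL has to be removed (`chflags nouchg`, `chmod -N`) before the file can be replaced, and either one on a system file that nobody set deliberately is itself worth noting in the thread.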
Jun 23, 2012 1:37 AM in response to foxone12

Mad Mac,


Tried to use my backup to restore hosts. Opened hosts in backup. Closed it and the file disappeared from the backup. Tried an earlier backup file for hosts. Nothing there either.


Got to hosts in my /private/etc file. Clicked on hosts. Went to Get Info and it says that 'everyone' has permission to read the file, everyone but me that is. Hosts still will not open. Unlocked the file and made sure that everyone on the list can read it. Still no luck. File will not open and I cannot read it.


If I could restore, I would, but that didn't work for the reason listed above.


If I could, I would simply remove the trojan from the hosts file, but the file will not open.


Checked my download file. No zips or programs there.


Tried several approaches to the problem and greatly appreciate all your suggestions.

Jun 23, 2012 2:46 AM in response to foxone12

Let's see if we can confirm that you are actually infected.


Launch the Network Utility application by entering the first few letters of its name in a Spotlight search. Select the "Lookup" tab and enter "www.google.com" (without the quotes) in the address field. Press return. Post the output -- the text, please, not a screenshot. Then select the "Ping" tab and do the same.

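One caveat on the check above, with an added example that is not part of the original post: Network Utility's Lookup tab runs `dig`, which sends its query straight to the configured DNS server and never consults /etc/hosts, so a clean Lookup result says nothing about a hosts-file hijack. The Ping tab resolves the name through the system resolver, which does read /etc/hosts first, so a ping that reaches the genuine address is the meaningful evidence. The script below emulates that hosts-file step of the resolver so the two can be compared directly; `hosts_lookup`, `hosts_verdict`, the sample file and the 203.0.113.5 address (a TEST-NET address) are constructed for the example.

```shell
#!/bin/sh
# Added example: emulate the /etc/hosts step of a name lookup and compare it with a
# DNS answer (e.g. the A record dig printed) to decide whether a name is hijacked.

# Print every address the hosts file $1 assigns to name $2, ignoring comments.
# Hostnames are case-insensitive, so the match is too. Prints nothing if absent.
hosts_lookup() {
    file="$1"; name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    sed -e 's/#.*//' "$file" \
    | awk -v n="$name" '{ for (i = 2; i <= NF; i++) if (tolower($i) == n) print $1 }'
}

# Compare the hosts-file answer for $2 in $1 with the DNS answer $3 (obtained
# out of band, e.g. from dig). The resolver stops at the first hosts match, so
# only the first entry is considered.
#   CLEAN    - not in hosts file; the resolver will use DNS
#   PINNED   - hosts file agrees with DNS (harmless, but unusual for a stock file)
#   HIJACKED - hosts file sends the name somewhere other than its DNS address
hosts_verdict() {
    file="$1"; name="$2"; dns_addr="$3"
    local_addr=$(hosts_lookup "$file" "$name" | head -n 1)
    if [ -z "$local_addr" ]; then
        echo "CLEAN: $name not in hosts file, resolver will use DNS"
    elif [ "$local_addr" = "$dns_addr" ]; then
        echo "PINNED: $name pinned to its DNS address $dns_addr"
    else
        echo "HIJACKED: $name -> $local_addr (DNS says $dns_addr)"
    fi
}
```

On the affected machine, `hosts_verdict /etc/hosts www.google.com 173.194.69.103` (using the address dig returned) gives the answer the ping output only implies.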
Jun 23, 2012 3:03 AM in response to foxone12

Here's the text from the network utility, www.google.com


; <<>> DiG 9.6.0-APPLE-P2 <<>> www.google.com +multiline +nocomments +nocmd +noquestion +nostats +search
;; global options: +cmd
www.google.com. 85237 IN CNAME www.l.google.com.
www.l.google.com. 103 IN A 173.194.69.99
www.l.google.com. 103 IN A 173.194.69.147
www.l.google.com. 103 IN A 173.194.69.105
www.l.google.com. 103 IN A 173.194.69.103
www.l.google.com. 103 IN A 173.194.69.106
www.l.google.com. 103 IN A 173.194.69.104


Here's the Ping results:



PING www.l.google.com (173.194.69.103): 56 data bytes
64 bytes from 173.194.69.103: icmp_seq=0 ttl=49 time=62.809 ms
64 bytes from 173.194.69.103: icmp_seq=1 ttl=49 time=63.565 ms
64 bytes from 173.194.69.103: icmp_seq=2 ttl=49 time=62.130 ms
64 bytes from 173.194.69.103: icmp_seq=3 ttl=49 time=61.904 ms
64 bytes from 173.194.69.103: icmp_seq=4 ttl=49 time=62.986 ms
64 bytes from 173.194.69.103: icmp_seq=5 ttl=49 time=61.218 ms
64 bytes from 173.194.69.103: icmp_seq=6 ttl=49 time=62.425 ms
64 bytes from 173.194.69.103: icmp_seq=7 ttl=49 time=62.810 ms
64 bytes from 173.194.69.103: icmp_seq=8 ttl=49 time=63.596 ms
64 bytes from 173.194.69.103: icmp_seq=9 ttl=49 time=62.566 ms

--- www.l.google.com ping statistics ---
10 packets transmitted, 10 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 61.218/62.601/63.596/0.693 ms


Thank you so much for your continuing help!

Jun 23, 2012 1:54 PM in response to foxone12

Sorry, but I desperately needed some sleep.


I've been discussing your situation with a colleague and I think we have an idea of what's going on.


The results indicate that you are not infected by what I know as Trojan:BASH/QHost.WB, which Sophos calls Troj/QHost-CU, and which was probably the installation package I had you look for that modifies the hosts file.


As far as I know the Trojan no longer exists in the wild, so you would have had to have downloaded it last July/August. c|net published this article on what it did. If you never saw this behavior, then chances are you never had the Trojan on your computer. If you have recently been having problems reaching other sites, it could be something new. Also, was this the first time running Sophos, and if not, when was the last time?


Around the same time Sophos posted a description of OSX/HostMod-A which describes it as an application. Then on this page they tell us that it "Detects a ‘hosts’ file that has been tampered with" which tells me it's just designed to warn you that you need to fix your hosts file. So I'm confused as to whether this is a different Trojan application or just a warning to fix your hosts file. Do you remember the exact words that Sophos used?


I'd like to try one more time to read the hosts file...


Launch the Terminal app (found in Applications/Utilities), copy and paste the following after the "$ " prompt:


sudo cat /etc/hosts


followed by the return key.

You'll be prompted for your login password, which won't be displayed when you type it. You may get a one-time warning not to screw up. Don't panic when you see that warning.

Copy and paste the results (if any) here:

Jun 24, 2012 12:04 AM in response to foxone12

Here's what Sophos Anti-Virus had to say:


'Virus/Spyware' OSX/HostMod-A has been detected and listed in Quarantine Manager.


(This pops up more or less continually. If I close it, the warning comes back almost immediately, whether I'm online or offline.)


When I open the Quarantine Manager, I'm told:


Threat: OSX/HostMod-A


Date: Jun 22, 2012 21:45 and Jun 24, 2012 8:57


Path and Filename: /private/etc/hosts


Action Available: The threat cannot be cleaned up. Please click the threat name above for manual instructions.



On to the developing problem:


When I open Terminal, there is no $ prompt. However I pasted sudo cat /etc/hosts anyway. Nothing happened. There was no request to sign in, as there had been in the past.

Jun 24, 2012 12:20 AM in response to foxone12

foxone12 wrote:


When I open Terminal, there is no $ prompt. However I pasted sudo cat /etc/hosts anyway. Nothing happened. There was no request to sign in, as there had been in the past.

What kind of prompt was it? Is the title of the Terminal window "Terminal -- bash -- 80 x 24"?


If no prompt at all try opening a new window Shell->New Window->Basic or Command-N


If the prompt is a "% " and the window title includes csh or tcsh it should still work.

Jun 24, 2012 12:39 AM in response to foxone12

foxone12 wrote:


Here's what Sophos Anti-Virus had to say:


'Virus/Spyware' OSX/HostMod-A has been detected and listed in Quarantine Manager.


(This pops up more or less continually. If I close it, the warning comes back almost immediately, whether I'm online or offline.)


When I open the Quarantine Manager, I'm told:


Threat: OSX/HostMod-A


Date: Jun 22, 2012 21:45 and Jun 24, 2012 8:57


Path and Filename: /private/etc/hosts


Action Available: The threat cannot be cleaned up. Please click the threat name above for manual instructions.

And of course the manual instructions are not there. If you looked at the F-Secure article, at least they give you instructions, but you almost have to be a Unix expert to follow them.


I've had Sophos running on my setup for the last couple of hours having modified my hosts file to look like the examples shown and have not been able to get a detection. I was able to verify that google.com url's were redirected to a p*** site, so I know I have the correct IP addresses entered in the hosts file. So I'm still at a total loss as to what Sophos is looking for and now that you tell me you're getting continuous popups, I'm even more confused. Perhaps it has something to do with not being able to access the file and the permissions repair error you got (which I also have never seen before).


I'm reasonably certain that a correct hosts file must be installed, so even if we are successful in deleting it, a replacement will have to be provided.


Have you tried contacting Sophos Tech Support to at least find out what it's looking for?

Jun 24, 2012 1:40 AM in response to foxone12

Went to Terminal and brought up a couple of new windows. New Window - basic, etc. Neither offered a prompt. I will contact Sophos techs to see if there's a solution available.


Meanwhile, I'll go back to my downloads and apps folders to check once again if there's an errant app lurking.


Thanks for your help! Sticky problem, to be sure.

Jun 24, 2012 2:27 AM in response to foxone12

foxone12 wrote:


'Virus/Spyware' OSX/HostMod-A has been detected and listed in Quarantine Manager.


(This pops up more or less continually. If I close it, the warning comes back almost immediately, whether I'm online or offline.)

I had a thought about this. If you go to the Quarantine Manager, can you click on the Filename and use the "Clear from List" button to stop the continuous pop-ups? You will need to click on the lock and enter your admin password to make the button active.

Jun 24, 2012 2:53 AM in response to foxone12

Nice idea and I tried it. Yes, I can 'clear from list' and the clearing lasts a full five seconds before the virus/spyware is again detected and Sophos gets very excited to tell me about it.


By the way, I have written to Sophos tech folks and they have acknowledged receipt, but it's only been an hour or so and they have not yet replied.

Jun 24, 2012 5:23 AM in response to foxone12

Went to Terminal and brought up a couple of new windows. New Window - basic, etc. Neither offered a prompt.


That's very odd. Probably something that deserves a topic of its own, and that may be indicative of greater problems with your system.


However, here's an alternate solution for seeing what's in the hosts file. Get a copy of TextWrangler, open it and choose File -> Open File by Name. In what looks like a search field, type "/etc/hosts" (minus the quotes) and press return. This should open the hosts file in TextWrangler, which will authenticate to open the file if necessary. Make sure the contents match what MadMacs0 posted earlier.


Of course, the hosts file should be readable by everyone. If yours isn't, that's definitely a problem. But I'm not an expert at troubleshooting issues like this and the missing Terminal prompt. I'll see if I can get someone else who is to take a look here.
