Checking Windows Hosts File For Virus Entries
This week we reviewed a particularly clever type of virus spreading via Facebook which uses advanced social engineering. Like many viruses, it adds malicious entries to the Windows Hosts file to prevent internet access to certain websites (e.g. antivirus companies) and to redirect your legitimate website requests to virus-infected sites or fake copies of genuine websites.
We have written before in more detail about how viruses hijack the Windows Hosts file and it is usually easy to spot – just open up the Hosts file in Notepad and you can quickly see extra entries that the virus has added.
However, this virus is even more sneaky – it does add extra entries but only after first adding thousands of lines of blank space… Here is an example hosts file:
At a quick glance all looks fine – the ‘#’ lines of text are just standard Microsoft comments and there appear to be no extra malicious entries.
However, looking more closely at the right hand side of Notepad reveals the presence of a tiny scroll bar – scrolling on down past thousands of blank lines eventually reveals the ‘hidden’ entries starting at line 9044 that the virus has added – near the end of the massively extended Hosts file as shown below:
Tip: Notepad does not show line numbers by default – select View from the menu bar then select Status Bar to show line numbers.
In this example the first 4 lines redirect internet requests to those antivirus company websites back to your own computer i.e. they block you from being able to browse to, or update from, those websites. The fifth line redirects your internet requests to Paypal to a duplicate (but fake) website set up to steal your login details (obviously we have used xyz rather than an actual scam site).
When checking the Hosts file for suspicious entries, remember to check for a scroll bar and blank lines in case the entries are squirrelled away somewhere well down the file. You can fix malicious entries by deleting them (and all the unwanted blank lines), saving the Hosts file and closing Notepad.
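The same check can be scripted so that a large blank gap cannot hide anything. The following is an added example, not code from the original post: it parses hosts-file text, records the longest run of blank lines, and classifies every active entry as either sinkholed to the loopback address (blocking a site, as the antivirus entries do) or redirected to some other address (as the fake PayPal entry does). The sample hosts content, the `*.example` hostnames and the `203.0.113.10` address are all constructed placeholders. Note that legitimate ad-blocking hosts lists also sinkhole many names to 127.0.0.1, so a "blocked" finding means "verify this", not "definitely malicious".

```python
import ipaddress
import sys

# Hostnames that legitimately point at the loopback address on Windows.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Default location of the Windows Hosts file.
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed sample (not the file from the post): the standard Microsoft
# comment header, then thousands of blank lines, then hidden entries.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\n"
    "#\n"
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n"
    "#\n"
    "# localhost name resolution is handled within DNS itself.\n"
    "#\t127.0.0.1       localhost\n"
    "#\t::1             localhost\n"
    + "\n" * 9000
    + "127.0.0.1 av-vendor-one.example\n"      # constructed: blocks a site
    + "127.0.0.1 av-vendor-two.example\n"      # constructed: blocks a site
    + "203.0.113.10 www.paypal.example\n"      # constructed: redirects a site
)


def parse_hosts(text):
    """Split hosts-file text into active entries, tracking blank-line runs.

    Returns (entries, longest_blank_run). Each entry records its 1-based
    line number, the address token, the hostnames on that line and how
    many blank lines immediately preceded it.
    """
    entries = []
    blank_run = 0
    longest_blank_run = 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            blank_run += 1
            longest_blank_run = max(longest_blank_run, blank_run)
            continue
        preceding_blanks, blank_run = blank_run, 0
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue  # comment-only line, e.g. the Microsoft header
        parts = line.split()
        entries.append({
            "line": lineno,
            "ip": parts[0],
            "hosts": parts[1:],
            "preceding_blanks": preceding_blanks,
        })
    return entries, longest_blank_run


def audit_hosts(text, gap_threshold=100):
    """Classify every active entry; a run of gap_threshold or more blank
    lines marks everything after it as 'hidden' for the report."""
    entries, longest_gap = parse_hosts(text)
    findings = []
    past_gap = False
    for e in entries:
        if e["preceding_blanks"] >= gap_threshold:
            past_gap = True
        try:
            ip = ipaddress.ip_address(e["ip"])
        except ValueError:
            findings.append((e["line"], "malformed", f"not an IP address: {e['ip']!r}"))
            continue
        if past_gap:
            findings.append((e["line"], "hidden", "entry sits after a large run of blank lines"))
        sinkhole = ip.is_loopback or ip.is_unspecified  # 127.x / ::1 / 0.0.0.0
        for host in e["hosts"]:
            if sinkhole and host.lower() not in LOCAL_NAMES:
                findings.append((e["line"], "blocked", f"{host} sinkholed to {ip}"))
            elif not sinkhole:
                findings.append((e["line"], "redirected", f"{host} resolves to {ip} instead of via DNS"))
    return {"entries": len(entries), "longest_blank_run": longest_gap, "findings": findings}


if __name__ == "__main__":
    # Pass a path (e.g. the real Hosts file) to audit it; otherwise use the sample.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_HOSTS
    report = audit_hosts(text)
    print(f"active entries: {report['entries']}, longest blank run: {report['longest_blank_run']} lines")
    for line, kind, detail in report["findings"]:
        print(f"line {line}: {kind}: {detail}")
```

Run it as `python hosts_audit.py "C:\Windows\System32\drivers\etc\hosts"` to audit the live file; with no argument it audits the constructed sample and reports the 9000-line gap followed by two sinkholed names and one redirection.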
If You Can’t Save The Hosts File
The virus may have made the hosts file read-only and/or changed the permissions of the file to stop you changing and saving it.
To fix this, close the hosts file then click here to download the Hosts Permissions batch file from Bleeping Computer. Once downloaded, double click the hosts-perm.bat file you just downloaded to run it – it will then change the permissions of your hosts file to allow you to edit and save it.
Now open your hosts file in Notepad again, delete all the unwanted lines and entries, save the Hosts file and close Notepad.