Glike NOT


This is an interesting sample, caught by our honeypots.

The file comes as a zip archive from qtpom{removed}.tripod.com/codec.zip, which once extracted looks like this:

It is almost undetected; the VirusTotal report is here.
Truth be told, no blatant sign of malware activity is noticed at first until this:

What the heck? This is not my Google home page. And what are those tabs up there: “Pharmacy”, “Casino”?
The malware modifies the Windows hosts file to redirect popular sites to glike.net (IP: 92.241.164.9, Russian Federation).
If you are a victim of a homepage hijack or other redirections, it is always worth looking at your hosts file, located at C:\windows\system32\drivers\etc\hosts
You can then remove the offending entries manually and save the file. This brings temporary relief, but it is not a definitive fix while the malware is still active on your PC, since it can simply rewrite the file.
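As an added example (not part of the original post), here is a small Python checker that parses a hosts file, flags entries that point popular sites at anything other than a loopback address, and comments those lines out. The watch list of domains and the sample hosts content are constructed for the demonstration; the only value taken from the post is the glike.net IP.

```python
import ipaddress

# Addresses a clean hosts file legitimately uses for its own entries.
LOCAL_ADDRS = {"127.0.0.1", "::1", "0.0.0.0"}
# Constructed watch list; extend it with whatever sites matter to you.
WATCHED_DOMAINS = ("google.com", "bing.com", "yahoo.com", "live.com")

def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text; comments, blanks and junk are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])       # first field must be an IP address
        except ValueError:
            continue
        entries.extend((parts[0], name.lower()) for name in parts[1:])
    return entries

def is_watched(name, watched=WATCHED_DOMAINS):
    """True if name is a watched domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in watched)

def find_hijacks(text, watched=WATCHED_DOMAINS):
    """Entries that send a watched site somewhere other than loopback."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if ip not in LOCAL_ADDRS and is_watched(name, watched)]

def disarm(text, watched=WATCHED_DOMAINS):
    """Return the hosts text with every hijacking line commented out (the manual cleanup above)."""
    out = []
    for raw in text.splitlines():
        out.append("# [removed] " + raw if find_hijacks(raw, watched) else raw)
    return "\n".join(out) + "\n"

# Constructed sample mimicking the infection described above (not a real capture).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
92.241.164.9    www.google.com google.com
92.241.164.9    www.bing.com    # added by malware
10.0.0.5        intranet.example.com
"""

if __name__ == "__main__":
    for ip, name in find_hijacks(SAMPLE_HOSTS):
        print(f"{name} -> {ip}")
```

On a real machine, read the file at the path given above into `text` instead of `SAMPLE_HOSTS`; writing the cleaned output back requires an elevated prompt.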
