The trojan, called Qhost.WU by the Bucharest-based anti-virus provider, infects an affected PC’s storage for domain names and IP address mappings, which is used before domain name servers are considered authoritative.
The infected file then redirects the page2.googlesyndication.com host to IP addresses if other servers so that an end-user could easily be confused by the replacement advertisements.
“This is a serious situation that damages users and webmasters alike,” said BitDefender analyst Attila-Mihaly Balazs. “Users are affected because the advertisements or the linked sites may contain malicious code, which is a very likely situation, given that they are promoted using malware in the first place. Webmasters are affected because the trojan takes away viewers and thus a possible money source from their websites.”
Cyberattackers last month hijacked thousands of Google search terms, leading end users to surprise malware installations. The operation included tens of thousands of pages created specifically to obtain high search-engine ranking.