Can we believe our eyes?

A recent piece of malware, TrojanDropper:Win32/Vundo.L, uses an original way to hijack a website. The usual way to do that is to put a redirect in the hosts file, located in the %SystemRoot%\system32\drivers\etc directory. This trojan, however, creates a second "hosts" file whose name has the Latin "o" replaced by a Cyrillic "о" (the two letters are indistinguishable in most fonts), and hides the real one by giving it the system file attribute, which Explorer does not display by default:

[screenshot]

In the new, fake hosts file it puts the contents you would usually expect to see there (e.g., 127.0.0.1 mapped to localhost), so anyone who opens the only "hosts" file they can see finds nothing wrong.

The real one, which is the file the Windows resolver actually reads, contains the redirects for the hijacked website:

[screenshot]
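As an added illustration (not code from the TechNet post or from Microsoft), here is a Python audit script that looks for the two artefacts this trick leaves behind: a file in drivers\etc whose name folds to "hosts" but contains non-ASCII letters, and entries in the real hosts file that point a name at something other than a loopback or blackhole address. The homoglyph table (a small subset of the Unicode confusables), the file-attribute bit values, and the sample directory listing and hosts content are assumptions constructed for the example; the attribute check only has data to work with on Windows, where os.stat exposes st_file_attributes.

```python
import ipaddress
import os
import unicodedata

# Windows file-attribute bits (values of the Win32 FILE_ATTRIBUTE_* constants).
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4

# Cyrillic letters that render identically to Latin letters in common fonts.
# Illustrative subset only (assumption); a real deployment should use the
# full Unicode confusables table.
CYRILLIC_HOMOGLYPHS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0458": "j", "\u04bb": "h",
}


def fold_homoglyphs(name):
    """Replace look-alike Cyrillic letters with their Latin twins."""
    return "".join(CYRILLIC_HOMOGLYPHS.get(ch, ch) for ch in name)


def non_ascii_chars(name):
    """List (position, char, Unicode name) for each non-ASCII code point in a filename."""
    return [(i, ch, unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(name) if ord(ch) > 0x7F]


def classify_entries(names):
    """Split directory entries into the genuine 'hosts' file and look-alikes.

    The resolver only reads the file literally named 'hosts' (NTFS names are
    case-insensitive); anything that merely folds to 'hosts' is a decoy.
    """
    genuine = [n for n in names if n.lower() == "hosts"]
    lookalike = [n for n in names
                 if n.lower() != "hosts" and fold_homoglyphs(n).lower() == "hosts"]
    return {"genuine": genuine, "lookalike": lookalike}


def is_hidden_system(attrs):
    """True if a Windows attribute mask carries the hidden or system bit."""
    return bool(attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM))


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *hosts = line.split()
        entries.extend((ip, h) for h in hosts)
    return entries


def redirect_entries(text):
    """Return hosts entries that send a name to a real address.

    Loopback (127.x) and unspecified (0.0.0.0) targets only block a name;
    anything else silently redirects it, which is the hijack pattern above.
    """
    flagged = []
    for ip, host in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, host))  # malformed address, worth a look too
            continue
        if not (addr.is_loopback or addr.is_unspecified):
            flagged.append((ip, host))
    return flagged


def scan_directory(path):
    """Audit a live drivers\\etc directory (os.listdir also returns hidden files)."""
    report = classify_entries(os.listdir(path))
    report["hidden_system"] = []
    for name in report["genuine"] + report["lookalike"]:
        st = os.stat(os.path.join(path, name))
        # st_file_attributes exists only on Windows; elsewhere treat as no attributes.
        if is_hidden_system(getattr(st, "st_file_attributes", 0)):
            report["hidden_system"].append(name)
    return report


# Constructed sample data, not captured from an infected machine: a listing with
# a decoy whose second letter is U+043E, and a real hosts file redirecting to a
# TEST-NET-3 address standing in for the attacker's server.
SAMPLE_LISTING = ["hosts", "h\u043ests", "lmhosts.sam", "networks", "protocol", "services"]
SAMPLE_REAL_HOSTS = """# sample hosts file (constructed)
127.0.0.1       localhost
203.0.113.5     www.example.com   # attacker-controlled host
203.0.113.5     example.com
"""

if __name__ == "__main__":
    for name in classify_entries(SAMPLE_LISTING)["lookalike"]:
        print("look-alike:", repr(name), non_ascii_chars(name))
    for ip, host in redirect_entries(SAMPLE_REAL_HOSTS):
        print("redirect:", host, "->", ip)
```

On a live machine call scan_directory(r"C:\Windows\System32\drivers\etc"). The decisive detail is that os.listdir, unlike an Explorer window with default settings, returns hidden and system files too, so both hosts files appear in the listing and the one with the Cyrillic letter is reported as a look-alike while the ASCII-named original is the one whose redirect entries matter.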

If only this creativity was used in a good way!

Read the full article on TechNet