-Z- (z@gundam.com)
Sun, 24 Sep 2000 12:12:39 -0700


> -----Original Message-----
> From: owner-gundam@1u.aeug.org [mailto:owner-gundam@1u.aeug.org]On
> Behalf Of KurenaiJiku
> Sent: Saturday, September 23, 2000 14:06
> To: gundam@aeug.org
> Subject: [gundam] virus detected
>
>
> Peeps,
>
> I just found out I had a virus called Worm.Qaz in my system. It seemed
> that it only infected my notepad.exe program...and I did a complete scan on
> different levels several times on my networked systems. No traces of it
> left. Frankly, I don't know how I received it but it didn't seem to do any
> damage to my system other than secretly loading notepad into my memory.
> Check if notepad is secretly loaded through the task menu (alt control
> delete) and if it's there, you most likely have the virus. If it's not
> there, I urge you to scan your system/HD's to make sure you don't have it.

This Trojan horse or worm program is known as W32/QAZ.worm in the McAfee Virus
Information Library (VIL) and W32.HLLW.Qaz.A or Qaz.Trojan in the Symantec
Anti-virus Research Center (SARC) Virus Encyclopedia.

It was first discovered in China in July of 2000. It is a companion virus
that can spread over the network and also has a backdoor that lets a remote
hacker connect to and control the computer via port 7597. Since the virus does
not have the ability to spread to computers outside the network, the virus might
have originally been spammed out by email. As of 14 September 2000, there are
at least four variants of the original virus.

Also known as: Qaz.Trojan, Qaz.Worm, W32.HLLW.Qaz (gen)

Virus Characteristics
This is an Internet worm that also acts as a backdoor. When running, it listens
on TCP port 7597 for instructions from a client component. This worm also
communicates with the IP address 202.106.185.107 which is physically located
somewhere in Asia.

When this trojan is executed, it modifies the registry with this key value:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
StartIE=C:\WINDOWS\notepad.exe qazwsx.hsq

(NOTE: Neither "qaz" nor "qazwsx" has any significance as a name. The letters
Q, A, Z, W, S and X are the first six keys, reading diagonally from top to
bottom, on a standard keyboard.)

After the next reboot the worm renames NOTEPAD.EXE in the Windows folder to
NOTE.COM and then copies itself to the Windows folder as NOTEPAD.EXE.

Whenever the user runs NOTEPAD, the worm is executed and this then runs
NOTE.COM.

The worm can use network connections to spread to other machines that allow
access to their Windows folders and copies itself as "NOTEPAD.EXE".

One major sign is that the real NOTEPAD.EXE is 52 KB while this worm is
120,320 bytes.

Indications Of Infection
Existence of "NOTE.COM" and newly created "NOTEPAD.EXE" of 120,320 bytes. Data
packet traffic on TCP port 7597.

Method Of Infection
This trojan will directly install to the local system if run. It modifies the
registry to load at next Windows startup.

This trojan is also Network-aware in that it tries to locate systems using
NETBios by "browsing" the network for targets with a shared drive, where the
Windows folder is available, and NOTEPAD.EXE exists in that folder.

Removal
To remove this trojan:
1. Remove the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"StartIE"="C:\WINDOWS\NOTEPAD.EXE qazwsx.hsq"
2. Restart the computer.
3. Scan with anti-virus software and delete all files detected as W32/Qaz.worm,
W32.HLLW.Qaz.A, Qaz.Trojan, Qaz.worm, or W32.HLLW.Qaz (gen). Update virus
definitions if necessary.
4. Search for a file called note.com and rename it to notepad.exe.
5. Scan all other computers on the network to find all other infections and
repeat the above steps if infections are found.
6. Password-protect or unshare world-writable shares to prevent future
infections.

-Z-

-
Gundam Mailing List Archives are available at http://gundam.aeug.org/
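The indicators listed in the post above (a NOTE.COM beside a 120,320-byte NOTEPAD.EXE, the "StartIE" value under the Run key, traffic on TCP 7597 and contact with 202.106.185.107) written out as a small host check. This is an added example, not code from -Z-'s post or from the McAfee/Symantec write-ups. It runs over constructed inputs (a directory listing, an export of the Run key, and netstat -an style lines), so it works offline; the 60,000-byte upper bound for a genuine notepad.exe is my assumption derived from the 52 KB figure quoted, and all helper names are mine.

```python
"""Host-based indicator checks for the Qaz worm (W32/QAZ.worm, W32.HLLW.Qaz.A).

Added example; not the list post's or any vendor's code. Inputs are
constructed: a {path: size} listing of the Windows folder, a {name: command}
export of the Run key, and lines as printed by `netstat -an`.
"""
import re
from dataclasses import dataclass, field

WORM_SIZE = 120_320            # byte size of the worm installed as NOTEPAD.EXE (from the post)
GENUINE_NOTEPAD_MAX = 60_000   # assumed ceiling; the real Win9x notepad.exe is about 52 KB
BACKDOOR_PORT = 7597           # port the backdoor listens on
C2_ADDRESS = "202.106.185.107"  # address the worm contacts
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

# netstat -an row: Proto  Local Address  Foreign Address  State
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S*)", re.I)
# notepad.exe followed by at least one argument (the worm passes qazwsx.hsq)
NOTEPAD_WITH_ARG_RE = re.compile(r'notepad\.exe"?\s+\S')


@dataclass
class Findings:
    hits: list = field(default_factory=list)

    @property
    def infected(self) -> bool:
        return bool(self.hits)


def check_files(files):
    """Flag the renamed original (NOTE.COM) and a NOTEPAD.EXE that is either
    exactly the worm's size or simply too large to be the real editor."""
    hits = []
    for path, size in files.items():
        name = path.rsplit("\\", 1)[-1].lower()
        if name == "note.com":
            hits.append(f"renamed original present: {path}")
        elif name == "notepad.exe":
            if size == WORM_SIZE:
                hits.append(f"{path} is exactly {WORM_SIZE} bytes (worm size)")
            elif size > GENUINE_NOTEPAD_MAX:
                hits.append(f"{path} is {size} bytes, too large for genuine notepad")
    return hits


def check_run_key(run_values):
    """Flag the worm's marker argument, and more generally any Run entry that
    starts notepad with an argument at logon (notepad has no reason to be there)."""
    hits = []
    for name, cmd in run_values.items():
        low = cmd.lower()
        if "qazwsx.hsq" in low:
            hits.append(f"{RUN_KEY}\\{name} = {cmd} (Qaz marker argument)")
        elif NOTEPAD_WITH_ARG_RE.search(low):
            hits.append(f"{RUN_KEY}\\{name} = {cmd} (notepad started at logon with an argument)")
    return hits


def check_netstat(lines):
    """Flag TCP activity on the backdoor port and any row involving the C2 address."""
    hits = []
    for line in lines:
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # header line or unparseable row
        proto, _laddr, lport, raddr, rport, _state = m.groups()
        ports = {int(lport)}
        if rport.isdigit():
            ports.add(int(rport))
        if proto.upper() == "TCP" and BACKDOOR_PORT in ports:
            hits.append(f"TCP {BACKDOOR_PORT} in use: {line.strip()}")
        if raddr == C2_ADDRESS:
            hits.append(f"traffic with {C2_ADDRESS}: {line.strip()}")
    return hits


def scan(files, run_values, netstat_lines) -> Findings:
    f = Findings()
    f.hits += check_files(files)
    f.hits += check_run_key(run_values)
    f.hits += check_netstat(netstat_lines)
    return f


# Constructed sample of an infected Windows 98 host (not a real capture). The
# remote port 80 on the C2 row is a placeholder; the post gives only the address.
INFECTED_FILES = {
    r"C:\WINDOWS\NOTEPAD.EXE": 120_320,
    r"C:\WINDOWS\NOTE.COM": 53_248,
    r"C:\WINDOWS\WIN.INI": 8_000,
}
INFECTED_RUN = {
    "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
    "StartIE": r"C:\WINDOWS\notepad.exe qazwsx.hsq",
}
INFECTED_NETSTAT = [
    "  Proto  Local Address          Foreign Address        State",
    "  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:7597           0.0.0.0:0              LISTENING",
    "  TCP    192.168.1.20:1035      202.106.185.107:80     ESTABLISHED",
]
# Constructed clean host for comparison.
CLEAN_FILES = {r"C:\WINDOWS\NOTEPAD.EXE": 53_248, r"C:\WINDOWS\WIN.INI": 8_000}
CLEAN_RUN = {"ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun"}
CLEAN_NETSTAT = INFECTED_NETSTAT[:2]

if __name__ == "__main__":
    for label, args in (("infected", (INFECTED_FILES, INFECTED_RUN, INFECTED_NETSTAT)),
                        ("clean", (CLEAN_FILES, CLEAN_RUN, CLEAN_NETSTAT))):
        result = scan(*args)
        print(f"{label}: infected={result.infected}")
        for hit in result.hits:
            print("  -", hit)
```

The file-size check deliberately fires on any oversized NOTEPAD.EXE, not just the 120,320-byte original, since the post notes at least four variants existed by mid-September; the Run-key check likewise treats any logon-time notepad with an argument as suspect rather than matching only the qazwsx.hsq string. A listing with only the genuine 52 KB notepad and no 7597 activity produces no hits.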



This archive was generated by hypermail 2.0b3 on Mon Sep 25 2000 - 04:02:54 JST