KurenaiJiku (kurenaijiku@tech-base.com)
Sun, 24 Sep 2000 12:32:36 -0700

Thanks Z. I was looking for that info.

>> -----Original Message-----
>> From: owner-gundam@1u.aeug.org [mailto:owner-gundam@1u.aeug.org]On
>> Behalf Of KurenaiJiku
>> Sent: Saturday, September 23, 2000 14:06
>> To: gundam@aeug.org
>> Subject: [gundam] virus detected
>> Peeps,
>> I just found out I had a virus called Worm.Qaz in my system. It seemed
>> that it only infected my notepad.exe program...and I did a complete scan on
>> different levels several times on my networked systems. No traces of it
>> left. Frankly, I don't know how I received it but it didn't seem to do any
>> damage to my system other than secretly loading notepad into my memory.
>> Check if notepad is secretly loaded through the task menu (alt control
>> delete) and if it's there, you most likely have the virus. If it's not
>> there, I urge you to scan your system/HD's to make sure you don't have it.
>This Trojan horse or worm program is known as W32/QAZ.worm in the McAfee
>Information Library (VIL) and W32.HLLW.Qaz.A or Qaz.Trojan in the Symantec
>Anti-virus Research Center (SARC) Virus Encylopedia.
>It was first discovered in China in July of 2000. It's is a companion virus
>that can spread over the network and also has a backdoor that lets a remote
>hacker connect to and control the computer via port 7597. Since the virus
>not have the ability to spread to computers outside the network, the virus
>have originally been spammed out by email. As of 14 September 2000, there
>at least four variants of the original virus.
>Also known as: Qaz.Trojan, Qaz.Worm, W32.HLLW.Qaz (gen)
>Virus Characteristics
>This is an Internet worm that also acts as a backdoor. When running, it
>on TCP port 7597 for instructions from a client component. This worm also
>communicates with the IP address which is physically located
>somewhere in Asia.
>When this trojan is executed, it modifies the registry with this key value:
>StartIE=C:\WINDOWS\notepad.exe qazwsx.hsq
>(NOTE: Neither "qaz" nor "qazwsx" has any significance as a name. The
>Q, A, Z, W, S and X are the first six keys, reading diagonally from top to
>bottom, on a standard keyboard.)
>After the next reboot the worm renames NOTEPAD.EXE in the Windows folder to
>NOTE.COM and then copies itself to the Windows folder as NOTEPAD.EXE.
>When ever the user runs NOTEPAD, the worm is executed and this then runs
>The worm can use network connections to spread to other machines that allow
>access to their Windows folders and copies itself as "NOTEPAD.EXE".
>One major significance is the real NOTEPAD.EXE is 52Kb while this worm is
>120,320 bytes.
>Indications Of Infection
>Existence of "NOTE.COM" and newly created "NOTEPAD.EXE" of 120,320 bytes.
>packet traffic on TCP port 7597.
>Method Of Infection
>This trojan will directly install to the local system if run. It modifies the
>registry to load at next Windows startup.
>This trojan is also Network-aware in that it tries to locate systems using
>NETBios by "browsing" the network for targets with a shared drive, where the

>Windows folder is available, and NOTEPAD.EXE exists in that folder.
>To remove this trojan:
>1. Remove the following registry key:
>"StartIE"="C:\WINDOWS\NOTEPAD.EXE qazwsx.hsq"
>2. Restart the computer.
>3. Scan with anti-virus software and delete all files detected as
>W32.HLLW.Qaz.A, Qaz.Trojan, Qaz.worm, or W32.HLLW.Qaz (gen). Update virus
>definitions if necessary.
>4. Search for a file called note.com and rename it to notepad.exe.
>5. Scan all other computers on the network to find all other infections and
>repeat the above steps if infections are found.
>6. Password-protect or unshare word-writable shares to prevent future
>Gundam Mailing List Archives are available at http://gundam.aeug.org/

Gundam Mailing List Archives are available at http://gundam.aeug.org/

This archive was generated by hypermail 2.0b3 on Mon Sep 25 2000 - 04:24:22 JST