Virus Characteristics
Update October 27, 2000:
In recent news, it has been noted that a large corporation recently experienced an attack by this Trojan and Internet worm. It should also be noted that W32/QAZ can give access to the host system, which will allow a hacker or group of hackers to install other malware programs if desired. It is this feature that was exploited at the large corporation. It was also speculated that this worm had been received over e-mail; this is unlikely, as QAZ spreads only over open network shares.
This is an Internet worm that also acts as a backdoor. When running, it listens on TCP port 7597 for instructions from a client component. This worm also communicates with the IP address 202.106.185.107, which is physically located somewhere in China. The backdoor allows the remote user only to upload and run any program, which is enough to install a more complex backdoor or password-stealing program.
This worm browses the network connections to spread to other machines that allow passwordless write access to their Windows folders over NetBIOS, copies itself as "NOTEPAD.EXE" and renames the existing NOTEPAD.EXE to NOTE.COM.
After the newly infected computer tries to run NOTEPAD, the worm modifies the registry to include this key value:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
StartIE=C:\WINDOWS\notepad.exe qazwsx.hsq
Whenever the user runs NOTEPAD, the worm is executed, and this then runs NOTE.COM.
One notable difference is that the real NOTEPAD.EXE is 52Kb while this worm is 120,320 bytes.
Indications Of Infection
Existence of "NOTE.COM" and newly created "NOTEPAD.EXE" of 120,320 bytes. Data packet traffic on TCP port 7597.
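As an added example (not part of the original advisory), the following Python checks a host snapshot for the indicators listed above: NOTE.COM, a 120,320-byte NOTEPAD.EXE, the StartIE Run value and a listener on TCP port 7597. The snapshot format and the sample file sizes, Run value and netstat lines are constructed assumptions, not captured data.

```python
"""Checks a host snapshot for the W32/QAZ indicators described on this page."""

QAZ_SIZE = 120320          # worm body length in bytes (real NOTEPAD.EXE is ~52 KB)
QAZ_PORT = 7597            # TCP port the backdoor component listens on
QAZ_RUN_VALUE = "startie"  # value name the worm writes under HKLM\...\Run
QAZ_ARG = "qazwsx.hsq"     # argument the Run value passes to notepad.exe


def listening_ports(netstat_output):
    """Parse 'netstat -an' style text; return the set of TCP ports in LISTENING state."""
    ports = set()
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports


def check_qaz(windows_files, run_values, ports):
    """Return the list of QAZ indicators present in the snapshot.
    windows_files: {filename: size_in_bytes} for the Windows folder (assumed format)
    run_values:    {value_name: command_line} read from the Run key
    ports:         set of listening TCP ports (e.g. from listening_ports)
    """
    hits = []
    files = {name.lower(): size for name, size in windows_files.items()}
    if "note.com" in files:
        hits.append("NOTE.COM present (renamed original NOTEPAD.EXE)")
    if files.get("notepad.exe") == QAZ_SIZE:
        hits.append("NOTEPAD.EXE is 120,320 bytes (worm body)")
    for name, cmd in run_values.items():
        if name.lower() == QAZ_RUN_VALUE or QAZ_ARG in cmd.lower():
            hits.append(f"Run value {name}={cmd}")
    if QAZ_PORT in ports:
        hits.append("TCP port 7597 in LISTENING state (backdoor)")
    return hits


# Constructed sample snapshot of an infected host (not captured data).
INFECTED_FILES = {"NOTEPAD.EXE": 120320, "NOTE.COM": 53248, "WIN.INI": 1024}
INFECTED_RUN = {"StartIE": r"C:\WINDOWS\notepad.exe qazwsx.hsq"}
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7597           0.0.0.0:0              LISTENING
"""

if __name__ == "__main__":
    for hit in check_qaz(INFECTED_FILES, INFECTED_RUN, listening_ports(NETSTAT_SAMPLE)):
        print("INDICATOR:", hit)
```

On a live host the same checks map to a directory listing of the Windows folder, the Run key and `netstat -an` output.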
Method Of Infection
This trojan will directly install to the local system if run. It modifies the registry to load at next Windows startup.
This trojan is also network-aware in that it tries to locate systems using NetBIOS by "browsing" the network for targets with a shared drive, where the Windows folder is available and NOTEPAD.EXE exists in that folder.
Removal Instructions
Script,Batch,Macro and non memory-resident:
Use specified engine and DAT files for detection and removal.
PE,Trojan,Internet Worm and memory resident:
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use an emergency boot diskette and use the command line scanner such as:
SCANPM C: /CLEAN /ALL
AVERT Recommended Updates:
* Office2000 Updates
* scriptlet.typelib/Eyedog vulnerability patch
* Malformed E-mail MIME Header vulnerability patch
* Outlook as an email attachment security update
* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield
For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information.
It is very common for macro viruses to disable options within Office applications; for example, in Word, the macro protection warning is commonly disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.
Virus Information
Discovery Date: 8/7/00
Origin: Asia Region
Length: 120,320 bytes
Type: Trojan
SubType: Internet Worm
Risk Assessment: Medium
Aliases
I-Worm.QAZ, note.com, Qaz.Trojan, QAZ.worm, TROJ_QAZ.A, Trojan/Notepad, W32.HLLW.Qaz.A
PS -> change antivirus