Security Incidents mailing list archives

Re: notepad.exe backdoor


From: "Grunberg, Jeffrey" <jeff.grunberg () PURCHASE EDU>
Date: Mon, 20 Nov 2000 15:03:56 -0500

Looks like you were infected by the same Trojan horse that was used to break
into Microsoft... It's called the QAZ virus...

Check out http://www.symantec.com/avcenter/venc/data/qaz.trojan.html

 -----Original Message-----
From:   Ron Cohen [mailto:rony () rony clara net]
Sent:   Sunday, November 19, 2000 5:39 AM
To:     INCIDENTS () SECURITYFOCUS COM
Subject:        notepad.exe backdoor

Hi
can't remember seeing that on the list - so here it is:
while trying to install a game on my kids pc, i noticed a notepad process
running as a hidden window. further investigation revealed that:
o upon startup it tries to connect to 202.106.185.107:25;
o listens on about 10 tcp ports from 1024 upward;
o propagates itself via sharing;
o installs itself in run with the key satrtIE;
o when starting it without any arguments a very similar window to the
   real notepad pops up, except for the microsoft signatures.
o the original notepad is saved as note.com.

drop me a line if you want a copy.

------------------
Ron Cohen
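
The behaviours reported in this thread, expressed as a host-triage check. This is an added example, not part of the original messages; the snapshot layout, field names and sample values are constructed assumptions, and a real collector would have to fill them in from the host.

```python
# Added example: triage a host snapshot for the traits listed in the report.
# The snapshot structure (keys and field names) is an assumption of this example.

def triage(snapshot):
    """Return findings that match the reported notepad.exe backdoor behaviour."""
    findings = []
    for proc in snapshot.get("processes", []):
        if proc["name"].lower() != "notepad.exe":
            continue
        # Report: notepad was running as a hidden window.
        if not proc.get("window_visible", True):
            findings.append("notepad.exe running with a hidden window")
        # Report: it listens on about 10 TCP ports from 1024 upward.
        listening = sorted(p for p in proc.get("listening_tcp", []) if p >= 1024)
        if listening:
            findings.append("notepad.exe listening on TCP ports %s" % listening)
        # Report: on startup it connects out to a remote host on port 25.
        for host, port in proc.get("outbound_tcp", []):
            if port == 25:
                findings.append("notepad.exe connecting out to %s:25" % host)
    # Report: it installs itself under the Run key (any value name is flagged).
    for value, command in snapshot.get("run_key", {}).items():
        if "notepad.exe" in command.lower():
            findings.append("Run entry %r starts notepad.exe at logon" % value)
    # Report: the original notepad is saved as note.com.
    names = {f.lower() for f in snapshot.get("system_files", [])}
    if {"notepad.exe", "note.com"} <= names:
        findings.append("note.com present beside notepad.exe")
    return findings

# Constructed sample snapshots (192.0.2.10 is a documentation address).
INFECTED = {
    "processes": [{"name": "NOTEPAD.EXE", "window_visible": False,
                   "listening_tcp": [1025, 1024, 1029],
                   "outbound_tcp": [("192.0.2.10", 25)]}],
    "run_key": {"ExampleValue": "C:\\WINDOWS\\notepad.exe"},
    "system_files": ["NOTEPAD.EXE", "NOTE.COM", "win.ini"],
}
CLEAN = {
    "processes": [{"name": "notepad.exe", "window_visible": True}],
    "run_key": {"ExampleTray": "C:\\WINDOWS\\systray.exe"},
    "system_files": ["notepad.exe", "win.ini"],
}

if __name__ == "__main__":
    for finding in triage(INFECTED):
        print(finding)
```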

