Security Incidents mailing list archives
Re: notepad.exe backdoor
From: "Grunberg, Jeffrey" <jeff.grunberg () PURCHASE EDU>
Date: Mon, 20 Nov 2000 15:03:56 -0500
Looks like you were infected by the same Trojan horse that was used to break into Microsoft... It's called the QAZ virus... Check out http://www.symantec.com/avcenter/venc/data/qaz.trojan.html

-----Original Message-----
From: Ron Cohen [mailto:rony () rony clara net]
Sent: Sunday, November 19, 2000 5:39 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: notepad.exe backdoor

Hi

Can't remember seeing that on the list - so here it is:

While trying to install a game on my kids' PC, I noticed a notepad process running as a hidden window. Further investigation revealed that:

o upon startup it tries to connect to 202.106.185.107:25;
o listens on about 10 tcp ports from 1024 upward;
o propagates itself via sharing;
o installs itself in run with the key satrtIE;
o when starting it without any arguments a very similar window to the real notepad pops up, except for the Microsoft signatures.
o the original notepad is saved as note.com.

Drop me a line if you want a copy.

------------------
Ron Cohen
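An added example, not part of either message above: a small triage function that checks artifacts collected from a host against the behaviours listed in the original report (a Run entry that starts notepad.exe, note.com sitting beside notepad.exe, and a notepad.exe process holding sockets). The function names, finding codes, input layout and all sample data are assumptions constructed for illustration; only the value name, the file names and the 202.106.185.107:25 endpoint come from the report.

```python
import ntpath

# Indicators as given in the report above (value name spelled as posted).
RUN_VALUE = "satrtie"
REPORTED_PEER = ("202.106.185.107", 25)

def exe_name(cmd):
    """Executable file name from a Run-key command line, lower-cased."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        path = cmd[1:].split('"', 1)[0]
    else:
        path = cmd.split(None, 1)[0] if cmd else ""
    return ntpath.basename(path).lower()

def triage(run_entries, windir_files, sockets):
    """Return sorted finding codes for one host's collected artifacts."""
    found = set()
    for name, cmd in run_entries.items():
        if name.lower() == RUN_VALUE or exe_name(cmd) == "notepad.exe":
            found.add("run-key-starts-notepad")
    files = {f.lower() for f in windir_files}
    if {"notepad.exe", "note.com"} <= files:
        found.add("original-notepad-renamed")
    for s in sockets:
        if s["process"].lower() != "notepad.exe":
            continue  # a text editor has no reason to hold sockets
        if s["state"] == "LISTEN" and s["local_port"] >= 1024:
            found.add("notepad-listening")
        elif s["remote"] == REPORTED_PEER:
            found.add("notepad-to-reported-peer")
        elif s["remote"] and s["remote"][1] == 25:
            found.add("notepad-to-smtp")
    return sorted(found)

# Constructed sample data (not taken from a real host).
INFECTED = dict(
    run_entries={"satrtIE": r"C:\WINDOWS\notepad.exe", "Tray": r'"C:\Program Files\App\tray.exe" /s'},
    windir_files=["NOTEPAD.EXE", "NOTE.COM", "WIN.INI"],
    sockets=[
        {"process": "notepad.exe", "state": "LISTEN", "local_port": 1025, "remote": None},
        {"process": "notepad.exe", "state": "SYN_SENT", "local_port": 1031, "remote": ("202.106.185.107", 25)},
    ],
)
CLEAN = dict(
    run_entries={"Tray": r'"C:\Program Files\App\tray.exe" /s'},
    windir_files=["NOTEPAD.EXE", "WIN.INI"],
    sockets=[{"process": "mailer.exe", "state": "ESTABLISHED", "local_port": 1040, "remote": ("192.0.2.10", 25)}],
)

if __name__ == "__main__":
    print(triage(**INFECTED))
    print(triage(**CLEAN))
```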