Security Incidents mailing list archives
win95, notepad.exe worm/trojan, note.com
From: Josh Brandt <jbrandt () WPI EDU>
Date: Fri, 8 Sep 2000 15:09:41 -0400
Our students just got back, and with them came something interesting. We seem to have discovered something new-- at least I haven't been able to find anything about it searching the usual sites. We first became aware of this when the owner of the IP range just above ours contacted us about WPI residence network machines port-scanning him. We duly shut down physical ports and talked to users, and got a machine in to check out.

We found some odd things on this system. The first is, notepad.exe was running and showed up in the registry, but not in the task manager. It was run with an odd filename: qazwsx.hsq. This file did not exist on the system. (And running a find for it took _far_ less time than it should have, so I think something else was messed with as well.)

The second was, notepad.exe was about twice the size it should have been-- 118k rather than 52k. And there was a mysterious "note.com" in the windows directory that was the actual notepad application.

Examining notepad.exe in wordpad (which is what we had handy-- I have a copy of notepad.exe on our unix systems for examination) revealed a lot of interesting things, including a plaintext IP address that pointed to someplace in .cn.

So, we fired it up and watched it go with the tools available on Win98. It attempted to open connections to other machines starting at its own IP and counting up. (This was nice, because we got back a handy list of exploited machines on our network.) This is why the next people up from us noticed first. It also looked like it was installing itself on anything it could find with insecure shares.

I haven't been able to find out anything about this little worm, but I thought I'd point it out. It also appears to report back to the IP embedded in it via email. A couple of addresses were also embedded in it. Frankly, I'm not sure how much of the info from the binary I ought to post here-- I've got what appears to be an email address, the IP, and "hsq." If I should tell more, I will.
Josh
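The propagation pattern Josh describes (each infected host opening connections upward from its own address, one neighbour at a time) is easy to pick out of connection logs. The detector below is an added example, not code from the original post; it assumes a constructed log in the form "src -> dst:port", and the sample lines, addresses and port number in it are constructed, not taken from the message.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log (not from the post). Host 10.1.4.20 walks upward from
# its own address; host 10.1.4.7 shows ordinary, non-sequential traffic.
SAMPLE_LOG = """\
10.1.4.20 -> 10.1.4.20:139
10.1.4.20 -> 10.1.4.21:139
10.1.4.20 -> 10.1.4.22:139
10.1.4.20 -> 10.1.4.23:139
10.1.4.20 -> 10.1.4.24:139
10.1.4.20 -> 10.1.4.25:139
10.1.4.7 -> 10.1.4.200:80
10.1.4.7 -> 10.1.4.201:80
10.1.4.7 -> 10.1.9.5:443
"""

def parse_lines(text):
    """Yield (src, dst_as_int, port) for every non-empty 'src -> dst:port' line."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        src, rest = line.split(" -> ")
        dst, port = rest.rsplit(":", 1)
        yield src, int(ipaddress.ip_address(dst)), int(port)

def longest_upward_run(targets):
    """Longest run (in log order) of targets that each equal the previous one + 1.
    Returns (start_index, length); (0, 0) for an empty list."""
    best_start, best_len, start = 0, 0, 0
    for i in range(1, len(targets) + 1):
        if i == len(targets) or targets[i] != targets[i - 1] + 1:
            if i - start > best_len:
                best_start, best_len = start, i - start
            start = i
    return best_start, best_len

def find_upward_scanners(text, min_run=4):
    """Map each source host whose targets climb address-by-address for at least
    min_run hops to a summary of that run, noting whether it began at its own IP."""
    per_src = defaultdict(list)
    for src, dst, _port in parse_lines(text):
        per_src[src].append(dst)
    hits = {}
    for src, targets in per_src.items():
        start, length = longest_upward_run(targets)
        if length >= min_run:
            hits[src] = {
                "first": str(ipaddress.ip_address(targets[start])),
                "last": str(ipaddress.ip_address(targets[start + length - 1])),
                "length": length,
                "starts_at_own_ip": targets[start] == int(ipaddress.ip_address(src)),
            }
    return hits
```

Because the run is measured in log order, a host that interleaves ordinary traffic with its sweep is still flagged as long as one uninterrupted stretch reaches min_run hops.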
Current thread:
- win95, notepad.exe worm/trojan, note.com Josh Brandt (Sep 08)
- Re: win95, notepad.exe worm/trojan, note.com Brad (Sep 12)
- Re: win95, notepad.exe worm/trojan, note.com Mike Lewinski (Sep 12)
- Re: win95, notepad.exe worm/trojan, note.com Jonathan S. Keim (Sep 12)
- <Possible follow-ups>
- Re: win95, notepad.exe worm/trojan, note.com Thomas Dullien (Sep 12)
- Re: win95, notepad.exe worm/trojan, note.com Josh Brandt (Sep 12)
- Re: win95, notepad.exe worm/trojan, note.com Daniel Schrader (Sep 12)
- Re: win95, notepad.exe worm/trojan, note.com Brad (Sep 12)