Security Incidents mailing list archives

Re: win95, notepad.exe worm/trojan, note.com


From: Brad <gryphonn () austarnet com au>
Date: Sat, 9 Sep 2000 22:19:16 +1000

In reply to:
Sender: Josh Brandt <jbrandt () WPI EDU>
Subject: win95, notepad.exe worm/trojan, note.com
Dated: 8 Sep 2000,
Time: 15:09

The worm you refer to is known as QAZ (and other names). It was
discovered in August(?) of this year and is slowly but surely
becoming more widespread. It defaults to port 7597. This first came
to my attention on the GRC news server when a couple of people
reported Zonealarm warning that 'Notepad' was attempting to 'access
the Internet'. Removal is rather simple.

Look for this key in your registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\startIE="notepad.exe qazwsx.hsq"

Also look for 'note.com'; that is your original notepad.exe.
Rename the 'infected' notepad to notepad.old and then rename note.com
back to notepad.exe.
This worm can also infect shared systems, send IP addresses of its
infected boxes to an e-mail address and I believe it can also send
itself through Outlook/Express. It is grossly under-rated by most
anti-virus vendors as it appears to be spreading quite rapidly.


This from Sophos:

Name: Troj/Qaz
Aliases: W32.HLLW.Qaz.A, W32/QAZ.worm
Type: Trojan
Date: 29 August 2000

An IDE file that enables Sophos Anti-Virus versions 3.34 to 3.37
to detect this virus is available from the Sophos website.

It will be included in Sophos Anti-Virus version 3.38 and later.

At the time of writing Sophos has not received any reports of
this Trojan horse from our customers, but we are issuing this
alert due to media interest caused by alerts from other
anti-virus vendors.

Description:

Troj/Qaz is a backdoor Trojan that has worm characteristics.

When the Trojan horse is launched it will search for a copy of
NOTEPAD.EXE and rename it to NOTE.COM. The Trojan then copies
itself to the computer as NOTEPAD.EXE.

Each time NOTEPAD.EXE is executed, the Trojan will run and then
launch the untampered version of NOTE.COM to avoid being noticed
by the user.

The Trojan makes changes to the system registry in order to
execute itself every time the system is booted.

The Trojan horse allows remote hackers to connect and gain
access to the affected computer when it is connected to the
internet.

Cheers,
Gryph

Our students just got back, and with them came something interesting.

We seem to have discovered something new-- at least I haven't been
able to find anything about it searching the usual sites.

We first became aware of this when the owner of the IP range just
above ours contacted us about WPI residence network machines
port-scanning him. We duly shut down physical ports and talked to
users, and got a machine in to check out.

We found some odd things on this system.

The first is, notepad.exe was running and showed up in the registry,
but not in the task manager. It was run with an odd filename:
qazwsx.hsq. This file did not exist on the system. (And running a find
for it took _far_ less time than it should have, so I think something
else was messed with as well.)



***********************************
Bradley.N.Griffin
Gryphonn Design
Web Design
Computer Systems Consultant
Security Solutions
gryphonn () austarnet com au
ABN: 12 095 821 961
**********************************
Help save a starving child.
One click is all it takes:
http://www.thehungersite.com/
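The removal steps in the message above and the Sophos description give three host-side indicators of this trojan: the Run value (startIE pointing at notepad.exe with the qazwsx.hsq argument), the renamed original notepad.exe sitting beside it as note.com, and the default backdoor port 7597. The following is an added example, not code from this thread, from Sophos or from WPI, that checks exported evidence for those indicators offline. It assumes a Windows registry export in .reg text format and the output of `netstat -an`; the sample export and netstat lines embedded below are constructed for the example, not captured from a real machine.

```python
import re

# Constructed sample of a Windows .reg export (not from a real host). The
# "startIE" value reproduces the persistence entry described in the thread.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 4.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"startIE"="notepad.exe qazwsx.hsq"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MyApp"="C:\\Program Files\\MyApp\\app.exe"
'''

# Constructed sample of `netstat -an` output (not from a real host).
SAMPLE_NETSTAT = '''
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7597           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1045        192.0.2.20:80          ESTABLISHED
'''

# Matches any ...\CurrentVersion\Run key header (Run, RunOnce, RunServices, ...).
RUN_KEY_RE = re.compile(r'^\[(HKEY_[^\]]*\\CurrentVersion\\Run[^\]]*)\]$')
# Matches a quoted value name and its string data: "name"="data"
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

QAZ_PORT = 7597  # default backdoor port named in the thread


def parse_run_entries(reg_text):
    """Return (key, value_name, data) for every string value under a Run key."""
    entries = []
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith('['):
            # A new key header: remember it only if it is a Run-type key.
            match = RUN_KEY_RE.match(line)
            current_key = match.group(1) if match else None
            continue
        if current_key is None:
            continue
        match = VALUE_RE.match(line)
        if match:
            entries.append((current_key, match.group(1), match.group(2)))
    return entries


def find_qaz_run_entries(reg_text):
    """Flag Run values matching the persistence entry described in the thread."""
    hits = []
    for key, name, data in parse_run_entries(reg_text):
        data_l = data.lower()
        if 'qazwsx.hsq' in data_l or (name.lower() == 'startie' and 'notepad' in data_l):
            hits.append((key, name, data))
    return hits


def find_qaz_listener(netstat_text, port=QAZ_PORT):
    """Return local addresses from `netstat -an` output listening on the given port."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Windows netstat rows: Proto, Local Address, Foreign Address, State
        if len(fields) < 4 or fields[0].upper() != 'TCP' or fields[3] != 'LISTENING':
            continue
        local = fields[1]
        if local.rsplit(':', 1)[-1] == str(port):
            listeners.append(local)
    return listeners


def note_com_present(filenames):
    """True when both notepad.exe and note.com are present in a directory listing."""
    names = {f.lower() for f in filenames}
    return 'notepad.exe' in names and 'note.com' in names


if __name__ == '__main__':
    for hit in find_qaz_run_entries(SAMPLE_REG_EXPORT):
        print('Suspicious Run value:', hit)
    for local in find_qaz_listener(SAMPLE_NETSTAT):
        print('Listener on QAZ default port:', local)
    # Constructed directory listing of a Windows directory with both files present.
    print('note.com beside notepad.exe:', note_com_present(['NOTEPAD.EXE', 'NOTE.COM', 'WIN.COM']))
```

On a real host the .reg text would come from exporting the Run keys with regedit and the netstat text from `netstat -an`; the checks are deliberately narrow to the indicators the thread states, so a non-default port or a differently named value would need its own rule.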

