Security Incidents mailing list archives
Re: win95, notepad.exe worm/trojan, note.com
From: Daniel Schrader <dans () ONVOYMAIL COM>
Date: Sat, 9 Sep 2000 22:20:38 -0700
Trend Micro's virus tracking system shows it to be the 9th most common virus/trojan/worm/joke reported over the past 7 days. You can see the tracking system at: http://wtc.trendmicro.com/wtc/

Of course, set it to show infected computers, not infected files.

Dan Schrader

ps pity trend doesn't give more info - like the number of scans their data is based on. I tried to get them to post the context info when I worked for them (I left them a month ago) but it never happened.

On Saturday, September 09, 2000 5:19 AM, Brad [SMTP:gryphonn () austarnet com au] wrote:
In reply to: Sender: Josh Brandt <jbrandt () WPI EDU> Subject: win95, notepad.exe worm/trojan, note.com Dated: 8 Sep 2000, Time: 15:09

> Our students just got back, and with them came something interesting. We seem to have discovered something new-- at least I haven't been able to find anything about it searching the usual sites.
>
> We first became aware of this when the owner of the IP range just above ours contacted us about WPI residence network machines port-scanning him. We duly shut down physical ports and talked to users, and got a machine in to check out.
>
> We found some odd things on this system. The first is, notepad.exe was running and showed up in the registry, but not in the task manager. It was run with an odd filename: qazwsx.hsq. This file did not exist on the system. (And running a find for it took _far_ less time than it should have, so I think something else was messed with as well.)

The worm you refer to is known as QAZ (and other names). It was discovered in August(?) of this year and is slowly but surely becoming more widespread. It defaults to port 7597.

This first came to my attention on the GRC news server when a couple of people reported Zonealarm warning that 'Notepad' was attempting to 'access the Internet'.

Removal is rather simple. Look for this key in your registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\start IE="notepad.exe qazwsx.hsq"

Also look for 'note.com', that is your original notepad.exe. Rename the 'infected' notepad to notepad.old and then rename note.com back to notepad.exe.

This worm can also infect shared systems, send IP addresses of its infected boxes to an e-mail address and I believe it can also send itself through Outlook/Express. It is grossly under-rated by most anti-virus vendors as it appears to be spreading quite rapidly.

This from Sophos:

Name: Troj/Qaz
Aliases: W32.HLLW.Qaz.A, W32/QAZ.worm
Type: Trojan
Date: 29 August 2000

An IDE file that enables Sophos Anti-Virus versions 3.34 to 3.37 to detect this virus is available from the Sophos website. It will be included in Sophos Anti-Virus version 3.38 and later. At the time of writing Sophos has not received any reports of this Trojan horse from our customers, but we are issuing this alert due to media interest caused by alerts from other anti-virus vendors.

Description: Troj/Qaz is a backdoor Trojan that has worm characteristics. When the Trojan horse is launched it will search for a copy of NOTEPAD.EXE and rename it to NOTE.COM. The Trojan then copies itself to the computer as NOTEPAD.EXE. Each time NOTEPAD.EXE is executed, the Trojan will run and then launch the untampered version of NOTE.COM to avoid being noticed by the user.

The Trojan makes changes to the system registry in order to execute itself every time the system is booted. The Trojan horse allows remote hackers to connect and gain access to the affected computer when it is connected to the internet.

Cheers,
Gryph

***********************************
Bradley.N.Griffin
Gryphonn Design
Web Design
Computer Systems Consultant
Security Solutions
gryphonn () austarnet com au
ABN: 12 095 821 961
**********************************
Help save a starving child. One click is all it takes: http://www.thehungersite.com/
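Added here as an example (not code from any post in this thread): a Python check for the three QAZ indicators Brad's reply names, the Run value launching "notepad.exe qazwsx.hsq", the note.com copy of the displaced original notepad, and the default port 7597. It assumes a regedit-style export of the Run key, a Windows directory listing and a list of listening TCP ports as inputs; all sample data below is constructed.

```python
import re
from typing import Dict, List

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Indicators named in the thread: the Run value, the displaced original, the port.
QAZ_RUN_PATTERN = re.compile(r"notepad\.exe\s+qazwsx\.hsq", re.IGNORECASE)
QAZ_BACKUP_NAME = "note.com"
QAZ_DEFAULT_PORT = 7597

def parse_reg_export(reg_text: str) -> Dict[str, Dict[str, str]]:
    """Parse a minimal regedit export into {key path: {value name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            # .reg exports quote strings and escape backslashes as "\\"
            keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def find_qaz_indicators(reg_text: str, windows_dir: List[str],
                        listening_ports: List[int]) -> List[str]:
    """Return one finding per QAZ indicator present; an empty list means clean."""
    findings: List[str] = []
    for name, data in parse_reg_export(reg_text).get(RUN_KEY, {}).items():
        if QAZ_RUN_PATTERN.search(data):
            findings.append(f"Run value {name!r} launches {data!r}")
    if any(f.lower() == QAZ_BACKUP_NAME for f in windows_dir):
        findings.append("NOTE.COM present (displaced original notepad.exe)")
    if QAZ_DEFAULT_PORT in listening_ports:
        findings.append(f"TCP port {QAZ_DEFAULT_PORT} listening (QAZ default)")
    return findings

# Constructed sample of an infected host, matching what the thread describes.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"start IE"="notepad.exe qazwsx.hsq"
"""
SAMPLE_DIR = ["notepad.exe", "NOTE.COM", "win.ini"]
SAMPLE_PORTS = [139, 7597]

if __name__ == "__main__":
    for finding in find_qaz_indicators(SAMPLE_REG, SAMPLE_DIR, SAMPLE_PORTS):
        print(finding)
```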
Current thread:
- win95, notepad.exe worm/trojan, note.com Josh Brandt (Sep 08)
- Re: win95, notepad.exe worm/trojan, note.com Brad (Sep 12)
- Re: win95, notepad.exe worm/trojan, note.com Mike Lewinski (Sep 12)
- Re: win95, notepad.exe worm/trojan, note.com Jonathan S. Keim (Sep 12)
- <Possible follow-ups>
- Re: win95, notepad.exe worm/trojan, note.com Thomas Dullien (Sep 12)
- Re: win95, notepad.exe worm/trojan, note.com Josh Brandt (Sep 12)
- Re: win95, notepad.exe worm/trojan, note.com Daniel Schrader (Sep 12)
- Re: win95, notepad.exe worm/trojan, note.com Brad (Sep 12)