Security Incidents mailing list archives

Re: Quenching a QAZ quandary quickly...


From: Brad <gryphonn () austarnet com au>
Date: Sat, 23 Sep 2000 09:44:21 +1000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In reply to:
Sender: Robert Washam <rwasham () FNCI COM>
Subject: Quenching a QAZ quandary quickly...
Dated: 22 Sep 2000,
Time: 9:15

Well, it was fortune that brought Josh Brandt's post of 9/8/00 to my
door: The very day before, QAZ visited me.  And keeps coming back.
You feed these viruses and they just want more and more and... Okay,
so here is the question:  Since I am now the lucky owner of this
wonderful virus, how is it coming back all the time?

 1. I've replaced NOTEPAD.EXE with Norton's Quarantine/renaming note.com;
 2. I've done Reg Search & Replace and there is NO SIGN OF ANY BAD
    notepad.exe OR QAZ in there;

Is there any string in the
HKLM\Software\Microsoft\Windows\CurrentVersion\Run key that begins
with 'StartIE=' ? If so, that will be the culprit (according to the
original form of this trojan). It is possible that the trojan was
renamed.

 3. The same machine gets hit every five to seven days;

Have you looked for any unusual executables that are in the 118kB
size range? Also (and I don't mean to insult your intelligence), are
you sure this system is not sharing itself with the outside world?

 4. It is on a private IP network (10.0.0.0) behind a Cisco setup for NAT
    and with my SPECIAL access list to block most things/ports;
 5. The only other machine running Windows XX is an NT Server that APPEARS
    to be fine.

I suspect Outlook.  But then again, I always suspect Outlook.  Anyone
know how it might live in Outlook?  I'm checking DOT files for
template infections, I've searched the infected system for note*.* and
even *qaz*.* but no luck.

Unless the trojan executable has undergone some major modifications,
it will not be a document template.

Any help, as always, is appreciated.

I have played with this exe (trojan notepad) a little and it didn't
replace the system notepad (under W98SE). I 'ran' the trojan under a
variety of different scenarios in many different directories and all
it did was create the reg key and run on start-up. It did do the
incremental port 139 scan on hosts across my ISP's subnet. It also
sent off my dynamic IP address to the freemail.yeah.net account.
Removal was a simple case of deleting the registry key and deleting
the executable.

Perhaps it is coming in from somewhere else. The NT box may be one to
check thoroughly.
Cheers,
Brad


Thanks,
Robert



-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2 -- QDPGP 2.61a
Comment: http://community.wow.net/grt/qdpgp.html

iQA/AwUBOctiNYgbRJHvXRMDEQKPaQCgjrdmREU6zO8Nw/W9Dd8WDLiFjpMAoIJg
NRmhfv+ZcLVnigg+3diG+5nP
=GW9x
-----END PGP SIGNATURE-----
***********************************
Bradley.N.Griffin
Gryphonn Design
Web Design
Computer Systems Consultant
Security Solutions
gryphonn () austarnet com au
ABN: 12 095 821 961
Ph: 61+7+49222589
**********************************
Help save a starving child.
One click is all it takes:
http://www.thehungersite.com/
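The three checks Brad suggests above (a 'StartIE' entry under the Run key, executables near 118 kB, and whether the host is offering shares on port 139) can be scripted on a current Windows host. The script below is an added example written for this archive page; it is not code from the thread or from either poster. It assumes PowerShell 5 or later, the Windows Run keys named in the thread, and treats the 118 kB figure as a +/-10% window over the Windows directory and System32 (the window and the directories are assumptions, not something the thread states).

```powershell
# Added example, not from the original thread. Defender-side checks that
# mirror the advice in the reply above. Assumes PowerShell 5+ on Windows.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',   # key named in the thread
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'    # per-user equivalent (assumption)
)

# 1. Run-key entries whose value name starts with 'StartIE' (the name the
#    thread attributes to the original QAZ variant) or whose data points at
#    a notepad.exe (the binary the thread says the trojan replaced).
foreach ($keyPath in $runKeys) {
    if (-not (Test-Path $keyPath)) { continue }
    $key = Get-Item $keyPath
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        if ($name -like 'StartIE*' -or $data -match '(?i)notepad\.exe') {
            Write-Output ("SUSPECT RUN ENTRY  {0}\{1} = {2}" -f $keyPath, $name, $data)
        }
    }
}

# 2. Executables close to the 118 kB size the thread mentions. The +/-10%
#    window and the two directories searched are assumptions for this example;
#    newest files are listed first so a recent drop stands out.
$lo = 118KB * 0.9
$hi = 118KB * 1.1
Get-ChildItem -Path $env:SystemRoot, "$env:SystemRoot\System32" -Filter *.exe -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -ge $lo -and $_.Length -le $hi } |
    Select-Object FullName, Length, LastWriteTime |
    Sort-Object LastWriteTime -Descending |
    Format-Table -AutoSize

# 3. Is the NetBIOS session service (TCP 139) listening, i.e. is this host
#    exposing shares that the thread's port-139 scanning would find?
$listener = Get-NetTCPConnection -LocalPort 139 -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    $listener | Select-Object LocalAddress, LocalPort, OwningProcess
} else {
    Write-Output 'TCP 139 is not listening on this host.'
}
```

Run it in an elevated PowerShell session so both hives and System32 are readable; a hit in step 1 or a file from step 2 with a surprising timestamp is what you would then quarantine and hash, and a listener in step 3 on a host that does not need to serve files is the exposure Brad is asking Robert to rule out.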

