Security Incidents mailing list archives
Re: Quenching a QAZ quandary quickly...
From: Brad <gryphonn () austarnet com au>
Date: Sat, 23 Sep 2000 09:44:21 +1000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In reply to:
Sender: Robert Washam <rwasham () FNCI COM>
Subject: Quenching a QAZ quandary quickly...
Dated: 22 Sep 2000, Time: 9:15
> Well, it was fortune that brought Josh Brandt's post of 9/8/00 to my door: The very day before, QAZ visited me. And keeps coming back. You feed these viruses and they just want more and more and... Okay, so here is the question: Since I am now the lucky owner of this wonderful virus, how is it coming back all the time?
>
> 1. I've replaced NOTEPAD.EXE with Norton's Quarantine/renaming note.com;
> 2. I've done Reg Search & Replace and there is NO SIGN OF ANY BAD notepad.exe OR QAZ in there;

Is there any string in the HKLM\Software\Microsoft\Windows\CurrentVersion\Run key that begins with 'StartIE='? If so, that will be the culprit (according to the original form of this trojan). It is possible that the trojan was renamed.

> 3. The same machine gets hit every five to seven days;

Have you looked for any unusual executables that are in the 118kB size range? Also (and I don't mean to insult your intelligence), are you sure this system is not sharing itself with the outside world?

> 4. It is on a private IP network (10.0.0.0) behind a Cisco setup for NAT and with my SPECIAL access list to block most things/ports;
> 5. The only other machine running Windows XX is an NT Server that APPEARS to be fine.
>
> I suspect Outlook. But then again, I always suspect Outlook. Anyone know how it might live in Outlook? I'm checking DOT files for template infections, I've searched the infected system for note*.* and even *qaz*.* but no luck.

Unless the trojan executable has undergone some major modifications, it will not be a document template.

> Any help, as always, is appreciated.

I have played with this exe (trojan notepad) a little and it didn't replace the system notepad (under W98SE). I 'ran' the trojan under a variety of different scenarios in many different directories and all it did was create the reg key and run on start-up. It did do the incremental port 139 scan on hosts across my ISP's subnet. It also sent off my dynamic IP address to the freemail.yeah.net account. Removal was a simple case of deleting the registry key and deleting the executable. Perhaps it is coming in from somewhere else. The NT box may be one to check thoroughly.

Cheers,
Brad

> Thanks,
> Robert
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2 -- QDPGP 2.61a
Comment: http://community.wow.net/grt/qdpgp.html

iQA/AwUBOctiNYgbRJHvXRMDEQKPaQCgjrdmREU6zO8Nw/W9Dd8WDLiFjpMAoIJg
NRmhfv+ZcLVnigg+3diG+5nP
=GW9x
-----END PGP SIGNATURE-----

***********************************
Bradley.N.Griffin
Gryphonn Design
Web Design
Computer Systems Consultant
Security Solutions
gryphonn () austarnet com au
ABN: 12 095 821 961
Ph: 61+7+49222589
**********************************
Help save a starving child. One click is all it takes: http://www.thehungersite.com/
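Brad's reply names three things a responder can check for: a value called StartIE under the HKLM Run key, an unexpected executable in the 118 kB size range, and the incremental port 139 scan of neighbouring hosts that the trojan performs once it is running. The script below is an added example written for this archive page, not code from the thread or from any of its participants. It works offline on artefacts a responder would already collect: a `regedit /e` text export, a (path, size) file inventory, and outbound-connection log lines in a constructed `src -> dst:port` format. The registry excerpt, inventory and log lines are all constructed sample data; the run-length threshold for calling something a sweep is an assumption.

```python
"""Offline triage for the QAZ indicators described in the thread (added example)."""
import re
from ipaddress import ip_address

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed excerpt in the `regedit /e` text format (not a real capture).
# .reg exports double every backslash inside value data.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"StartIE"="C:\\WINDOWS\\notepad.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Benign"="C:\\Program Files\\tool.exe"
"""

VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def find_startie_values(reg_text, run_key=RUN_KEY):
    """Return (name, data) pairs for values named StartIE under run_key only."""
    hits = []
    in_run_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Section header: remember whether we are inside the Run key.
            in_run_key = line[1:-1].lower() == run_key.lower()
            continue
        if not in_run_key:
            continue
        m = VALUE_RE.match(line)
        if m and m.group(1).lower() == "startie":
            hits.append((m.group(1), m.group(2)))
    return hits


# Constructed file inventory: (path, size in bytes). Sizes are made up.
SAMPLE_INVENTORY = [
    (r"C:\WINDOWS\notepad.exe", 120_320),
    (r"C:\WINDOWS\note.com", 53_248),
    (r"C:\WINDOWS\SYSTEM\calc.exe", 94_208),
]


def find_exes_near_size(inventory, target=118 * 1024, tolerance=2 * 1024):
    """Return .exe paths whose size lies within +/- tolerance of target."""
    return [path for path, size in inventory
            if path.lower().endswith(".exe") and abs(size - target) <= tolerance]


# Constructed outbound connection log, one "src -> dst:port" record per line.
SAMPLE_CONN_LOG = """\
10.0.0.5 -> 203.0.113.1:139
10.0.0.5 -> 203.0.113.2:139
10.0.0.5 -> 203.0.113.3:139
10.0.0.5 -> 203.0.113.4:139
10.0.0.5 -> 203.0.113.5:139
10.0.0.7 -> 203.0.113.10:80
10.0.0.7 -> 203.0.113.11:139
"""

CONN_RE = re.compile(r"^(\S+) -> (\S+):(\d+)$")


def detect_port139_sweep(log_text, min_run=4):
    """Map each source that hit port 139 on >= min_run consecutive destination
    addresses to the length of its longest consecutive run (threshold assumed)."""
    targets = {}
    for line in log_text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m or int(m.group(3)) != 139:
            continue
        targets.setdefault(m.group(1), set()).add(int(ip_address(m.group(2))))
    flagged = {}
    for src, dsts in targets.items():
        longest = run = 0
        prev = None
        for addr in sorted(dsts):
            # Incremental scanning shows up as addresses that differ by exactly 1.
            run = run + 1 if prev is not None and addr == prev + 1 else 1
            longest = max(longest, run)
            prev = addr
        if longest >= min_run:
            flagged[src] = longest
    return flagged


if __name__ == "__main__":
    print("StartIE values under HKLM Run:", find_startie_values(SAMPLE_REG))
    print("Executables near 118 kB:", find_exes_near_size(SAMPLE_INVENTORY))
    print("Port 139 sweeps by source:", detect_port139_sweep(SAMPLE_CONN_LOG))
```

The registry check deliberately matches the value name rather than the data, since Brad notes the executable may have been renamed; the size window and the sweep threshold are both tunable because a modified build of the trojan would not match the original 118 kB figure exactly, and a legitimate backup or management host can also touch port 139 on a few neighbours without scanning a whole range.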
Current thread:
- Quenching a QAZ quandary quickly... Robert Washam (Sep 22)
- Re: Quenching a QAZ quandary quickly... Brad (Sep 24)