Security Incidents mailing list archives
Re: Notepad - Worm
From: Mike Lewinski <mike () ROCKYNET COM>
Date: Mon, 25 Sep 2000 14:25:25 -0600
Name: Troj/Qaz
Aliases: W32.HLLW.Qaz.A, W32/QAZ.worm
Type: Trojan
Date: 29 August 2000

I think about 90% of all attempts to access smb on my site are originated by this worm. The standard listening port is 7597. Does anybody know the standard password or a URL to get the source?

Well, now I've found something....

$ nc <qaz_infected_ip> 7597
:qazwsx.hsq
run dir
exit

The prompt is a single colon ":". Entering anything other than "qazwsx.hsq" at the : will close the connection. Also this only seems to work with netcat. When I tried telnet it didn't even accept my exit command (but it did take the qazwsx.hsq and give me a > prompt).

It does seem to allow for the remote client to run commands, as when I tried "run dir" it paused for a few seconds, then returned me to a prompt (without displaying the output). To test that theory I started up a packet sniffer and did a 'run ping <my_ip>' and sure enough, the command was run on the remote machine.

Mike
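
Added example, not part of the original post: a log-triage script for defenders built on the two indicators mentioned in the thread, TCP port 7597 and the volume of SMB access attempts. The log layout, the 10.0.0.0/8 internal range, the fan-out threshold and every sample line are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

QAZ_PORT = 7597                                 # listening port reported in the post
SMB_PORTS = {139, 445}                          # NetBIOS session service, direct-hosted SMB
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address range

# Hypothetical log layout: "<time> <ALLOW|DENY> TCP <src>:<sport> -> <dst>:<dport>"
LINE = re.compile(r"^(\S+) (ALLOW|DENY) TCP ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")

# Constructed sample records, not taken from any real network.
SAMPLE_LOG = """\
2000-09-25T14:01:02 DENY TCP 198.51.100.7:1045 -> 10.0.0.5:139
2000-09-25T14:01:03 DENY TCP 198.51.100.7:1046 -> 10.0.0.6:139
2000-09-25T14:01:04 DENY TCP 198.51.100.7:1047 -> 10.0.0.7:139
2000-09-25T14:05:40 ALLOW TCP 203.0.113.9:2211 -> 10.0.0.23:7597
2000-09-25T14:06:10 DENY TCP 192.0.2.44:3050 -> 10.0.0.9:7597
2000-09-25T14:07:00 ALLOW TCP 10.0.0.23:1201 -> 10.0.0.5:139
2000-09-25T14:07:01 ALLOW TCP 10.0.0.23:1202 -> 10.0.0.6:139
2000-09-25T14:07:02 ALLOW TCP 10.0.0.23:1203 -> 10.0.0.8:445
2000-09-25T14:09:30 ALLOW TCP 10.0.0.30:1500 -> 10.0.0.5:139
this line does not match the layout and is skipped
"""

def triage(log_text, smb_fanout=3):
    """Return hosts worth checking for Troj/Qaz, based on firewall records."""
    reachable = set()               # internal hosts with a passed connection to 7597
    smb_targets = defaultdict(set)  # source -> distinct hosts it tried SMB against
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        _, action, src, _, dst, dport = m.groups()
        dport = int(dport)
        # A passed connection only shows the port was reachable; confirm on the host.
        if dport == QAZ_PORT and action == "ALLOW" and ipaddress.ip_address(dst) in INTERNAL:
            reachable.add(dst)
        elif dport in SMB_PORTS:
            smb_targets[src].add(dst)
    # One source trying SMB on many hosts looks like share-hunting, not normal file access.
    scanners = {s for s, hosts in smb_targets.items() if len(hosts) >= smb_fanout}
    return {
        "reachable_on_7597": sorted(reachable),
        "smb_scanners": sorted(scanners),
        "listener_and_scanner": sorted(reachable & scanners),
    }

if __name__ == "__main__":
    for finding, hosts in triage(SAMPLE_LOG).items():
        print(f"{finding}: {', '.join(hosts) or '-'}")
```

A host that appears under listener_and_scanner shows both behaviours described in the thread and is the first one to isolate and inspect.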
Current thread:
- Notepad - Worm Matthias Krawen (Sep 25)
- Re: Notepad - Worm Mike Lewinski (Sep 25)