Re: Disabling QAZ (was Re: Port 139 scans)

[Roland Dobbins <rdobbins () netmore net>]

Can't you just download a .reg file to the luser and instruct him to
click on it?  Or use one of the well-known SMB/CIFS exploits to make it
execute your code - i.e., the .reg file?

Also, variants I've seen replace NOTEPAD.EXE with a hacked version -
they merely rename the real NOTEPAD.EXE, then substitute a larger one,
for what it's worth.

Ben Browning wrote:
> At 05:02 PM 9/29/00 -0400, Dana Hudes wrote:
> > I am willing to scrap together a script to shutdown the virus on an
> > infected machine and put it in a CGI web page.
>
> Well, that solves the problem until the reboot. After that, the registry
> key opens that puppy right back up.
>
> The trick is to gut it COMPLETELY.
>
> This virus supposedly supports three commands : upload, run and quit. I
> can't get upload to work, and I lost the manpage(ha, ha). It is possible
> to   upload a file (perhaps compiled c?) that rips out the registry entry
> and renames the appropriate files on reboot. In fact, one could (legality
> aside) write up the program to use QAZ as the delivery mechanism for its
> own death. There's something poetic about that...
>
> I have a copy of the worm zipped here- if you'd like it drop me a private
> email.
>
> > I'm not sure about volume but initially I think I can host it. In the
> > event my 1Mbit connection is overwhelmed I'll need another place....
> > What stops me at the moment is that I have no authorization to test
> > against any infected machine.
> > I need a target.
>
> I'd offer mine, but I have it isolated.
>
> > I'm willing to also try for making the connection to the share and
> > removing the infection but I'm not sure I can get it in time.
> > At least a shutdown page would do something.
>
> Half measures merely delay the inevitable- I believe it is best to expunge
> it right off the bat and never have to deal with the recurrences.
>
> > I will start writing my code and await direct e-mail with authorization
> > and a target IP address to test against.
> > Note that I have plenty of potential test targets in my Samba logs :-( but
> > no legal authority to connect to those machines.
>
> My current thought is to simply put up a .reg and .bat file up on the web,
> with instructions on how to use it. Run the .reg to kill the registry key,
> and run the .bat file to rename the files after the reboot. Of course, it
> may be easier to simply have a standard email explaining the virus and the
> removal procedure (my current solution,  if anyone wants a copy of the
> email drop me a line). I will stick with this approach unless the script
> fully removes (as opposed to temporarily disabling) the virus.
>
> Another interesting note- the virus will not allow your computer to reboot
> if someone is connected to the telnet port.
>
> On a side note, if anyone knows a good logfile parsing perl script that
> pulls out all the IP addresses in a log, I'd love a copy. I have one, but
> it is very clunky and I daresay a better perl coder than I has tackled this
> issue. I only ask because this worm has increased the number of other
> peoples(variously formatted) logfiles in my inbox by about 900%.  :)
>
> ---
> Ben Browning <benb () oz net>
> oz.net Network Operations
> Tel (206) 443-8000 Fax (206) 443-0500
> http://www.oz.net/

-- 
------------------------------------------------------------
 Roland Dobbins <rdobbins () netmore net> // 818.535.5024 voice