
Virus Alert! Notepad backdoor trojan found! (8/22/2000)

Question

Virus Alert! W32/QAZ.worm ... (8/22/2000)

Answer

This question was answered on August 25, 2000. Much of the information contained herein may have changed since posting.

Here is one that we actually contracted on several of our own machines!

---------------------------------------------------------------------

Yet another "backdoor" trojan program has been released and is circulating around the Net. It's called the QAZ worm or Trojan Notepad.

It was first discovered in China in July of 2000. It is a companion virus which can spread over a network and also has a backdoor that will allow a remote hacker to connect to and control the machine. Since the virus does not have the ability to spread to machines outside a local network, it may have originally been spammed out by email.

Here are the technical details:

When running, it listens on TCP port 7597 for instructions from a client component.

When this trojan is executed, it adds a value under the Run key so that it starts with Windows:

Key:   HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Value: StartIE = C:\WINDOWS\notepad.exe qazwsx.hsq

After the next reboot the worm renames NOTEPAD.EXE in the Windows folder to NOTE.COM and then copies itself to the Windows folder as NOTEPAD.EXE.

Whenever the user runs NOTEPAD, the worm is executed first and it then runs NOTE.COM (the real Notepad), so the user sees nothing unusual.

The worm can use network connections to spread to other machines that allow access to their Windows folders and copies itself as "NOTEPAD.EXE".

One telling difference is file size: the real NOTEPAD.EXE is about 52 KB, while this worm is 120,320 bytes.

The symptoms of this trojan are the existence of "NOTE.COM" in the Windows folder, a newly created "NOTEPAD.EXE" of 120,320 bytes, and data packet traffic on TCP port 7597.

This trojan will directly install to the local system if run. It modifies the registry to load at next Windows startup.

This trojan is also network-aware: it uses NetBIOS to "browse" the network for targets with a shared drive where the Windows folder is accessible and NOTEPAD.EXE exists in that folder.

Author

Posted by Ken of Data Doctors on August 25, 2000
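The indicators listed in the answer above (the StartIE value under the Run key launching notepad.exe with the qazwsx.hsq argument, NOTE.COM beside a 120,320-byte NOTEPAD.EXE, and a listener on TCP port 7597) can be checked together. The script below is an added example, not code from the original post or from Data Doctors: the snapshot structure, the function names and the sample netstat text are assumptions made here for illustration, while the indicator values themselves come from the advisory. The live collector reads the Run key with the standard winreg module and parses `netstat -an`, so it only runs on a Windows host; the checking logic works on any platform.

```python
"""Check a host for the QAZ / Trojan Notepad indicators (added example)."""
import os
import subprocess
from dataclasses import dataclass

# Indicator values taken from the advisory above.
QAZ_SIZE = 120_320                 # size of the worm's NOTEPAD.EXE
QAZ_PORT = 7597                    # backdoor listener
QAZ_ARG = "qazwsx.hsq"             # argument in the StartIE Run value
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


@dataclass
class HostSnapshot:
    """Assumed structure: the three things the advisory says to look at."""
    run_values: dict               # Run value name -> command line
    windows_files: dict            # file name in the Windows folder -> size in bytes
    listening_tcp_ports: set       # TCP ports in LISTENING state


def check_qaz(snap):
    """Return a list of human-readable findings; an empty list means no indicator matched."""
    findings = []
    # 1. Autostart: a Run value running notepad.exe with the qazwsx.hsq argument.
    for name, cmd in snap.run_values.items():
        low = cmd.lower()
        if "notepad" in low and QAZ_ARG in low:
            findings.append(f"Run value {name!r} launches {cmd!r}")
    # 2. Companion files: the renamed original and the oversized replacement.
    files = {k.upper(): v for k, v in snap.windows_files.items()}
    if "NOTE.COM" in files:
        findings.append("NOTE.COM present in Windows folder (renamed original Notepad)")
    if files.get("NOTEPAD.EXE") == QAZ_SIZE:
        findings.append(f"NOTEPAD.EXE is exactly {QAZ_SIZE} bytes")
    # 3. Backdoor: something bound to TCP 7597.
    if QAZ_PORT in snap.listening_tcp_ports:
        findings.append(f"TCP port {QAZ_PORT} is listening")
    return findings


def listening_ports_from_netstat(text):
    """Parse `netstat -an` output and return the set of TCP ports in LISTENING state."""
    ports = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].upper() == "TCP" and parts[3].upper() == "LISTENING":
            ports.add(int(parts[1].rsplit(":", 1)[1]))   # rsplit also handles [::]:port
    return ports


def collect_live_snapshot():
    """Gather the three indicator sources from the running Windows host (Windows only)."""
    import winreg
    run = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_SUBKEY) as key:
        i = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:            # raised when there are no more values
                break
            run[name] = str(value)
            i += 1
    windir = os.environ.get("WINDIR", r"C:\WINDOWS")
    files = {e.name: e.stat().st_size for e in os.scandir(windir) if e.is_file()}
    out = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    return HostSnapshot(run, files, listening_ports_from_netstat(out))


# Constructed sample netstat output (not captured from a real infected machine).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7597           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1037       192.168.1.9:139        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""


def demo_snapshot():
    """Constructed snapshot of a host infected as the advisory describes."""
    return HostSnapshot(
        run_values={"StartIE": r"C:\WINDOWS\notepad.exe qazwsx.hsq"},
        windows_files={"notepad.exe": QAZ_SIZE, "note.com": 53_248},
        listening_tcp_ports=listening_ports_from_netstat(NETSTAT_SAMPLE),
    )


if __name__ == "__main__":
    snap = collect_live_snapshot() if os.name == "nt" else demo_snapshot()
    for line in check_qaz(snap) or ["no QAZ indicators found"]:
        print(line)
```

The size check is the weakest of the three: a repacked variant will not be 120,320 bytes, so treat any NOTEPAD.EXE that is not the expected ~52 KB as suspicious rather than relying on the exact figure. The Run value and the NOTE.COM companion file are the indicators that survive trivial changes to the binary.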

