Virus Alert! Notepad backdoor trojan found! (8/22/2000)
Virus Alert! W32/QAZ.worm ... (8/22/2000)
This question was answered on August 25, 2000. Much of the information contained herein may have changed since posting.
Here is one that we actually contracted on several of our own machines!
Yet another "backdoor" trojan program has been released and is circulating around the Net. It's called the QAZ worm or Trojan Notepad.
It was first discovered in China in July of 2000. It is a companion virus that can spread over a network and also carries a backdoor that allows a remote hacker to connect to and control the machine. Since the virus does not have the ability to spread to machines outside a local network, it may originally have been spammed out by email.
Here are the technical details:
When running, it listens on TCP port 7597 for instructions from a client component.
When this trojan is executed, it modifies the registry with this key value:
After the next reboot the worm renames NOTEPAD.EXE in the Windows folder to NOTE.COM and then copies itself to the Windows folder as NOTEPAD.EXE.
Whenever the user runs NOTEPAD, the worm is executed, and it then runs NOTE.COM.
The worm can use network connections to spread to other machines that allow access to their Windows folders, copying itself there as "NOTEPAD.EXE".
One telling difference is size: the real NOTEPAD.EXE is 52 KB, while this worm is 120,320 bytes.
The symptoms of this trojan are the existence of "NOTE.COM", a newly created "NOTEPAD.EXE" of 120,320 bytes, and data packet traffic on TCP port 7597.
This trojan installs directly to the local system if run. It modifies the registry to load at the next Windows startup.
This trojan is also network-aware: it tries to locate systems using NetBIOS by "browsing" the network for targets with a shared drive where the Windows folder is accessible and NOTEPAD.EXE exists in that folder.
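The symptoms listed above (NOTE.COM in the Windows folder, a NOTEPAD.EXE of exactly 120,320 bytes, and a listener on TCP port 7597) can be turned into a host check. The script below is an added example, not part of the original alert; the sample folders it builds are constructed stand-ins holding only zero bytes of the stated sizes, and the 52 KB figure is taken as 53,248 bytes.

```python
"""Host-side check for the QAZ indicators named in the advisory."""
import socket
import tempfile
from pathlib import Path

QAZ_NOTEPAD_SIZE = 120_320   # size of the worm's NOTEPAD.EXE (from the advisory)
QAZ_PORT = 7597              # TCP port the backdoor listens on (from the advisory)
REAL_NOTEPAD_SIZE = 53_248   # assumed byte size for the "52 KB" genuine Notepad


def scan_windows_folder(win_dir):
    """Return the file-system indicators found in a Windows folder."""
    win_dir = Path(win_dir)
    findings = []
    if (win_dir / "NOTE.COM").is_file():
        findings.append("NOTE.COM present (the renamed original Notepad)")
    notepad = win_dir / "NOTEPAD.EXE"
    if notepad.is_file() and notepad.stat().st_size == QAZ_NOTEPAD_SIZE:
        findings.append("NOTEPAD.EXE is 120,320 bytes (worm size)")
    return findings


def backdoor_port_open(host="127.0.0.1", port=QAZ_PORT, timeout=0.5):
    """True if something on `host` accepts a TCP connection on `port`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:              # refused, timed out or unreachable
        return False


def build_sample_folder(infected):
    """Create a constructed, throwaway 'Windows folder' for exercising the scan.

    Only file names and sizes are reproduced; the contents are zero bytes.
    """
    root = Path(tempfile.mkdtemp(prefix="qaz_sample_"))
    if infected:
        (root / "NOTE.COM").write_bytes(b"\0" * REAL_NOTEPAD_SIZE)
        (root / "NOTEPAD.EXE").write_bytes(b"\0" * QAZ_NOTEPAD_SIZE)
    else:
        (root / "NOTEPAD.EXE").write_bytes(b"\0" * REAL_NOTEPAD_SIZE)
    return root


if __name__ == "__main__":
    for label, folder in (("clean", build_sample_folder(False)),
                          ("infected", build_sample_folder(True))):
        print(label, scan_windows_folder(folder) or ["no indicators"])
    print("port 7597 listening:", backdoor_port_open())
```

On a real machine, point scan_windows_folder at the actual Windows folder (for example C:\Windows) instead of a sample folder; the file names are matched as written, which is fine on Windows' case-insensitive file system.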
Posted by Ken of Data Doctors on August 25, 2000