Virus Profile: W32/QAZ.worm

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 8/7/2000
Date Added: 8/10/2000
Origin: Asia Region
Length: 120,320 bytes
Type: Trojan
Subtype: Internet Worm
DAT Required: 4091

Description

This is a trojan detection. Unlike viruses, trojans do not self-replicate; they are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc. Note that W32/QAZ also carries a worm component that copies itself to other machines over open network shares (see Methods of Infection), so this generic description applies to its backdoor component rather than to how it spreads.

Indication of Infection

Existence of "NOTE.COM" in the Windows folder alongside a newly created "NOTEPAD.EXE" of 120,320 bytes (the genuine Notepad is about 52 KB). Packet traffic on TCP port 7597, the port on which the backdoor listens.

Methods of Infection

When run, this trojan installs directly to the local system and modifies the registry so that it loads at the next Windows startup.

It is also network-aware: it uses NetBIOS to "browse" the network for machines that expose a shared drive on which the Windows folder is reachable and contains NOTEPAD.EXE, and infects those that allow write access to that folder.

Aliases

I-Worm.QAZ, note.com, Qaz.Trojan, QAZ.worm, TROJ_QAZ.A, Trojan/Notepad, W32.HLLW.Qaz.A

Virus Characteristics

Update October 27, 2000:
In recent news, it has been noted that a large corporation recently experienced an attack involving this trojan and Internet worm. W32/QAZ gives a remote attacker access to the host system, which allows a hacker or group of hackers to install other malware programs if desired; it is this capability that was exploited at the corporation. It was also speculated that the worm had arrived over e-mail; this is unlikely, since QAZ spreads only over open network shares.

This is an Internet worm that also acts as a backdoor. When running, it listens on TCP port 7597 for instructions from a client component. It also communicates with the IP address 202.106.185.107, which is physically located in China. The backdoor offers the remote user only two operations, uploading a program and running it, but that is enough to install a more complex backdoor or a password-stealing program.

The worm browses the network connections to spread to other machines that allow passwordless write access to their Windows folders over NetBIOS. On each such machine it renames the existing NOTEPAD.EXE to NOTE.COM and copies itself into the folder as "NOTEPAD.EXE".

When the user of the newly infected computer next runs Notepad, the worm executes and modifies the registry to include this value, so that it also starts at every Windows boot:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
StartIE=C:\WINDOWS\notepad.exe qazwsx.hsq

Whenever the user runs NOTEPAD, the worm is executed and it then runs NOTE.COM, the original Notepad, so Notepad appears to work normally.

A simple check: the real NOTEPAD.EXE is about 52 KB, while the worm is 120,320 bytes.
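The following triage routine turns the indicators above (the Indication of Infection section and the file, registry and network characteristics just described) into a check that can be run over a snapshot of a suspect host. It is an added example, not McAfee/AVERT code, and the page contains no code of its own. It assumes the snapshot has already been collected as a mapping of file paths to sizes for the Windows folder, a mapping of Run value names to commands, and the raw text of "netstat -an"; the sample snapshots are constructed, and the 53,248-byte size used for the genuine Notepad is an assumed value standing in for the profile's "about 52 KB".

```python
"""Offline triage for the W32/QAZ.worm indicators listed in this profile.

Added example, not McAfee/AVERT code. The snapshot format (a dict of file
sizes, a dict of Run values and raw `netstat -an` text) is an assumption; on a
live host you would fill it from a directory listing of the Windows folder,
the HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run key and `netstat -an`.
"""
import re
from typing import Dict, List

QAZ_LENGTH = 120_320                 # worm length given in the profile
QAZ_PORT = 7597                      # TCP port the backdoor listens on
QAZ_CALLBACK_IP = "202.106.185.107"  # address the worm communicates with
QAZ_RUN_NAME = "startie"             # Run value name (compared case-insensitively)
QAZ_RUN_ARG = "qazwsx.hsq"           # argument the Run value passes to notepad.exe


def check_files(files: Dict[str, int]) -> List[str]:
    """files maps full path -> size in bytes for the contents of the Windows folder."""
    hits = []
    for path, size in files.items():
        name = path.rsplit("\\", 1)[-1].upper()
        if name == "NOTE.COM":
            hits.append(f"{path} present (the renamed original Notepad)")
        elif name == "NOTEPAD.EXE" and size == QAZ_LENGTH:
            hits.append(f"{path} is {size} bytes (QAZ length; real Notepad is about 52 KB)")
    return hits


def check_run_values(run_values: Dict[str, str]) -> List[str]:
    """run_values maps value name -> command line under the Run key."""
    hits = []
    for name, command in run_values.items():
        cmd = command.lower()
        # Either the documented value name or the documented command line is enough.
        if name.lower() == QAZ_RUN_NAME or ("notepad.exe" in cmd and cmd.endswith(QAZ_RUN_ARG)):
            hits.append(f"Run value {name} = {command}")
    return hits


# Matches the LISTENING lines of Windows `netstat -an`, e.g.
#   TCP    0.0.0.0:7597           0.0.0.0:0              LISTENING
LISTENING_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING", re.I)


def listening_ports(netstat_output: str) -> List[int]:
    """Return the local TCP ports in LISTENING state, in the order printed."""
    ports = []
    for line in netstat_output.splitlines():
        m = LISTENING_RE.match(line)
        if m:
            ports.append(int(m.group(2)))
    return ports


def check_network(netstat_output: str) -> List[str]:
    hits = []
    if QAZ_PORT in listening_ports(netstat_output):
        hits.append(f"TCP port {QAZ_PORT} is LISTENING (QAZ backdoor)")
    if any(QAZ_CALLBACK_IP in line for line in netstat_output.splitlines()):
        hits.append(f"connection involving {QAZ_CALLBACK_IP} (QAZ callback address)")
    return hits


def triage(files: Dict[str, int], run_values: Dict[str, str], netstat_output: str) -> List[str]:
    """Every matched indicator; an empty list means none of the QAZ signs are present."""
    return check_files(files) + check_run_values(run_values) + check_network(netstat_output)


# Constructed sample snapshots (not captured from a real host).
INFECTED_FILES = {r"C:\WINDOWS\NOTEPAD.EXE": 120_320, r"C:\WINDOWS\NOTE.COM": 53_248}
INFECTED_RUN = {"StartIE": r"C:\WINDOWS\notepad.exe qazwsx.hsq",
                "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun"}
INFECTED_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7597           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:7597      202.106.185.107:1138   ESTABLISHED
"""
CLEAN_FILES = {r"C:\WINDOWS\NOTEPAD.EXE": 53_248}
CLEAN_RUN = {"ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun"}
CLEAN_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
"""

if __name__ == "__main__":
    for label, args in (("infected", (INFECTED_FILES, INFECTED_RUN, INFECTED_NETSTAT)),
                        ("clean", (CLEAN_FILES, CLEAN_RUN, CLEAN_NETSTAT))):
        hits = triage(*args)
        print(f"{label}: {len(hits)} indicator(s)")
        for h in hits:
            print("  -", h)
```

The file check keys on the NOTE.COM/NOTEPAD.EXE pair and the 120,320-byte length rather than on a hash, since the profile gives only the length; the network check matches LISTENING lines only, so an ESTABLISHED connection on port 7597 from some other program is not mistaken for the backdoor, while any line mentioning the callback address is reported separately.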

Removal Instructions

All Users:
Script, batch, macro and non-memory-resident:
Use the current engine and DAT files for detection and removal.

PE, Trojan, Internet worm and memory-resident (W32/QAZ falls in this group):
Use the specified engine and DAT files (DAT 4091 or later) for detection. To remove, boot to MS-DOS mode or use a boot diskette and run the command-line scanner:

SCANPM /ADL /CLEAN /ALL

After cleaning, confirm that the 120,320-byte NOTEPAD.EXE is gone and that the StartIE value has been removed from the Run key. The original Notepad is still on disk as NOTE.COM and can be renamed back to NOTEPAD.EXE.


Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates:

* Office 2000 updates

* Malformed Word Document Could Enable Macro to Run Automatically (information/patch)

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook e-mail attachment security update

* Exchange 5.5 post-SP3 Information Store patch 5.5.2652.42 (this patch corrects detection issues with GroupShield)

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link. Network administrators can also configure this update using an available tool; visit this link for more information.

Macro viruses very commonly disable options within Office applications; in Word, for example, the macro protection warning is commonly turned off. After cleaning macro viruses, ensure that your previously set options are enabled again.