OT - MS got hammered, so could you - long

Oct 27, 2000 | 07:52 PM
#1
FlaSVT
Thread Starter
Banned
Joined: Oct 2000
Posts: 570
From: Florida

OT - MS got hammered, so could you - long

I got the following info from the guys at work that deal with computer virus issues. This is the virus the hackers got to MS with. After I read this I checked my home computer and guess what I found. Lucky for me my anti-virus caught this and didn't allow it to install. It got as far as the rename of Notepad but it never could install because the anti-virus software would halt the process. I'm not suggesting that any of you have this virus or that you need to do anything about it. I'm not providing support of any kind on this and won't make any recommendations of any kind, but I thought this might be worth your time to read.

> >
> > NAME: <http://www.datafellows.com/v-descs/info/name.htm> Qaz
> > ALIAS: <http://www.datafellows.com/v-descs/info/alias.htm> Worm.Qaz
> >
> > This is a network worm with backdoor capabilities, which spreads itself under Win32 systems. The worm was reported in-the-wild in July-August, 2000. The worm itself is a Win32 executable file about 120K long, written in MS Visual C++.
> > When an infected file is executed, the worm registers itself in the Windows registry in the auto-start section:
> > HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> > startIE = "filename qazwsx.hsq"
> > where "filename" is the name of the worm's file (usually this is "Notepad.exe", see below). As a result, the worm will be activated each time Windows starts up.
> > The worm then stays in the system memory as an application (visible in the task list) and runs two processes: its spreading process and backdoor process.
> > The spreading process spreads the worm copy through the local network to drives that are shared for reading/writing. The worm enumerates network resources and looks for the "WIN" string in their names. If such a string is found in the name (i.e. the Windows directory on a remote computer), the worm looks for NOTEPAD.EXE in there, renames it with the new name NOTE.COM and writes its copy with the name NOTEPAD.EXE.
> > As a result the original NOTEPAD.EXE can be found under the NOTE.COM name on the affected computer (it is used by the worm to run the original Notepad when the worm completes its routines), and the worm code is present in the NOTEPAD.EXE file. The worm will be activated when a user runs Notepad on the affected machine.
> > The backdoor routine is quite simple. It supports just a few commands: Run (to run a specified file), Upload (to create a file on the affected machine) and Quit (terminate the worm routines). There are just three commands, but that is enough to install any other (more powerful) trojan/virus on the computer.
> >
> > The worm also sends a notification to its "host" (the worm's author?). This e-mail message is sent to some address in China. The message contains the IP address(es) of the infected machine.
> > Before disinfection, please download and run the special REG file that will remove the worm's registry entry from the system:
> > ftp://ftp.europe.F-Secure.com/anti-virus/tools/qazdisin.reg
> > Then restart the system and perform disinfection from either DOS or Windows. Finally, rename the NOTE.COM file back to NOTEPAD.EXE to have Notepad available again.


------------------
Rick

[This message has been edited by ****** (edited 10-27-2000).]
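Added as a defender's check for the indicators the forwarded description lists (example code, not part of the original post or of the F-Secure write-up): it flags a Run key entry carrying the worm's qazwsx.hsq argument, spots the NOTEPAD.EXE/NOTE.COM pair in a directory listing, and builds a REGEDIT4 file that deletes the startIE value, which is what the qazdisin.reg step does. The sample registry data and directory listing are constructed, and read_run_key is an assumed helper that only reads the live key on Windows.

```python
import sys

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
QAZ_VALUE_NAME = "startIE"    # value name the worm writes under the Run key
QAZ_ARGUMENT = "qazwsx.hsq"   # argument the worm appends to its own filename

# Constructed sample inputs (not from a real machine): a Run key holding one
# worm entry beside a benign one, and a Windows directory listing.
SAMPLE_RUN = {"startIE": "Notepad.exe qazwsx.hsq", "SystemTray": "SysTray.Exe"}
SAMPLE_DIR = ["NOTEPAD.EXE", "NOTE.COM", "EXPLORER.EXE"]


def suspicious_run_entries(run_values):
    """Return (name, data) pairs whose command line carries the worm marker."""
    # Match the 'qazwsx.hsq' argument rather than 'notepad', so a legitimate
    # Notepad entry in the Run key is not flagged.
    return [(name, data) for name, data in run_values.items()
            if QAZ_ARGUMENT.lower() in data.lower()]


def notepad_swapped(dir_listing):
    """True when NOTEPAD.EXE and NOTE.COM sit side by side in one directory."""
    # The worm renames the real editor to NOTE.COM and drops itself as
    # NOTEPAD.EXE, so the pair together is the file-system indicator.
    names = {n.upper() for n in dir_listing}
    return "NOTEPAD.EXE" in names and "NOTE.COM" in names


def removal_reg(value_name=QAZ_VALUE_NAME):
    """REGEDIT4 text that deletes only the worm's auto-start value ('=-')."""
    return ("REGEDIT4\r\n\r\n"
            f"[HKEY_LOCAL_MACHINE\\{RUN_KEY}]\r\n"
            f"\"{value_name}\"=-\r\n")


def read_run_key():
    """Read the live Run key with winreg on Windows; {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg
    values, index = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:          # no more values under the key
                return values
            values[name] = str(data)
            index += 1
```

On a Windows box, `suspicious_run_entries(read_run_key())` runs the same check against the real Run key; the generated .reg text removes only the worm's value and leaves the rest of the key alone.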