F-Secure Virus Descriptions : Qaz
This is a network worm with backdoor capabilities that spreads
under Win32 systems. The worm was reported in the wild in
July-August 2000. The worm itself is a Win32 executable file
about 120K long, written in MS Visual C++.
When an infected file is executed, the worm registers itself in
the Windows registry, in the auto-start section:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
startIE = "filename qazwsx.hsq"
where "filename" is the name of the worm's file (usually
"Notepad.exe", see below). As a result, the worm is
activated each time Windows starts up.
The worm then stays resident in memory as an application
(visible in the task list) and runs two processes: a spreading
process and a backdoor process.
The spreading process copies the worm through the local network
to drives that are shared with read/write access. The worm
enumerates network resources and looks for the string "WIN" in
their names. If such a string is found in a name (i.e. a Windows
directory on a remote computer), the worm looks for NOTEPAD.EXE
there, renames it to NOTE.COM and writes its own copy under the
name NOTEPAD.EXE.
As a result, on the affected computer the original NOTEPAD.EXE
is present under the name NOTE.COM (the worm uses it to run the
original Notepad after completing its own routines), and the
worm code is present in the NOTEPAD.EXE file. The worm is
activated whenever a user runs Notepad on the affected machine.
The backdoor routine is quite simple. It supports just a few
commands: Run (run a specified file), Upload (create a file on
the affected machine) and Quit (terminate the worm routines).
There are just three commands, but that is enough to install any
other (more powerful) trojan/virus on the computer.
The worm also sends a notification to its "host" (the worm's
author?). This e-mail message is sent to an address in China and
contains the IP address(es) of the infected machine.
Here's how the worm looks 'from the inside':
The Qaz worm can be successfully disinfected with a fresh version
of FSAV and the latest updates for it:
http://www.europe.f-secure.com/download-purchase/
http://www.europe.f-secure.com/download-purchase/updates.shtml
Before disinfection with FSAV, please download and run the
special REG file that removes the worm's entry from the system
Registry:
ftp://ftp.europe.F-Secure.com/anti-virus/tools/qazdisin.reg
Then restart the system and perform disinfection from either DOS
or Windows. Finally, rename the NOTE.COM file back to NOTEPAD.EXE
so that Notepad is available again.
You can also use the free version of F-Prot for DOS to remove the
Qaz worm from an infected system. In this case disinfection must
be performed from pure DOS, and the REG file listed above must be
run before exiting Windows:
ftp://ftp.europe.F-Secure.com/anti-virus/free/
ftp://ftp.europe.F-Secure.com/anti-virus/updates/f-prot/dos/
For successful disinfection, all files detected as Qaz should be
deleted from the infected system and the NOTE.COM file should be
renamed to NOTEPAD.EXE.
Note: an infected computer within a network can be located by
checking whether it sends or receives data on TCP port 7597.
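As an added illustration (not part of the original description), the following Python triage helper checks host data for the three indicators given above: the startIE Run-key entry with "qazwsx.hsq", NOTE.COM sitting beside NOTEPAD.EXE in a Windows directory, and a socket on TCP port 7597 in "netstat -an" style output. The Run-key values, directory listing and netstat text at the bottom are constructed samples.

```python
"""Host triage helper for the Qaz indicators (added example, constructed data)."""
import re
from typing import Dict, Iterable, List

QAZ_PORT = 7597               # backdoor port named in the description
QAZ_RUN_VALUE = "startIE"     # Run-key value name the worm creates
QAZ_RUN_MARKER = "qazwsx.hsq" # argument the worm appends to its own path

def check_run_key(run_values: Dict[str, str]) -> List[str]:
    """Flag Run-key values matching the worm's 'startIE = "<file> qazwsx.hsq"' entry."""
    hits = []
    for name, data in run_values.items():
        if name.lower() == QAZ_RUN_VALUE.lower() and QAZ_RUN_MARKER in data.lower():
            hits.append(f"registry: {name} = {data!r}")
    return hits

def check_windows_dir(listing: Iterable[str]) -> List[str]:
    """Flag a Windows directory where NOTE.COM (renamed original) sits next to NOTEPAD.EXE."""
    names = {n.upper() for n in listing}
    if "NOTE.COM" in names and "NOTEPAD.EXE" in names:
        return ["filesystem: NOTE.COM present beside NOTEPAD.EXE"]
    return []

# Matches lines such as "  TCP    0.0.0.0:7597    0.0.0.0:0    LISTENING"
NETSTAT_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")

def check_netstat(netstat_output: str) -> List[str]:
    """Flag TCP sockets whose local or remote port is 7597."""
    hits = []
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if m and QAZ_PORT in (int(m.group(2)), int(m.group(4))):
            hits.append(f"network: {line.strip()}")
    return hits

def triage(run_values: Dict[str, str], listing: Iterable[str], netstat_output: str) -> List[str]:
    """Combine all three checks into one list of findings (empty list = no indicators)."""
    return check_run_key(run_values) + check_windows_dir(listing) + check_netstat(netstat_output)

# Constructed sample input mirroring the description; not data captured from a real host.
SAMPLE_RUN = {"startIE": "C:\\WINDOWS\\NOTEPAD.EXE qazwsx.hsq", "SystemTray": "SysTray.Exe"}
SAMPLE_DIR = ["NOTEPAD.EXE", "NOTE.COM", "WIN.INI"]
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:7597           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_RUN, SAMPLE_DIR, SAMPLE_NETSTAT):
        print(finding)
```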
[Kaspersky Labs, F-Secure Corp.; October 2000 - January 2001]