Threat description



This is network worm with backdoor capabilities, which spreads itself under Win32 systems. The worm was reported in-the-wild in July-August, 2000. The worm itself is Win32 executable file and about 120K long, written in MS Visual C++.


Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

When an infected file is executed, the worm registers itself in Windows registry in auto-start section:

 startIE = "filename qazwsx.hsq"

where "filename" is the name of worm's file (usually this is "Notepad.exe", see below). As a result, the worm will be activated each time Windows starts up.

The worm then stays in the system memory as an application (visible in the task list) and runs two processes: its spreading process and backdoor process.

The spreading process spreads the worm copy through the local network to drives that are shared for reading/writing. The worm enumerates network resources and looks for "WIN" string in their names. If such a string is found from the name (i.e. Windows directory on a remote computer), the worm looks for NOTEPAD.EXE in there, renames it with a new name NOTE.COM and writes its copy with the name NOTEPAD.EXE.

As a result the original NOTEPAD.EXE can be found with NOTE.COM name on the affected computer (it is used by the worm to run original Notepad when the worm completes its routines), and the worm code is present in NOTEPAD.EXE file. The worm will be activated when a user runs Notepad on the affected machine.

The backdoor routine is quite simple. It supports just a few commands: Run (to run specified file), Upload (to create a file on affected machine) and Quit (terminate the worm routines). There are just three commands, but that is enough to install any other (more powerful) trojan/virus to the computer.

The worm also sends a notification to its "host" (worm's author?). This e-mail message is sent to some address in China. The message contains the IP address(es) of infected machine.

Here's how the worm looks 'from the inside':

Qaz worm can be successfully disinfected with a fresh version of FSAV and the latest updates for it.

Before disinfection with FSAV, please download and run the special REG file that will remove worm's registry entry from a system Registry:

Then restart a system and perform disinfection from either DOS or Windows. Finally, rename NOTE.COM file back to NOTEPAD.EXE to have Notepad available again.

You can also use a free version of F-Prot for DOS to remove Qaz worm from an infected system. It is a requirement to perform disinfection from pure DOS and to run the above listed REG file before exiting Windows.

For successful disinfection all files detected as Qaz should be deleted from an infected system and NOTE.COM file should be renamed to NOTEPAD.EXE.

Note: to locate an infected computer within a network is possible by checking whether it sends/receives data on TCP port 7597.

[Kaspersky Labs, F-Secure Corp.; October 2000 - January 2001]

Submit a Sample

Suspect a file or URL was wrongly detected? Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info