This story was printed from ZDNet Australia.
Qaz.trojan infects networks

By Robert Vamosi
November 02, 2000
URL: http://www.zdnet.com.au/news/security/soa/Qaz-trojan-infects-networks/0,130061744,120106652,00.htm


There's a new Trojan horse in town called Qaz.trojan (W32.HLLW.QAZ.A). This malicious code spreads within a network of shared computer systems, infecting the Notepad.exe file.

Trojan horses are often not one but many smaller programs bundled together, and one malicious program particular to the Qaz.trojan will open port 7597, allowing a hacker to come along later and gain access to the infected computer. Qaz.trojan requires a user on an infected system to open the Notepad.exe file.

How it works
Although it may have originally spread as an e-mail, a download from a Web site, or through IRC chatrooms, Qaz.trojan now spreads within local-area networks. If the user of an infected system opens Notepad, the virus is run. Qaz.trojan looks for individual systems that share a networked drive, then seeks out the Windows folder and infects the Notepad.exe file on those systems. Qaz.trojan first renames Notepad.exe to Note.com, then creates the virus-infected file Notepad.exe. This new Notepad.exe has a length of 120,320 bytes.

Qaz.trojan rewrites the System Registry to load itself every time the computer is rebooted. Users monitoring their open ports may notice unusual traffic on TCP port 7597 if a hacker connects to the infected computer.

How to detect and remove Qaz.trojan
To detect and remove the Qaz.trojan on your own, follow these steps:

Search for the Notepad.exe file within the local Windows folder. If Notepad.exe has a length of 52,000 bytes (52KB), do not delete it. This is the normal system program. However, if Notepad.exe has a length of 120,320 bytes, delete it, then search for the existence of another file called Note.com and rename that file to Notepad.exe.

Remove the following registry entry: under the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run, the value StartIE=notepad.exe. Delete only this value, not the Run key itself.

Search for the above on all other machines on your network to find any other infections. Repeat the above steps if necessary.
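The manual checks above can be scripted. The following Python sketch is an added example, not part of the original story: it applies the article's indicators (a 120,320-byte Notepad.exe, a Note.com file, and the StartIE Run value) to a given Windows folder. The function names and the constructed sample folders are assumptions made for illustration.

```python
import os
import tempfile

INFECTED_SIZE = 120_320  # length of the trojanized Notepad.exe, per the article
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

def find_ci(folder, name):
    """Return the path of `name` in `folder`, matched case-insensitively, or None."""
    for entry in os.listdir(folder):
        if entry.lower() == name.lower():
            return os.path.join(folder, entry)
    return None

def check_windows_dir(folder):
    """Apply the article's file checks to one Windows folder; return findings."""
    findings = []
    notepad = find_ci(folder, "notepad.exe")
    if notepad and os.path.getsize(notepad) == INFECTED_SIZE:
        findings.append("notepad.exe is 120,320 bytes (matches infected file)")
    if find_ci(folder, "note.com"):
        findings.append("note.com present (possible renamed original Notepad)")
    return findings

def check_run_value():
    """Windows only: return the StartIE value under the HKLM Run key, or None."""
    try:
        import winreg
    except ImportError:
        return None  # not running on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
            value, _type = winreg.QueryValueEx(key, "StartIE")
            return value
    except OSError:
        return None  # key or value absent

def make_sample(infected):
    """Build a constructed Windows folder for the demo (zero-filled files only)."""
    folder = tempfile.mkdtemp()
    size = INFECTED_SIZE if infected else 52_000
    with open(os.path.join(folder, "NOTEPAD.EXE"), "wb") as f:
        f.write(b"\0" * size)
    if infected:
        with open(os.path.join(folder, "NOTE.COM"), "wb") as f:
            f.write(b"\0" * 52_000)
    return folder

if __name__ == "__main__":
    for label, infected in (("clean", False), ("infected", True)):
        print(label, check_windows_dir(make_sample(infected)))
    print("StartIE run value:", check_run_value())
```

To cover other machines on the network, call `check_windows_dir` on each mounted share's Windows folder; the registry check only inspects the local machine.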

Qaz.trojan protection


To protect your system from the Qaz.trojan virus and other malicious viruses:
  • Get protected. If you don't already have virus protection software on your machine, you should. If you're a home or individual user, it's as easy as downloading any of these five star programs then following the installation instructions. If you're on a network, check with your network administrator first. If you're not sure if your existing anti-virus software is up-to-date, scan your system for free to find out.
  • Scan your system regularly. If you're just loading anti-virus software for the first time, it's a good idea to let it scan your entire system. It's better to start your PC clean and free of virus problems. Often the anti-virus program can be set to scan each time the computer is rebooted or on a periodic schedule. Some will scan in the background while you are connected to the Internet. Make it a regular habit to scan for viruses.
  • Update your anti-virus software. Now that you have virus protection software installed, make sure it's up-to-date. Some anti-virus protection programs have a feature that will automatically link to the Internet and add new virus detection code whenever the software vendor discovers a new threat.
