There's a new Trojan horse in town called Qaz.trojan (W32.HLLW.QAZ.A). This malicious code spreads within a network of shared computer systems, infecting the Notepad.exe file.
Trojan horses are often not one but many smaller programs bundled together, and one malicious program particular to the Qaz.trojan will open port 7597, allowing a hacker to come along later and gain access to the infected computer. Qaz.trojan requires a user on an infected system to open the Notepad.exe file.
How it works
Although it may have originally spread by e-mail, as a download from a Web site, or through IRC chatrooms, Qaz.trojan now spreads within local-area networks. If the user of an infected system opens Notepad, the virus runs. Qaz.trojan looks for individual systems that share a networked drive, then seeks out the Windows folder and infects the Notepad.exe file on those systems. Qaz.trojan first renames Notepad.exe to Note.com, then creates the virus-infected file Notepad.exe. This new Notepad.exe has a length of 120,320 bytes.
Qaz.trojan rewrites the System Registry to load itself every time the computer is rebooted. Users monitoring their open ports may notice unusual traffic on TCP port 7597 if a hacker connects to the infected computer.
How to detect and remove Qaz.trojan
To detect and remove the Qaz.trojan on your own, follow these steps:
Search for the Notepad.exe file within the local Windows folder. If Notepad.exe has a length of 52,000 bytes (52KB), do not delete it. This is the normal system program. However, if Notepad.exe has a length of 120,320 bytes, delete it, then search for the existence of another file called Note.com and rename that file to Notepad.exe.
Remove the value StartIE=notepad.exe from the following registry key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Search for the above on all other machines on your network to find any other infections. Repeat the above steps if necessary.
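The checks in the steps above can be scripted so that every machine is examined the same way. The following is an added example, not part of the original article: it assumes Python is available, that the folder passed in is a machine's Windows folder (local or reached over a share), and that the output of `reg query` on the Run key and of `netstat -an` has been captured as text. The function names and sample strings are constructed for illustration.

```python
import re
from pathlib import Path

INFECTED_SIZE = 120_320  # length of the trojan's Notepad.exe, per the article
BACKDOOR_PORT = 7597     # TCP port the trojan opens, per the article

# Constructed sample input, in the layout of `reg query` and `netstat -an`.
SAMPLE_REG = """HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    StartIE    REG_SZ    notepad.exe
"""
SAMPLE_NETSTAT = """  TCP    0.0.0.0:135     0.0.0.0:0    LISTENING
  TCP    0.0.0.0:7597    0.0.0.0:0    LISTENING
"""


def find_ci(folder, name):
    """Return the entry called `name` in `folder`, ignoring case, or None."""
    return next((e for e in Path(folder).iterdir() if e.name.lower() == name.lower()), None)


def check_windows_folder(folder):
    """Step 1: a Notepad.exe of the infected length, and a Note.com beside it."""
    findings = []
    notepad, backup = find_ci(folder, "notepad.exe"), find_ci(folder, "note.com")
    if notepad is not None and notepad.stat().st_size == INFECTED_SIZE:
        findings.append(f"{notepad.name}: length {INFECTED_SIZE} matches the trojan")
    if backup is not None:
        findings.append(f"{backup.name}: possibly the renamed original Notepad.exe")
    return findings


def check_run_key(reg_query_output):
    """Step 2: a StartIE value under the Run key that launches notepad.exe."""
    pat = re.compile(r"^\s*StartIE\s+REG_\w+\s+(.*notepad\.exe.*)$", re.I | re.M)
    return [f"Run value StartIE={m.group(1).strip()}" for m in pat.finditer(reg_query_output)]


def check_port(netstat_output):
    """Any TCP socket whose local address is on the backdoor port."""
    hits = []
    for line in netstat_output.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0].upper() == "TCP" and cols[1].endswith(f":{BACKDOOR_PORT}"):
            hits.append(f"TCP {cols[1]} is {cols[3]}")
    return hits


if __name__ == "__main__":
    for finding in check_run_key(SAMPLE_REG) + check_port(SAMPLE_NETSTAT):
        print(finding)
```

An empty result from all three functions means none of the article's indicators were found on that machine; a Note.com on its own is only a hint and should be confirmed against the Notepad.exe length.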











