Worm.Win32.QAZ

Class Worm
Platform Win32
Description

Technical Details

This is a network worm that spreads on Win32 systems and carries backdoor functionality. It was reported “in the wild” in July–August 2000. The worm is a Win32 executable file about 120K in length, written in MS Visual C++.

When an infected file is executed, the worm registers itself in the Windows registry in the auto-start section:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
startIE = "filename qazwsx.hsq"

where “filename” is the name of the worm’s file (usually “Notepad.exe”, see below). As a result, the worm is activated each time Windows starts up.

The worm then stays resident in memory as an ordinary application (visible in the task list) and runs two routines: spreading and backdoor.

The spreading routine copies the worm through the local network to drives that are shared for reading and writing. The worm enumerates the network resources and looks for the string “WIN” in their names. If the string is present (i.e., the resource is the Windows directory of a remote computer), the worm looks for NOTEPAD.EXE there, renames it to NOTE.COM and writes its own copy under the name NOTEPAD.EXE.

As a result, on the affected machine the original NOTEPAD.EXE is found under the name NOTE.COM (the worm uses it to run the original Notepad once its own routines have completed), and the worm’s code is present in the NOTEPAD.EXE file. The worm is activated the moment a user runs Notepad on the affected machine.
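The two host-side artefacts described above (the startIE Run value carrying the qazwsx.hsq argument, and the NOTE.COM copy of the original Notepad sitting beside the replaced NOTEPAD.EXE) are what an administrator would look for when checking a machine. The following Python routine is an added example, not part of the original description or of any vendor tool: it takes the contents of a Run key and a Windows-directory listing as plain dictionaries (constructed sample data, with invented file sizes) and reports both indicators.

```python
"""Detection helpers for the QAZ auto-start entry and the NOTE.COM/NOTEPAD.EXE swap.

Added example: the Run-key entries and directory listing are passed in as plain
dictionaries so the logic runs offline; on a live host they would come from the
registry and file system. All sample data below is constructed.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass

# Indicators taken from the description above.
QAZ_RUN_VALUE_NAME = "startIE"
QAZ_RUN_ARGUMENT = "qazwsx.hsq"
QAZ_RENAMED_NOTEPAD = "note.com"   # where the worm parks the original Notepad
WORM_HOST_FILE = "notepad.exe"     # the name the worm's own copy takes


@dataclass(frozen=True)
class Finding:
    kind: str    # "run_key" or "file_swap"
    detail: str


def split_run_value(value: str) -> tuple[str, list[str]]:
    """Split a Run-key command line into (executable, arguments).

    posix=False keeps Windows backslashes intact and keeps quotes on the
    token, which we strip afterwards.
    """
    parts = shlex.split(value, posix=False)
    if not parts:
        return "", []
    return parts[0].strip('"'), parts[1:]


def scan_run_key(entries: dict[str, str]) -> list[Finding]:
    """Flag Run-key values matching the worm's auto-start entry.

    Either the value name 'startIE' or the 'qazwsx.hsq' argument is enough,
    so a copy that uses a different host file path is still caught.
    """
    findings: list[Finding] = []
    for name, value in entries.items():
        exe, args = split_run_value(value)
        name_hit = name.lower() == QAZ_RUN_VALUE_NAME.lower()
        arg_hit = any(a.strip('"').lower() == QAZ_RUN_ARGUMENT for a in args)
        if name_hit or arg_hit:
            findings.append(Finding("run_key", f"{name} = {value} (executable: {exe})"))
    return findings


def scan_windows_dir(listing: dict[str, int]) -> list[Finding]:
    """Flag the file swap: a NOTE.COM next to NOTEPAD.EXE in the Windows directory.

    `listing` maps file name to size in bytes. Sizes are reported so the
    analyst can compare the ~120K worm body with the renamed original.
    """
    by_lower = {name.lower(): (name, size) for name, size in listing.items()}
    findings: list[Finding] = []
    if QAZ_RENAMED_NOTEPAD in by_lower and WORM_HOST_FILE in by_lower:
        orig_name, orig_size = by_lower[QAZ_RENAMED_NOTEPAD]
        host_name, host_size = by_lower[WORM_HOST_FILE]
        findings.append(Finding(
            "file_swap",
            f"{orig_name} ({orig_size} bytes) found beside {host_name} ({host_size} bytes)",
        ))
    return findings


def scan_host(run_entries: dict[str, str], windows_listing: dict[str, int]) -> list[Finding]:
    """Run both checks and return every finding."""
    return scan_run_key(run_entries) + scan_windows_dir(windows_listing)


# Constructed sample data (not captured from a real machine; sizes invented).
SAMPLE_RUN_KEY = {
    "SystemTray": "SysTray.Exe",
    "startIE": '"C:\\WINDOWS\\NOTEPAD.EXE" qazwsx.hsq',
}
SAMPLE_WINDOWS_DIR = {"NOTEPAD.EXE": 122880, "NOTE.COM": 52736, "EXPLORER.EXE": 180224}
CLEAN_RUN_KEY = {"SystemTray": "SysTray.Exe"}
CLEAN_WINDOWS_DIR = {"NOTEPAD.EXE": 52736, "EXPLORER.EXE": 180224}

if __name__ == "__main__":
    for finding in scan_host(SAMPLE_RUN_KEY, SAMPLE_WINDOWS_DIR):
        print(f"[{finding.kind}] {finding.detail}")
```

Matching on the argument as well as the value name matters because the value name is trivially renamed, while the `qazwsx.hsq` argument is what the worm passes to itself; a clean machine produces no findings at all.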

The backdoor routine is quite simple. It supports just a few commands: Run (run a specified file), Upload (create a file on the affected machine) and Quit (terminate the worm routines). Three commands are enough, however, to install any other (more powerful) backdoor or any other Trojan or virus on the machine.

The worm also sends a notification to its “host” (possibly the worm’s author): an e-mail message sent to an address in China. The message contains the IP address(es) of the infected machine.