Worm 'QAZ' is an executable .exe file and spreads over Windows 32-bit systems. When activated, it creates a backdoor and a worm component, to ensure its code spreading. It makes the following registry entry, for being opened at the next system start:
[HKLMSOFTWAREMicrosoftWindowsCurrent VersionRun]startIE = "notepad.exe qazwsx.hsq"
'QAZ' spreads on all network drives available, searching for NOTEPAD.EXE and renaming it NOTE.COM, using the required access rights. Then it writes its own program code in a file named NOTEPAD.EXE.
If the user opens the virus program NOTEPAD.EXE, the worm spreads on the system. The user doesn't note the infection, because the real NOTEPAD application will be immediately opened, using the file NOTE.COM.
The backdoor routine is based on three simple commands:
RUN (Starting a program),
UPLOAD (Creating a file on the infected system) and
QUIT (Ending the worm routine).
These three commands are enough for installing a more dangerous backdoor program of a worm or virus on the system.
After infecting the computer, 'QAZ' tries to connect to the Internet. It tries to connect to a Chinese website (http://220.127.116.11), for a possible transmission of the infected computer's IP address. It can not be accessed, because this IP address is blocked. Because this site is no longer available, the Trojan tries to connect again every 4 to 6 minutes. The worm keeps open the existing Internet connections and/or opens them again.
說明撰寫者 Crony Walker 開啟 2004年6月15日星期二