Yuck My computer had WORMS

Grimhun Hroth (Grimmie) grimmie at lovable.com
Tue Sep 19 17:30:50 PDT 2000


This is a real WARNING, not a hoax.
I found that I was infected with W32/QAZ.worm (notepad worm) and also
Network.vbs.

Symptoms were:
1. General slowing of the machine.
2. Seeming slowdown of the Internet connection.
3. Lots of lock-ups.
4. Lots of Internet traffic when there should not have been any.

First thing to check is:
Do a Ctrl + Alt + Del and see if notepad and network are in the pop-up.
If so, then you have them. Then go to your virus scan software web page
and get the current DAT for your virus scan software. I used the free
10-day trial at
http://www.mcafee.com

I had to remove them by hand. Not that hard.
Possible contamination from a program update, NETWORK (PLUGIN), from a
web page.
It sent my files all over the Internet. Hope they enjoyed the files;
nothing much of any interest.
I will watch my CC bills.

R. Dawdy
Grimmie

Bcc this warning to all you know (Please Bcc this)

Virus Name
W32/QAZ.worm
Date Added
8/10/00 10:39:11 AM
Virus Characteristics
This is an Internet worm that also acts as a backdoor. When running, it
listens on TCP port 7597 for instructions from a client component. This
worm also communicates with the IP address 202.106.185.107 which is
physically located somewhere in Asia.

When this trojan is executed, it modifies the registry with this key
value:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
StartIE=C:\WINDOWS\notepad.exe qazwsx.hsq

After the next reboot the worm renames NOTEPAD.EXE in the Windows folder
to NOTE.COM and then copies itself to the Windows folder as NOTEPAD.EXE.

Whenever the user runs NOTEPAD, the worm is executed; it then runs
NOTE.COM (the renamed original Notepad) so the user sees the expected
editor.

The worm can spread over network connections to other machines that
expose their Windows folder on a writable share, copying itself there
as "NOTEPAD.EXE".

One telling difference: the real NOTEPAD.EXE is about 52 KB, while this
worm is 120,320 bytes.


Indications Of Infection
Existence of "NOTE.COM" and a newly created "NOTEPAD.EXE" of 120,320
bytes. Traffic on TCP port 7597.

Method Of Infection
This trojan installs directly to the local system when run. It modifies
the registry so that it loads at the next Windows startup.

This trojan is also network-aware: it uses NetBIOS to "browse" the
network for targets with a shared drive on which the Windows folder is
accessible and NOTEPAD.EXE exists in that folder.
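The three indicators the advisory gives (the StartIE Run value launching notepad.exe with the argument qazwsx.hsq, a 120,320-byte NOTEPAD.EXE beside a NOTE.COM, and a listener on TCP 7597) can be checked offline from artifacts exported off a suspect machine. The following is an added example, not code from the advisory, the poster or McAfee: it triages three constructed artifacts (a .reg export of the Run key, a "dir" listing of the Windows folder and "netstat -an" output). The artifact text, file dates and the listing shape are assumptions made for the example; the indicator values are the ones quoted above.

```python
from __future__ import annotations

import re

# Indicator values quoted in the advisory above.
QAZ_RUN_VALUE = "StartIE"        # value name under HKLM\...\CurrentVersion\Run
QAZ_ARGUMENT = "qazwsx.hsq"      # argument the bogus notepad.exe is launched with
QAZ_SIZE = 120_320               # size of the worm's NOTEPAD.EXE in bytes
QAZ_PORT = 7597                  # backdoor listener port
REAL_NOTEPAD_MAX = 60_000        # the genuine notepad.exe is about 52 KB

# Constructed sample artifacts (assumptions for the example, not from a real host).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"StartIE"="C:\\WINDOWS\\notepad.exe qazwsx.hsq"
'''

SAMPLE_DIR = r'''
 Directory of C:\WINDOWS

08/10/2000  10:39a          120,320 NOTEPAD.EXE
05/11/1998  08:01p           53,248 NOTE.COM
05/11/1998  08:01p           64,256 WRITE.EXE
'''

SAMPLE_NETSTAT = '''
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7597           0.0.0.0:0              LISTENING
'''


def check_run_key(reg_export: str) -> list[str]:
    """Flag Run-key values that match the QAZ persistence entry (name or argument)."""
    findings = []
    for line in reg_export.splitlines():
        m = re.match(r'^\s*"(?P<name>[^"]+)"\s*=\s*"(?P<data>.*)"\s*$', line)
        if not m:
            continue
        name, data = m.group("name"), m.group("data")
        if name.lower() == QAZ_RUN_VALUE.lower() or QAZ_ARGUMENT in data.lower():
            findings.append(f'Run value "{name}" = {data}')
    return findings


def check_windows_dir(dir_listing: str) -> list[str]:
    """Flag NOTE.COM and an oversized NOTEPAD.EXE in a 'dir' listing.

    Assumed listing shape: each file line ends with '<size> <name>', with the
    size written with thousands separators as the DOS/Windows dir command does.
    """
    findings = []
    for line in dir_listing.splitlines():
        m = re.search(r'(?P<size>\d[\d,]*)\s+(?P<name>\S+)\s*$', line)
        if not m:
            continue
        name = m.group("name").upper()
        size = int(m.group("size").replace(",", ""))
        if name == "NOTE.COM":
            findings.append("NOTE.COM present (renamed original Notepad)")
        elif name == "NOTEPAD.EXE":
            if size == QAZ_SIZE:
                findings.append(f"NOTEPAD.EXE is exactly {QAZ_SIZE} bytes (QAZ size)")
            elif size > REAL_NOTEPAD_MAX:
                findings.append(f"NOTEPAD.EXE is {size} bytes, larger than the real ~52 KB binary")
    return findings


def check_listeners(netstat_output: str) -> list[str]:
    """Flag a TCP socket in LISTENING state on the QAZ backdoor port."""
    findings = []
    for line in netstat_output.splitlines():
        m = re.match(r'^\s*TCP\s+\S+:(?P<port>\d+)\s+\S+\s+LISTENING\b', line)
        if m and int(m.group("port")) == QAZ_PORT:
            findings.append(f"TCP port {QAZ_PORT} is listening (QAZ backdoor)")
    return findings


def triage(reg_export: str, dir_listing: str, netstat_output: str) -> dict:
    """Run all three checks; 'infected' is True when any indicator fires."""
    findings = (check_run_key(reg_export)
                + check_windows_dir(dir_listing)
                + check_listeners(netstat_output))
    return {"infected": bool(findings), "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_REG, SAMPLE_DIR, SAMPLE_NETSTAT)
    print("INFECTED" if result["infected"] else "clean")
    for finding in result["findings"]:
        print(" -", finding)
```

On a live Windows 9x/2000 box the same three checks map to "regedit /e", "dir %windir%" and "netstat -an"; the size check is the robust one, since a cleaner that only deletes the Run value leaves the trojanised NOTEPAD.EXE in place.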

Removal Instructions
Script,Batch,Macro and non memory-resident:
Use specified engine and DAT files for detection and removal.

PE, Trojan, Internet Worm and memory-resident:
Use the specified engine and DAT files for detection. To remove, boot to
MS-DOS mode or use an emergency boot diskette and run the command-line
scanner, e.g. "SCANPM C: /CLEAN /ALL".

AVERT Recommended Updates:
Note1- Microsoft has released updates for

* Outlook, to protect against the "Malformed E-mail MIME Header"
vulnerability

* Outlook, the e-mail attachment security update

* Exchange 5.5, the post-SP3 Information Store patch 5.5.2652.42; this
patch corrects detection issues with GroupShield

Microsoft publishes a list of the attachments blocked by the Outlook
patch together with a general FAQ, and a tool with which network
administrators can configure this update.

Note2- It is very common for macro viruses to disable options within
Office applications; for example, in Word the macro protection warning
is commonly disabled. After cleaning macro viruses, ensure that your
previously set options are enabled again.


Virus Information
  Discovery Date: 8/7/00
  Origin: Unknown
  Length: 120,320 bytes
  Type: Trojan
  SubType: Internet Worm
  Risk Assessment: Medium
Aliases
Qaz.Trojan, QAZ.worm, TROJ_QAZ.A, Trojan/Notepad, W32.HLLW.Qaz.A


Virus Name
VBS/Netlog.worm.a
Date Added
2/3/00
Virus Characteristics
This is a new Internet-aware VBScript worm. The sample AVERT received is
2,429 bytes long. The notable thing about it is that a person does not
have to run a VBScript file or read an e-mail message to get infected:
it spreads over open network shares.

The first thing it does is look for the file "c:\network.log" and delete
it if found. It then creates a new "c:\network.log", writes "Log file
Open" to it, and then writes a line of this form to the file:

"Subnet : [Random number between 199 and 214].[Random number between 1
and 254].[Random number between 1 and 254].0"

Then it starts to scan that subnet host by host. For instance, if it
picked 203, 11 and 12, it would start scanning at 203.11.12.1, then
203.11.12.2, then 203.11.12.3, and so on, until it reached 203.11.12.255;
it would then randomly pick a new subnet to scan. After it has scanned 50
subnets in one run, it no longer limits the first octet to the range 199
to 214 and can pick any value between 1 and 254.

In a network-wide infection this worm can also act as a DDoS
(Distributed Denial of Service) attack, because of the name lookups its
scanning triggers. The operating system tries to resolve each generated
address using all the DNS servers listed, and those queries eventually
arrive at the responsible domain server. When enough computers combine
their requests they overpower the server, and it either crashes or
cannot service all the inbound requests.

When scanning, it uses Windows NetBIOS to look for open shares named
"C". These are drives that users intended to share with their local
network but inadvertently exposed to the entire Internet. It then tries
to map the remote drive as drive "J:".

If it succeeds it writes

"Copying files to : [Network name of remote drive]"

to the "c:\network.log" file.

First as a test, it copies itself to the root directory of the remote
drive and checks to see whether the copy was successful. If it was, it
writes

"Successful copy to : [Network name of remote drive]"

to the "c:\network.log" file. Then it will copy the network.vbs file to
these directories:

"j:\windows\startm~1\programs\startup\"
"j:\windows\"
"j:\windows\start menu\programs\startup\"
"j:\win95\start menu\programs\startup\"
"j:\win95\startm~1\programs\startup\"
"j:\wind95\"

where J: is the remote C: drive the worm mapped earlier. Because those
are the remote machine's Windows and Startup folders, the worm gets
control the next time the victim starts their computer.


Indications Of Infection
Existence of the NETWORK.LOG and NETWORK.VBS files as described above.
Note that a normal Windows system will have a file called
"c:\windows\wsh\samples\network.vbs" which is innocent and not related
to this worm.

Method Of Infection
Running this file installs it directly on the local machine, after which
it begins scanning for available shares over the Internet.
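Because the worm keeps its own record in c:\network.log (the subnet lines, the "Copying files to" and "Successful copy to" lines described above), that file is the quickest way to find out which remote machines it reached. The parser below is an added example, not the worm's code or McAfee's: it reconstructs one scan run from a constructed sample log and lists the shares that need cleaning. The line formats are the ones the advisory quotes; the UNC share names are an assumption, since the advisory only says "[Network name of remote drive]".

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Line formats quoted in the advisory. Share names are written as UNC paths
# here, an assumption for the example.
SUBNET_RE = re.compile(r"^Subnet\s*:\s*(?P<a>\d{1,3})\.(?P<b>\d{1,3})\.(?P<c>\d{1,3})\.0$")
COPYING_RE = re.compile(r"^Copying files to\s*:\s*(?P<share>\S.*?)$")
SUCCESS_RE = re.compile(r"^Successful copy to\s*:\s*(?P<share>\S.*?)$")

# First octets the worm restricts itself to until 50 subnets have been scanned.
INITIAL_FIRST_OCTETS = range(199, 215)

# Constructed sample of c:\network.log (an assumption, not a real capture).
SAMPLE_LOG = r"""Log file Open
Subnet : 203.17.88.0
Subnet : 211.4.250.0
Copying files to : \\BOOKKEEPING\C
Successful copy to : \\BOOKKEEPING\C
Subnet : 199.250.3.0
Copying files to : \\LAB-PC\C
"""


@dataclass
class NetlogSummary:
    subnets: list[str] = field(default_factory=list)   # every subnet the worm picked
    mapped: list[str] = field(default_factory=list)    # remote C shares it mapped as J:
    infected: list[str] = field(default_factory=list)  # shares it copied itself onto
    widened: bool = False        # a subnet outside 199-214 appeared (past 50 subnets)
    unparsed: list[str] = field(default_factory=list)  # lines we did not recognise

    @property
    def failed_copies(self) -> list[str]:
        """Shares that were mapped but where the test copy never succeeded."""
        return [s for s in self.mapped if s not in self.infected]


def parse_network_log(text: str) -> NetlogSummary:
    """Rebuild the worm's scan run from the contents of c:\\network.log."""
    summary = NetlogSummary()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Log file Open":
            continue
        if m := SUBNET_RE.match(line):
            first = int(m.group("a"))
            summary.subnets.append(f"{first}.{m.group('b')}.{m.group('c')}.0")
            if first not in INITIAL_FIRST_OCTETS:
                summary.widened = True
        elif m := COPYING_RE.match(line):
            summary.mapped.append(m.group("share"))
        elif m := SUCCESS_RE.match(line):
            summary.infected.append(m.group("share"))
        else:
            summary.unparsed.append(line)
    return summary


if __name__ == "__main__":
    s = parse_network_log(SAMPLE_LOG)
    print(f"subnets scanned this run: {len(s.subnets)} (widened: {s.widened})")
    print("shares the worm copied itself to:", s.infected)
    print("shares mapped but copy failed:", s.failed_copies)
    if s.unparsed:
        print("unrecognised lines:", s.unparsed)
```

Note that the worm deletes and recreates the log every time it starts, so the file only covers the most recent run; earlier victims have to be found from their own logs or from NetBIOS session traffic.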

Removal Instructions
Use the specified engine and DAT files for detection and removal. Delete
files found to contain this detection.

As this threat seeks open shares, turn off full-access sharing on your
system. If you must use shares, protect them with a password to avoid
becoming a future target.


Virus Information
  Discovery Date: 2/2/00
  Origin: Internet connection
  Length: 2,429
  Type: Trojan
  SubType: VbScript
  Risk Assessment: Low

Aliases
Network.vbs, Trojan.Win32.Netlog

Related Viruses
VBS/Netlog.f , W95/Firkin.worm


============================================================================
Go to http://lists.ansteorra.org/lists.html to perform mailing list tasks.



More information about the Namron mailing list