
"Protecting Digital Assets Worldwide"
2300 Westwood Blvd.
Los Angeles, CA 90064
Telephone 310.470.7833

PRODUCT INFORMATION
ANTI-QAZ.WORM
Release Version 1.0
November 2, 2000
Description

The Anti-QAZ.Worm is the anti-body to the widely distributed computer virus QAZ.Worm (also known as QAZ.trojan, TROJ_QAZ.A, Chinese Worm, W32.HLLW.Qaz.A, QAZ, W32/QAZ.worm, Note.com, Trojan/notepad).
Description of Adversary

QAZ is a network worm that infects in the fashion of a companion virus and imparts backdoor remote access to the affected machine. This threat does not utilize email as a mechanism for spread. QAZ has been reported in the wild and is believed to have originated in China in mid-July. There are now 3 reported variants of the original threat.

When the virus program is launched it will search for a copy of notepad.exe and rename it to note.com. It will then copy itself to the computer as notepad.exe. Each time notepad.exe is executed, it will run the virus code and then the original notepad (renamed to note.com) to avoid being noticed. It will also modify the following system registry key to execute itself every time the system is booted:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
as value StartIE=notepad.exe

QAZ will enumerate through the network neighborhood and find a computer to infect. When it finds a machine, it will infect it by searching for notepad.exe and making the same modifications (rename notepad.exe to note.com). Once the machine is infected, the IP address of the machine will be emailed to the hacker automatically. The backdoor payload in the virus will utilize WinSock and await connection. This will allow a hacker to connect to the infected computer and gain access to it.

Although the QAZ worm spreads by checking for only the most obvious misconfiguration problems, it has spread quickly across the Internet through large cable modem, DSL and other networks. Once inside a firewall it is likely to spread even faster on the supposedly trusted network, where attention to configuration might be even more relaxed. The exponential potential for the worm to spread makes it difficult to handle, as it can infect new machines much faster than the infected ones can be cleaned. Current reports indicate that the QAZ.Worm Trojan Horse is the world's #4 most virulent piece of malicious code.
Functions

The Anti-QAZ worm works by passively listening for NetBIOS connections from other machines, which could be the QAZ worm attempting to spread. The Anti-QAZ host then checks the machine making the connection for the presence of the QAZ worm.

Once an infected machine is found, there are several options for how the Anti-QAZ worm might proceed, which depend on the type and size of network and the level of protection needed.

In its simplest form, the Anti-QAZ worm can notify an administrator of the probe from the infected machine, but it can also actively install itself onto the infected machine. Once on the infected machine, it will remove the QAZ worm, restore the files the QAZ worm moved or modified, and then, depending on its configuration, either remove itself or begin listening for further probes from other infected machines.

While the Anti-QAZ worm is on a computer listening for probes, it will prevent the NetBIOS shares of that machine from being connected to. This prevents re-infection via the same method the QAZ worm would have spread through: unpassworded sharing of the boot drive.

The Anti-QAZ worm installs an icon into the system tray of the machine it is on which displays a GUI with various options ("Open a web browser to a configurable URL", "exit" or "uninstall the Anti-QAZ worm", "help").
The QAZ worm spreads by scanning random subnets in the same class B as itself for Win9x boxes with their boot drive exported with no password. If the worm is on a machine with the IP address 10.200.100.5 it might scan subnets in the range 10.200.0.1 to 10.200.255.254, that is 65,534 machines.

On a large internal network with many Win9x machines, it can spread exponentially as each infected machine will begin scanning for other machines to infect. On a large network the Anti-QAZ worm can be configured to provide exponential protection, as each infected machine that probes a machine running the Anti-QAZ worm will then begin protecting against QAZ probes.

The QAZ worm infects a machine by renaming notepad.exe to note.com and copying itself to notepad.exe's former location. The next time notepad.exe is run on that machine, the QAZ worm installs itself into the registry so it will be run at startup every time the computer is rebooted, then executes the original notepad (now named note.com) with the parameters passed to it so that it appears notepad executed normally.

The Anti-QAZ worm detects the presence of the QAZ worm remotely by looking for note.com. It installs itself on the infected machine by copying itself to the Startup folder, where it is executed during the next boot.

When the Anti-QAZ worm is executed for the first time, it terminates the running QAZ worm, renames notepad.exe (which is actually the QAZ worm) to "QAZ-Worm-Do-Not-Run.ex_" and renames note.com back to notepad.exe so the system again functions normally. It also removes the registry keys that the QAZ.worm added to have notepad.exe re-run at startup.

At this point, depending on its configuration, it can copy itself to the Windows directory and add itself to the registry so that it is run the next time the computer is started, and remove itself from the Startup folder (the files are actually removed from the Startup folder during the next boot).
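The detection check (looking for note.com) and the clean-up sequence above (terminate the worm, rename notepad.exe to QAZ-Worm-Do-Not-Run.ex_, rename note.com back, remove the Run value) are shown below as an added example; this is not the product's own code. It works on a scratch directory and on a dictionary that stands in for the HKLM Run key so the order of operations can be exercised on any platform; the in-memory registry, the sample file contents and the terminate_process callback are assumptions of the example, while the file names and the StartIE=notepad.exe value come from the text.

```python
"""Added example, not from the original product sheet or its vendor: the
QAZ indicators and clean-up steps described above, carried out on a scratch
directory and on a dictionary standing in for the HKLM Run key so that the
ordering of operations can be exercised on any platform. The file names,
the Run value StartIE=notepad.exe and the quarantine name
QAZ-Worm-Do-Not-Run.ex_ come from the text; the in-memory registry and the
pluggable terminate_process callback are assumptions of this example."""
import os
import tempfile

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME, RUN_VALUE_DATA = "StartIE", "notepad.exe"
QUARANTINE_NAME = "QAZ-Worm-Do-Not-Run.ex_"


def qaz_indicators(windows_dir, registry):
    """Return a list of the QAZ indicators present.

    The Anti-QAZ worm's remote check looks only for note.com; the Run value
    is the second, local indicator from the adversary description."""
    found = []
    if os.path.exists(os.path.join(windows_dir, "note.com")):
        found.append("note.com present (displaced original notepad)")
    if registry.get(RUN_KEY, {}).get(RUN_VALUE_NAME) == RUN_VALUE_DATA:
        found.append("Run value StartIE=notepad.exe present")
    return found


def remediate(windows_dir, registry, terminate_process):
    """Apply the clean-up steps in the order the text gives them and return
    the actions taken. terminate_process(name) stops the running worm; it is
    injected because process termination is platform-specific."""
    actions = []
    if not qaz_indicators(windows_dir, registry):
        return actions  # nothing to do on a clean machine
    notepad = os.path.join(windows_dir, "notepad.exe")
    note_com = os.path.join(windows_dir, "note.com")
    # 1. stop the running worm before touching its file
    terminate_process("notepad.exe")
    actions.append("terminated notepad.exe")
    if os.path.exists(notepad) and os.path.exists(note_com):
        # 2. quarantine the worm body under a non-executable extension
        os.replace(notepad, os.path.join(windows_dir, QUARANTINE_NAME))
        actions.append("renamed notepad.exe -> " + QUARANTINE_NAME)
        # 3. give the original notepad its name back
        os.replace(note_com, notepad)
        actions.append("renamed note.com -> notepad.exe")
    # 4. remove the persistence the worm added under the Run key
    run_values = registry.get(RUN_KEY, {})
    if run_values.get(RUN_VALUE_NAME) == RUN_VALUE_DATA:
        del run_values[RUN_VALUE_NAME]
        actions.append("removed Run value StartIE")
    return actions


def build_layout(infected):
    """Construct a scratch 'Windows directory' plus registry dict (constructed
    sample data, not real binaries)."""
    d = tempfile.mkdtemp(prefix="qaz-demo-")
    registry = {RUN_KEY: {}}
    if infected:
        with open(os.path.join(d, "note.com"), "wb") as f:
            f.write(b"ORIGINAL NOTEPAD (constructed)")
        with open(os.path.join(d, "notepad.exe"), "wb") as f:
            f.write(b"WORM BODY (constructed)")
        registry[RUN_KEY][RUN_VALUE_NAME] = RUN_VALUE_DATA
    else:
        with open(os.path.join(d, "notepad.exe"), "wb") as f:
            f.write(b"ORIGINAL NOTEPAD (constructed)")
    return d, registry


def demo(infected=True):
    """Run detection, clean-up and re-detection; return what happened."""
    d, registry = build_layout(infected)
    before = qaz_indicators(d, registry)
    killed = []
    actions = remediate(d, registry, killed.append)
    after = qaz_indicators(d, registry)
    with open(os.path.join(d, "notepad.exe"), "rb") as f:
        notepad_now = f.read()
    return {
        "before": before,
        "actions": actions,
        "after": after,
        "killed": killed,
        "notepad_is_original": notepad_now == b"ORIGINAL NOTEPAD (constructed)",
        "quarantined": os.path.exists(os.path.join(d, QUARANTINE_NAME)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The worm is terminated before its file is renamed, and the rename to a non-executable extension happens before note.com is restored, so at no point does a file named notepad.exe point at the worm body while the original is missing. On a clean layout remediate() returns an empty action list without touching anything.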
The Anti-QAZ worm will bind to TCP port 139 (the NetBIOS session port) on all IP addresses assigned to a machine as they are added (for instance when a new dialup or VPN connection is created). The primary Anti-QAZ host can be configured with as many IP addresses as the NIC supports, each address in a different class C network, thus increasing the chances of picking up the random sweeps of the QAZ worm. For instance, if the internal network to be protected was an entire class B network with the address range 10.200.*.*, the primary Anti-QAZ host could be configured to listen on the addresses 10.200.5.1, 10.200.10.1, 10.200.20.1, etc.

The main feature of the Anti-QAZ worm that must be carefully configured is the spread count. Set to 0, it simply logs the machines that are infected with the QAZ worm. Set to 1, it will remove the QAZ worm from machines that probe the main host that the Anti-QAZ worm is running on. Set to 2, each infected machine that probes the original Anti-QAZ host will also become an "Anti-QAZ host" until it is removed from that machine. Set to 3 or greater, it becomes a true worm, turning each infected machine into an Anti-QAZ host when the infected machine probes the Anti-QAZ host.
The Anti-QAZ worm can be configured to notify (via email) an administrator each time an Anti-QAZ host detects an infected machine.

The greatest risk of this worm spreading out of the original network it was deployed on is also the most likely way the worm would gain entry to a network: employees taking computers from the internal network home and installing them on their cable modem, DSL or even dialup connections. If the spread count is set to a large number, the Anti-QAZ worm could continue to spread outside of the internal network.

One critical point to keep in mind is that the Anti-worm is ENTIRELY PASSIVE. There are numerous scenarios where an actively scanning worm would cause problems on a network, but the Anti-worm DOES NOT ACTIVELY search for infected machines; it passively waits for them to probe the machine it is running on. The ONLY machines it checks for being infected with the QAZ worm are those that attempt to connect to the NetBIOS shares of the machine the Anti-worm is running on. Because of this, the rate of propagation is directly proportional to the severity of infection on a network. The more infected machines there are on the network scanning for other machines to infect, the greater the chance that a machine with the Anti-worm will be scanned. The more machines with the Anti-worm installed on them, the greater the chance one of those machines will be scanned by an infected machine.

The Anti-worm works to minimize the amount of network traffic that it generates by keeping a list of machines it has already checked for the presence of the QAZ worm. This list is reset when the Anti-worm is exited or the machine is rebooted.
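The spread-count settings (0 log, 1 remove, 2 one hop, 3 or greater a true worm), the purely passive behaviour and the "already checked" list are modelled below as an added example; it is not the product's own code. A probe event is one inbound NetBIOS connection reaching an Anti-QAZ host; whether the prober is infected comes from a constructed set that stands in for the remote note.com check, and the addresses are made up. One assumption the page does not state: a host installed by a host with spread count n is given spread count n-1, which is what makes 2 stop after one hop and 3 or more keep going.

```python
"""Added example, not from the original product sheet or its vendor: the
spread-count policy and the 'already checked' list described above, as a
small event-driven model. A probe event is a NetBIOS connection attempt
reaching an Anti-QAZ host; whether the prober is infected comes from a
constructed set standing in for the remote note.com check, and the
addresses are made up. One assumption not stated on the page: a host
installed by a host with spread count n gets spread count n-1, which makes
2 give exactly one hop and 3 or more keep propagating."""
from dataclasses import dataclass, field

LOG, REMOVE, REMOVE_AND_INSTALL = "log", "remove", "remove+install"


@dataclass
class AntiQazHost:
    ip: str
    spread_count: int
    checked: set = field(default_factory=set)   # machines already examined
    log: list = field(default_factory=list)     # (src_ip, action) records

    def handle_probe(self, src_ip, is_infected):
        """Decide what to do about one inbound probe; None means no action.

        The host never scans; it only examines machines that probed it,
        and it examines each one once until exit or reboot."""
        if src_ip in self.checked:
            return None
        self.checked.add(src_ip)
        if not is_infected(src_ip):
            return None
        if self.spread_count == 0:
            action = LOG
        elif self.spread_count == 1:
            action = REMOVE
        else:
            action = REMOVE_AND_INSTALL
        self.log.append((src_ip, action))
        return action

    def reboot(self):
        """The checked list does not survive a reboot or exit."""
        self.checked.clear()


def simulate(hosts, infected, probes):
    """Feed (src, dst) probe events through the network in order.

    hosts: dict ip -> AntiQazHost (mutated as new hosts are installed)
    infected: set of infected ips (mutated as machines are cleaned)
    Returns the list of (src, dst, action) events that caused an action."""
    events = []
    for src, dst in probes:
        host = hosts.get(dst)
        if host is None:
            continue  # probe hit an unprotected machine; nothing observes it
        action = host.handle_probe(src, lambda ip: ip in infected)
        if action in (REMOVE, REMOVE_AND_INSTALL):
            infected.discard(src)
        if action == REMOVE_AND_INSTALL:
            hosts[src] = AntiQazHost(src, host.spread_count - 1)
        if action is not None:
            events.append((src, dst, action))
    return events


# Constructed scenario: one primary host and a chain of three infected
# machines whose random sweeps happen to reach each other in turn.
PRIMARY = "10.200.5.1"
PROBES = [
    ("10.200.7.9", PRIMARY),        # infected machine sweeps the primary
    ("10.200.7.9", PRIMARY),        # same machine again: already checked
    ("10.200.3.3", "10.200.7.9"),   # only matters once 7.9 is a host
    ("10.200.9.9", "10.200.3.3"),   # only matters once 3.3 is a host
]


def demo(spread_count):
    """Return (events, still-infected ips, number of Anti-QAZ hosts)."""
    hosts = {PRIMARY: AntiQazHost(PRIMARY, spread_count)}
    infected = {"10.200.7.9", "10.200.3.3", "10.200.9.9"}
    events = simulate(hosts, infected, PROBES)
    return events, sorted(infected), len(hosts)


if __name__ == "__main__":
    for n in range(4):
        print("spread count", n, demo(n))
```

Running demo() for spread counts 0 through 3 shows the trade-off the text describes: the same four probes leave three, two, one and zero machines infected respectively, and the number of Anti-QAZ hosts grows only as far as the count allows. The second probe from 10.200.7.9 produces no action at all, which is the checked-list behaviour that keeps the host's own traffic down.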
Future updates

Update 1: Spread trail
  The anti-worm transfers a file around with the worm which collects the IP addresses of the machines it spread from.
  Upside: The spread path can be traced from its point of origin, especially useful if the anti-worm spreads farther than expected.
  Downside: Increases the amount of data that needs to be transmitted, but only minimally (4 bytes per address). Each machine would then have a list of potentially vulnerable machines to attack if the anti-worm were copied to an 'unfriendly' host.

Update 2: Change share access
  The anti-worm either sets a password for unpassworded shares or changes their access to read only.
  Upside: Prevents re-infection even if the anti-worm is uninstalled.
  Downside: Users may no longer be able to access those shares as needed.

Update 3: Shutdown date
  The anti-worm is embedded with a date at which it uninstalls itself.
  Upside: Sets a lifetime for the anti-worm.
  Downside: None known.

Update 4: Immediate reboot
  Currently the anti-worm must wait for the user to reboot their computer (or run the worm located in the Startup folder) before it can remove the QAZ worm and begin listening for probes. The anti-worm could be equipped with an automatic reboot which causes the machine to be rebooted upon completion of the installation.
  Upside: QAZ is removed faster, preventing further spread and closing the security hole immediately (remember the QAZ worm includes a back door which allows a hacker to control the machine it is installed on!); the anti-worm spreads faster.
  Downside: Machine reboots immediately, possible loss of data.

Update 5: Disable infected machine's NetBIOS client
  The LanMan client service of the infected machines can be caused to become "in conflict", thus preventing the QAZ worm from spreading further until the machine is rebooted, at which point the anti-worm would remove it.
  Upside: Prevents further spread of the QAZ worm and generation of network traffic (and announcement of an exploitable machine) between time of discovery and the next reboot.
  Downside: Infected machine will not be able to access the NetBIOS network until it is rebooted.